📊 2023 OpenText Cybersecurity Threat Report
News, Announcements, Tech Discussions
September 1, 2023 By Brian Krebs Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States. .US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US. That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, a
Hurricane season is here again. Hurricane “Idalia” in the Gulf is tracking to hit Central / Northern Florida, and a major Hurricane Franklin is in the Atlantic Ocean (no threat to the USA). Here on the Virginia Coast we are getting rain from the remnants of Franklin. Later this week we will be getting the remnants from Idalia. Looks like a lot of rain and little wind all this week; it’s raining here now. Good weather to sleep all day. Stay safe @TylerM down in Florida. Looks like we both are going to have a lot of rain.
September 1, 2023 Topgolf Callaway (Callaway) suffered a data breach at the start of August, which exposed the sensitive personal and account data of more than a million customers. Callaway is an American sports equipment maker and seller specializing in golf equipment and accessories such as clubs, balls, bags, gloves, and caps. The company is present in more than 70 countries worldwide and has an annual revenue of over $1.2 billion. It employs roughly 25,000 people. In a letter sent to impacted individuals on August 29, 2023, the company explains that an IT system incident that occurred on August 1st has affected the availability of its e-commerce services and exposed certain customer information to an unauthorized entity. The company says that it detected the incident early on and took immediate action to contain it. Compromised customer data includes: full names, shipping addresses, email addresses, phone numbers, order histories, account passwords, and answers to security questions. This impacts c
Today I was able to play a Roblox game when Roblox began to update. During the update, Webroot popped up and asked me if I should block, allow or always allow. I clicked block and now every time I start Roblox, this message will appear: “Failed to download or apply critical settings, please check your internet connection. Error info: HttpError: ConnectFail” I’ve searched up every method on how to fix this problem with Webroot blocking a certain file in Roblox and none of them solved my problem. I went to Application Protection and unblocked 5 Roblox files; the problem wasn’t solved. I went to Control Active Processes and the Roblox file was allowed, but the problem still wasn’t solved. I even reinstalled Roblox and the problem still wasn’t solved. The only thing I could do is disable Webroot to play Roblox. How do I solve this problem so Webroot can still be up while I play Roblox?
August 31, 2023 By Jonathan Greig Hackers are modifying the open source code of a popular malware strain, adding tools and functions that make it easier to steal data. Researchers at Cisco Talos said they have been tracking a number of variants of the SapphireStealer malware being used by multiple threat actors. The attacks typically steal sensitive information, including corporate credentials, which is then resold to other threat actors “who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.” Cisco Talos threat researcher Edmund Brumaghin told Recorded Future News that SapphireStealer has been observed across public malware repositories with increasing frequency since its initial public release in December 2022. >> Full Article <<
Five Eyes nations warn of hit against Ukrainian military systems August 31, 2023 By Jessica Lyons Hardcastle Russia's Sandworm crew is using an Android malware strain dubbed Infamous Chisel to remotely access Ukrainian soldiers' devices, monitor network traffic, access files, and steal sensitive information, according to a Five Eyes report published Thursday. The Sandworm gang, which Western government agencies have previously linked to Russia's GRU military intelligence unit, was behind a series of attacks leading up to the bloody invasion of neighboring Ukraine. They've continued infecting that country and its allies' computers with data wipers, info-stealers, ransomware, and other malicious code ever since. Ukraine's security agency spotted and blocked Sandworm's latest campaign earlier this month when the Kremlin-backed cyber goons were attempting to use Infamous Chisel to break into the army's combat data exchange system. This attempt involved ten samples of the malware, all designe
The Kinsing threat group has launched more than 1,000 cyberattacks in less than two months, exploiting a security vulnerability in the internal corporate messaging app in order to upload the malware and a cryptominer. August 31, 2023 By Elizabeth Montalbano The Kinsing cybercrime group is back with a new attack vector: Pummeling a previously disclosed path traversal flaw in the Openfire enterprise messaging application to create unauthenticated admin users. From there, they gain full control of Openfire cloud servers, and can upload the malware and a Monero cryptominer to compromised platforms. Researchers from Aqua Nautilus have observed more than 1,000 attacks in less than two months that exploit the Openfire vulnerability, CVE-2023-32315, which was disclosed and patched in May, they revealed in a blog post this week. However, just last week the CISA added the flaw to its catalog of known exploited vulnerabilities. >> Full Article <<
August 31, 2023 By Pieter Arntz The UK's National Cyber Security Centre (NCSC) has issued a warning about the risks of integrating large language models (LLMs) like OpenAI’s ChatGPT into other services. One of the major risks is the possibility of prompt injection attacks. The NCSC points out several dangers associated with integrating a technology that is very much in early stages of development into other services and platforms. Not only could we be investing in an LLM that no longer exists in a few years (anyone remember Betamax?), we could also get more than we bargained for and need to change anyway. Even if the technology behind LLMs is sound, our understanding of the technology and what it is capable of is still in beta, says the NCSC. We have barely started to understand Machine Learning (ML) and Artificial Intelligence (AI) and we are already working with LLMs. Although fundamentally still ML, LLMs have been trained on increasingly vast amounts of data and are showing signs of m
August 31, 2023 By Pierluigi Paganini Multinational mass media conglomerate Paramount Global suffered a data breach after an unauthorized party accessed files from certain of its systems. Multinational mass media conglomerate Paramount Global disclosed a data breach. According to the data breach notification letter sent to the impacted individuals, an unauthorized party accessed files from certain systems of the company between May and June 2023. Paramount Global launched an investigation into the incident and determined that threat actors had access to some files containing some personal information. The personal information may have included name, date of birth, Social Security number or other government-issued identification number (such as driver’s license number or passport number) and information related to the relationship of the impacted individuals with Paramount. >> Full Article <<
August 31, 2023 By Help Net Security ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications — the malicious apps are FlyGram and Signal Plus Messenger. >> Full Article <<
August 31, 2023 By Bill Toulas Forever 21 clothing and accessories retailer is sending data breach notifications to more than half a million individuals who had their personal information exposed to network intruders. The company is operating 540 outlets worldwide and employs roughly 43,000 people. A sample of the data breach notice shared with the Office of the Maine Attorney General says that the company detected a cyberattack on several of its systems on March 20. The investigation revealed that hackers had intermittent access to Forever 21 systems between January and March this year and leveraged this access to steal data. “The investigation revealed that an unauthorized third party accessed certain Forever 21 systems at various times between January 5, 2023, and March 21, 2023,” reads the notice. >> Full Article <<
By Shunichi Imano and James Slaughter | August 31, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the Rhysida ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High
Rhysida Ransomware Overview
Rhysida ransomware is a new ransomware group that uses a Ransomware-as-a-Service (RaaS) model consisting of developers who create and provide ransomware, the infrastructure needed to operate it, and affiliates who execute attacks against victims. Its first ransomware sample was submitted to a public file scanning service
Aug 30, 2023, 3:41 PM EDT OMNY lets you tap a phone or bank card to ride the subway — and lets anyone with the card number see where you’ve been. Photo by Amelia Holowaty Krales / The Verge New York’s OMNY subway pass system is supposed to make the lives of its riders easier, but as a 404 Media investigation highlights, it makes tracking your movement a little bit too easy — posing dangers for anyone at risk of stalking or harassment. If you tap a bank card to ride the subway, a “trip history” feature on the OMNY website will reveal your past seven days’ worth of trips — including the time and station of entry — to anyone with access to your card number and expiration date. Since it’s not unusual for card numbers to be compromised either online or through someone (like a housemate or partner) briefly getting access to a wallet, that creates an easy-to-miss security hole for people facing things like intimate partner violence. 404 was also able to track trip history for people who rode the
August 30, 2023 By THN New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework. The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month. Microsoft's container architecture (and by extension, Windows Sandbox) uses what's called a dynamically generated image to separate the file system from each container to the host and at the same time avoid duplication of system files. It's nothing but an "operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," thereby bringing down the overall size for a full OS. >> Full Article <<
GitHub Enterprise Server 3.10 released with additional security capabilities, including support for custom deployment rules. August 30, 2023 By Ionut Arghire GitHub on Tuesday announced the general availability of Enterprise Server 3.10 with new security capabilities, including support for custom deployment rules. With the new release, GitHub Projects is now generally available in Enterprise Server, providing administrators with increased visibility over issues and pull requests. Now, teams using GitHub Actions can also create their own custom deployment protection rules, to ensure that only “the deployments that pass all quality, security, and manual approval requirements make it to production,” the code hosting platform explains. >> Full Article <<
August 30, 2023 By Sergiu Gatlan Hackers are targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in credential stuffing and brute-force attacks that take advantage of lapses in security defenses, such as not enforcing multi-factor authentication (MFA). Last week, BleepingComputer reported that the Akira ransomware gang was breaching Cisco VPNs for initial network access. Rapid7 security researchers have provided additional insights regarding these incidents in a report published on Tuesday, revealing that attackers have been directing their efforts towards these devices since March of this year in brute force attacks designed to guess the targets' login credentials. >> Full Article <<
August 30, 2023 By Jonathan Greig The LockBit ransomware gang continues to dominate headlines and cause concern among cybersecurity experts with a spate of attacks on critical organizations, governments and businesses. On Wednesday, the gang took credit for an attack on the Commission des services electriques de Montréal (CSEM) — a 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal. The organization confirmed the incident on Tuesday, writing in a statement that it was hit with ransomware on August 3 but refused to pay the ransom. It contacted national authorities and law enforcement in Quebec while making every effort to restore its systems. Its IT infrastructure has already been rebuilt, the company said. >> Full Article <<