More stories

  • A hacker is selling access to the email accounts of hundreds of C-level executives

    A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world.

    The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week.
    The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as:
      • CEO – chief executive officer
      • COO – chief operating officer
      • CFO – chief financial officer or chief financial controller
      • CMO – chief marketing officer
      • CTO – chief technology officer
      • President
      • Vice president
      • Executive assistant
      • Finance manager
      • Accountant
      • Director
      • Finance director
      • Financial controller
      • Accounts payable
    Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role.

    Image: the seller’s ad on Exploit.in (via KELA)
    A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.
    The source, which requested that ZDNet not use its name, is in the process of notifying the two companies, but also two other companies for which the seller published account passwords as public proof that they had valid data to sell.
    These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.

    Image: sample login provided by the seller as public proof (via KELA)

    The seller refused to share how he obtained the login credentials but said he had hundreds more to sell.
    According to data provided by threat intelligence firm KELA, the same threat actor had previously expressed interest in buying “Azor logs,” a term that refers to data collected from computers infected with the AzorUlt info-stealer trojan.
    Infostealer logs almost always contain usernames and passwords that the trojan extracts from browsers found installed on infected hosts.
    This data is often collected by the infostealer operators, who filter and organize it, and then put it on sale on dedicated markets like Genesis, on hacking forums, or they sell it to other cybercrime gangs.
    “Compromised corporate email credentials can be valuable for cybercriminals, as they can be monetized in many different ways,” KELA Product Manager Raveed Laeb told ZDNet.
    “Attackers can use them for internal communications as part of a ‘CEO scam’ – where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme; or, these credentials can also be exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion,” Laeb added.
    But, most likely, the compromised emails will be bought and abused for CEO scams, also known as BEC scams. According to an FBI report this year, BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year.
    The easiest way of preventing hackers from monetizing any type of stolen credentials is to use a two-step verification (2SV) or two-factor authentication (2FA) solution for your online accounts. Even if hackers manage to steal login details, the credentials will be useless without the additional 2SV/2FA verifier. As Laeb’s comment above implies, the second factor should not depend on the email account itself: once a mailbox is compromised, email-based 2FA for other internal systems offers no protection.

  • Donaldson gets permanent appointment as INSLM

    Australian Attorney-General Christian Porter announced on Friday the permanent appointment of Grant Donaldson as the fourth Independent National Security Legislation Monitor (INSLM).
    Donaldson was Solicitor-General for Western Australia between 2012 and 2016, and has been acting in the new role since July while arrangements for his permanent appointment took place.
    As the name suggests, INSLM looks into the operation and effectiveness of Australia’s national security and counter-terrorism laws.
    In his final report before retiring, former INSLM Dr James Renwick recommended Australia create an independent body to oversee approval of warrants for the nation’s encryption-busting legislation, the Telecommunications and other Legislation Amendment (Assistance & Access) Act 2018 (TOLA Act).
    Renwick had flagged at the start of the year that he would not be recommending the laws be overturned.
    In August, the Australian Federal Police said it used the voluntary powers in the law, under which law enforcement asks carriers for assistance, three times in the 2019-20 fiscal year.
    “Our experience is that Schedule 1 of TOLA has accelerated cooperation from industry, with providers increasingly willing to assist due to TOLA providing legal certainties and assurances regarding the commercial scope and impact of requests,” the AFP said at the time.

    “The fact the AFP has not sought any [compulsory notices] to date, does not indicate these provisions are not required. Rather, it demonstrates the effectiveness of TOLA’s tiered approach.”

  • Personal data of 16 million Brazilian COVID-19 patients exposed online

    The personal and health information of more than 16 million Brazilian COVID-19 patients has been leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub this month.

    Among the systems that had credentials exposed were E-SUS-VE and Sivep-Gripe, two government databases used to store data on COVID-19 patients.
    E-SUS-VE was used for recording COVID-19 patients with mild symptoms, while Sivep-Gripe was used to keep track of hospitalized cases.
    The two databases contained sensitive details such as patient names, addresses, and ID information, as well as healthcare records such as medical history and medication regimens.
    The leak came to light after a GitHub user spotted the spreadsheet containing the passwords on the personal GitHub account of an employee of the Albert Einstein Hospital in the city of São Paulo.
    The user later notified Brazilian newspaper Estadão, which analyzed the data and notified the hospital and the Brazilian Ministry of Health.
    Estadão reporters said that data for Brazilians across all 27 states was included in the two databases, including high-profile figures like the country’s president Jair Bolsonaro, the president’s family, seven government ministers, and the governors of 17 Brazilian states.

    The spreadsheet was ultimately removed from GitHub while government officials changed passwords and revoked access keys to resecure their systems.
    Since the onset of the COVID-19 pandemic, several governments and government contractors have had problems securing their COVID-19-related apps and databases.
    Vulnerabilities and leaks were discovered in COVID-19 apps and systems used in Germany [1, 2], Wales, New Zealand, India, and others.
    According to research published by Intertrust this September, around 85% of COVID-19 contact tracing apps leak data in one way or another.

  • Sophos notifies customers of data exposure after database misconfiguration

    UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.

    “On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” the company said in an email sent to customers and obtained by ZDNet.
    Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).
    A Sophos spokesperson confirmed the emails earlier today and told ZDNet that only a “small subset” of the company’s customers were affected but did not provide an approximate number.
    Sophos said it learned of the misconfiguration from a security researcher and fixed the reported issue right away.
    “At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers,” the company said. “Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”
    This is the second major security incident Sophos has dealt with this year. In April, a cybercrime group discovered and abused a zero-day in the Sophos XG firewall to breach companies across the world. The attackers deployed the Asnarok trojan, and once the zero-day was publicly disclosed, they attempted to deploy ransomware — but eventually failed.