A botnet of more than 130,000 compromised devices is conducting a large-scale password-spray cyberattack, targeting Microsoft 365 accounts through a basic authentication feature.
The attacks have been recorded in non-interactive sign-in logs, something that the researchers at SecurityScorecard note is often overlooked by security teams. Threat actors are able to exploit this feature by conducting high-volume password spraying attempts while going virtually undetected.
Non-interactive sign-ins are completed on behalf of the user, performed by a client app or operating system components, and do not require the user to provide any authentication. Rather, the user is automatically authenticated using previously established credentials.
Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations, said Jason Soroko, senior fellow at Sectigo, in an emailed statement to Dark Reading.
They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.
This tactic differs from traditional password spray attacks, which often result in account lockouts, prompting investigation by security teams. By exploiting non-interactive sign-ins, threat actors are given more time to infiltrate a system before any alarm is sounded, and typically succeed against even the most robust security environments.
The researchers have observed this tactic in multiple M365 tenants around the world.
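The detection gap described above is that non-interactive sign-in failures rarely trip lockout alerts. The following is an added example (not from the article or SecurityScorecard) that hunts for the spray pattern in such logs: one source IP failing against many distinct accounts with only one or two attempts each, over a legacy (basic) authentication client. The record layout, field names and the legacy client-app labels are simplified assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Client-app labels treated as legacy/basic auth (assumed values for this example).
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}

# Constructed sample: JSON lines in a simplified non-interactive sign-in log format.
# 203.0.113.7 sprays six accounts once each via SMTP auth and finally lands on frank;
# the other two IPs are ordinary background token activity.
SAMPLE_LOG = """\
{"time": "2025-02-24T09:00:01Z", "user": "alice@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 50126}
{"time": "2025-02-24T09:00:02Z", "user": "bob@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 50126}
{"time": "2025-02-24T09:00:03Z", "user": "carol@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 50126}
{"time": "2025-02-24T09:00:04Z", "user": "dave@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 50126}
{"time": "2025-02-24T09:00:05Z", "user": "erin@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 50126}
{"time": "2025-02-24T09:00:06Z", "user": "frank@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 50126}
{"time": "2025-02-24T09:01:00Z", "user": "frank@example.com", "ip": "203.0.113.7", "clientApp": "Authenticated SMTP", "interactive": false, "errorCode": 0}
{"time": "2025-02-24T09:01:10Z", "user": "alice@example.com", "ip": "198.51.100.5", "clientApp": "Mobile Apps and Desktop clients", "interactive": false, "errorCode": 0}
{"time": "2025-02-24T09:01:20Z", "user": "bob@example.com", "ip": "198.51.100.9", "clientApp": "Mobile Apps and Desktop clients", "interactive": false, "errorCode": 50126}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_spray(records, min_accounts=5, max_attempts_per_account=2.0):
    """Flag source IPs whose non-interactive failures spread thinly across many accounts."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": set(), "legacy": False})
    for r in records:
        if r.get("interactive", True):
            continue  # interactive sign-ins are already covered by lockout alerting
        s = per_ip[r["ip"]]
        if r["clientApp"] in LEGACY_CLIENTS:
            s["legacy"] = True
        if r["errorCode"] == 0:
            s["successes"].add(r["user"])
        else:
            s["failures"] += 1
            s["users"].add(r["user"])
    findings = []
    for ip, s in per_ip.items():
        targeted = len(s["users"])
        # Low attempts-per-account is the tell: sprays stay under lockout thresholds.
        if targeted >= min_accounts and s["failures"] / targeted <= max_attempts_per_account:
            findings.append({"ip": ip, "accounts_targeted": targeted, "failures": s["failures"],
                             "legacy_auth": s["legacy"],
                             # accounts that failed and then succeeded from the same IP
                             "compromised": sorted(s["users"] & s["successes"])})
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f)
```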
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source : https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet
The fake websites trick users into downloading and running malware that searches for personal information, especially anything related to crypto currency.
Threat actors are leveraging brand impersonation techniques to create fake websites mimicking DeepSeek, an AI chatbot from China that launched just a month ago. Their goal? Getting users to divulge personal and sensitive information.
A significant number of imposter sites imitating DeepSeek have already popped up, according to researchers at ThreatLabz, including deepseeksol[.]com, deepseeksky[.]com, deepseek[.]app, deepseekaiagent[.]live, and many more.
The attack chain involves the fraudulent DeepSeek website asking visitors to complete a registration process. Once done, the user is directed to a fake CAPTCHA page. Malicious JavaScript copies a malicious PowerShell command to the user’s clipboard, which, if run, downloads and executes the Vidar information stealer, allowing it to exfiltrate sensitive data such as passwords, cryptocurrency wallets, and personal files.
“The malware employs social media platforms, such as Telegram, to conceal its C2 infrastructure,” noted the researchers in a blog post.
They added that the malware is programmed to search for files and configurations specifically related to cryptocurrency wallets. If detected, Vidar will query “specific registry keys and file paths to exfiltrate sensitive data such as wallet files.” The malware also actively searches the victim’s system for other assets, such as stored cookies and saved login credentials.
CISOs shouldn’t be shy about what they need from the board, as organizations with mutual board-CISO understanding are better positioned to tackle cybersecurity challenges successfully.
There has been an extremely strong focus of late on organizational boards’ concerns about cyber threats. This focus has come alongside amplified regulatory attention, much of which pushes for stronger board engagement on cybersecurity. As a result, board directors are increasingly asking questions of their CISOs.
In November 2023, the New York Department of Financial Services (NYDFS) finalized its modifications to 23 NYCRR Part 500. While this legislation was groundbreaking for being very prescriptive in what cyber controls are required, there were, in earlier drafts, indications that each board should have suitably cyber-qualified members.
As a result, questions about cybersecurity practices are cascading into risk committees in every enterprise, with CISOs at the center.
But the CISO is already in the ‘hot’ seat, navigating a very challenging role that requires both deep expertise and experience. To ensure CISOs are equipped to meet this challenge, boards must look beyond what they need from their CISOs to address what CISOs need from them as well.
What the board wants from the CISO
The board has very specific expectations from their chief information security officer that center on effective risk management and communication. Most of all they want transparency and truth. This requires translation skills, as the CISO must translate complex cybersecurity risks into clear business terms and potential impacts that board members can understand and act on.
While clear and concise risk communication is essential, boards also expect regular updates on the organization’s security posture, critical threats, and vulnerabilities that could affect business objectives, all explained without technical jargon.
Let’s remember that board members have a personal liability at stake and they want to see strategic leadership through a long-term security strategy that aligns with business goals, supported by clear metrics and cost-effective resource allocation. It is paramount for CISOs to remember this motivation when talking to the board.
Cloud adoption, tool integrations, and AI are spurring significant changes in how security information and event management (SIEM) systems are evolving.
Security information and event management (SIEM) platforms have evolved far beyond their basic log collection and correlation roots.
With cyber threats moving too fast for manual intervention, leading vendors have been integrating artificial intelligence and machine learning technologies into their SIEM platforms.
In addition, modern SIEM platforms now incorporate extended detection and response (XDR) and security orchestration, automation, and response (SOAR), enabling real-time threat detection and automated remediation.
SIEMs have become a platform to monitor log data for anomalies and suspicious events before triggering alerts based on unusual behavior and detection rules.
“[SIEM] often serves as the workspace for security analysts to investigate incidents that are correlations of alerts with other contexts such as asset information, vulnerabilities, and threat intelligence,” according to analyst group IDC. “IDC expects that in the future, the SIEM will also be the response center of the SOC with automated handling of many incidents via playbooks.”
And as enterprise cloud use continues to rise, Google’s Cloud Cybersecurity Forecast predicts that SIEM products will become central to enterprise SOCs (security operations centers) ingesting “everything from cloud logs to endpoint telemetry.”
Joe Turner, global director of research and business development at market intelligence firm Context, notes that larger attack surfaces and more sophisticated attacks are spurring enterprises to invest in SIEM in combination with other technologies, including XDR and SOAR, as a platform to correlate, detect, and remediate threats. As such, his firm reports that the SIEM market grew 20% in 2024.
SIEM, XDR, and SOAR convergence
The convergence of SIEM with security tools such as XDR and SOAR is a major factor driving growth in the market.
SIEM provides log analytics and broad visibility, XDR extends detection across endpoints and cloud, and SOAR orchestrates response.
When SIEM detects a security incident, SOAR triggers automated response actions via XDR — isolating compromised endpoints, disabling compromised user accounts, or blocking malicious traffic in real-time.
Source : https://www.csoonline.com/article/3829750/4-key-trends-reshaping-the-siem-market.html
To ensure minimal business disruption, CISOs must have the right incident recovery strategies, roles, and processes in place. Security experts share tips on assembling your playbook.
When a company experiences a major IT systems outage — such as from a cybersecurity incident — it’s essentially out of business for however long the downtime lasts. That’s why having an effective incident response (IR) plan is vital.
It’s not just a matter of finding the source of an attack and containing it, though. Enterprises need to design for resilience to be able to continue operating even as key systems become unavailable.
What goes into an effective incident response plan? Here are some suggestions of essential components.
Perform impact analysis to ensure business resiliency and continuity
When a security breach brings down key systems, companies need to have a solid IT resiliency or business continuity (BC) plan in place. If the business is down for even a few hours that could lead to big financial losses and negative public relations.
“One of the key components of the development of a business continuity plan is to understand the essential functions your organization performs, and what the impacts would be if they were disrupted,” says Justin Kates, senior business continuity advisor for convenience store operator Wawa, who is responsible for architecting a new BC program for Wawa’s expanding footprint of more than 1,000 stores across 10 states.
Source : https://www.csoonline.com/article/3829684/how-to-create-an-effective-incident-response-plan.html
The flaws allow attackers to use a serialization oversight to compromise systems for remote code execution.
CISA is warning Adobe and Oracle customers about in-the-wild exploitation of critical vulnerabilities affecting the services of these leading enterprise software providers.
The US cybersecurity watchdog added vulnerabilities in Adobe ColdFusion (CVE-2017-3066) and Oracle Agile Product Lifecycle Management (PLM) (CVE-2024-20953) to its known exploited vulnerabilities (KEV) catalog on Monday.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in the advisory.
Deserialization demons still haunt Adobe web development
The Adobe ColdFusion flaw flagged by CISA is an old Java deserialization bug in the Apache BlazeDS library, which received a critical severity rating of CVSS 9.8 out of 10 because it enables arbitrary code execution.
Adobe disclosed CVE-2017-3066 in April 2017 along with hotfixes for all the affected versions, including Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier.
“These hotfixes include an updated version of the Apache BlazeDS library to mitigate the Java deserialization vulnerability,” Adobe said in an advisory at the time.
In a 2018 blog post, Code White researchers detailed vulnerabilities in Adobe ColdFusion (versions 11 and 12), focusing on deserialization issues within the Action Message Format (AMF) used by ColdFusion for data exchange. They had discovered that, before the fix for CVE-2017-3066, ColdFusion lacked class whitelisting, allowing attackers to exploit java.io.Externalizable for remote code execution.
CISA did not disclose specific details of exploitation for security reasons, warning all organizations to promptly patch vulnerable systems against potential threats.
Research shows various ways to classify CISOs based on role expectations, strengths and experience – distinctions that matter when it comes to ensuring that security leaders land in jobs where they will succeed.
When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers.
The company instead hired a highly technical CISO, one who worked like the hands-on architect Gerchow had been but lacked the leadership skills that were needed to calm clients when a security event eventually occurred. That skills deficit left the CEO scrambling to fill the void and customers feeling dissatisfied.
The story shows that the CISO was the wrong type for the role, says Gerchow, faculty at IANS Research and interim CISO/head of trust at MongoDB. The anecdote and Gerchow’s observations highlight the idea that leaders — including business executives broadly and CISOs in particular — can be classified into different types.
Panicking bank customers is neither difficult nor expensive, as a recent study shows, suggesting that CISOs must also keep disinformation campaigns in mind.
The British research organization Say No To Disinfo has simulated an AI-driven disinformation campaign in cooperation with communications specialists Fenimore Harper. As part of the campaign, 500 bank customers in the UK were confronted with synthetic “rumours” about their financial institution.
The motivation behind the simulation was to ascertain whether fake news campaigns based on generative AI could trigger “bank runs” in the future — such as occurred against the Silicon Valley Bank in the US.
The results of the study underline AI’s ominous potential in this area:
- Almost 61% of study participants who consumed the fake news were fundamentally willing to withdraw their money from the respective bank.
- Just over 33% of respondents rated this as “very likely,” and another 27% as “probable.”
- Translated into financial expenditure, according to the study, a £10 investment in AI content generation (around US$13) can be enough to “shift” assets worth £1 million.
“With the help of AI tools, we generated false headlines whose narratives were intended to play on existing fears and biases. The key message was: ‘Customer funds are not safe,’” explain the study authors.
According to their report, the experts primarily used the short message service X to spread masses of corresponding posts and memes.
Source : https://www.csoonline.com/article/3829738/ai-can-kill-banks.html
Investigation revealed that the BingX and Phemex hacks were also connected to the same cluster as Bybit’s, confirming the threat actor’s identity as the Lazarus group.
An independent investigation into the $1.5 billion hack suffered by the Bybit cryptocurrency exchange on Friday has revealed connections to the infamous Lazarus group.
A day after the attack was disclosed by Bybit, blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group.
“At 19.09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the Lazarus Group,” said a Saturday X post by Arkham Intelligence, the blockchain analysis firm that awarded ZachXBT a bounty for their discovery.
Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide as per a September 2024 report.
Connection confirmed by transactions prior to the attack
ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, which Arkham added in the X post.
Source : https://www.csoonline.com/article/3831315/bybits-1-5b-hack-linked-to-north-koreas-lazarus-group.html
Less than a year after US issued ban on all Kaspersky products, Australia prohibits its use across government agencies due to unacceptable security risk.
The Secretary of the Department of Home Affairs issued on Friday a mandatory direction under the Protective Security Policy Framework (PSPF) to government entities, requiring them all to prevent the installation of Kaspersky products and web services on their devices and to remove existing ones.
In the directive signed by Stephanie Foster on 17 February, Foster stated that after considering threat and risk analysis, “I have determined that the use of Kaspersky Lab products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage. I have also considered the important need for a strong policy signal to critical infrastructure and other Australian governments regarding the unacceptable security risk associated with the use of Kaspersky Lab, Inc. products and web services.”