LockBit, Babuk, and Hive ransomware used by Russian to target critical US organizations, DOJ says.
Related Posts
Hackers Stolen 2M+ User’s Data Via XSS & SQL Injection Attacks
Hackers Stolen 2M+ User’s Data Via XSS & SQL Injection Attacks
[[{“value”:”
A large-scale cyber attack was launched to steal and market confidential user information, focusing mainly on the APAC region’s employment agencies and retail firms.
A group of hackers called ResumeLooters initiated a campaign aimed at job seekers. The hackers’ identities remain unknown, and their primary objective was to target and exploit vulnerabilities in the job-seeking process.
Group-IB, a cybersecurity company, recently discovered that a group of hackers, ResumeLooters, compromised 65 websites during November and December 2023.
Document
Run Free ThreatScan on Your Mailbox
AI-Powered Protection for Business Email Security
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
Like GambleForce, ResumeLooters primarily targets the Asia-Pacific – over 70% of known victims are located in the region (India, Taiwan, Thailand, Vietnam, and other countries, as seen below in Figure 2).
ResumeLooters
ResumeLooters SQL injection & XSS as Attack Vectors
The threat actor attempts to steal user databases that may include names, phone numbers, emails, DOBs, information about job seekers’ experience, employment history, and other sensitive personal data.
By employing XSS Attacks, the hackers intended to load additional malicious scripts from the associated malicious infrastructure and display phishing forms on legitimate resources.
By using SQL injections, the group has stolen data from 65 websites. The stolen files contained 2,188,444 rows, of which 510,259 were user data stolen from job search websites.
To launch attacks, they used various penetration testing tools such as sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch.
ResumeLooters tried to inject XSS scripts into all possible web forms of the targeted websites.
Malware Infrastructre
“Throughout our research, we found several pieces of evidence supporting the first version. The attackers’ server, among other pieces of stolen data, stored a file named AdminJobApprovalGrid.aspx_2023_11_23_02_02_39.html.”
The attackers created a fake employer profile on one of the legitimate websites identified by Group-IB (https://jobs[redacted]co/company-detail/248). Within one of the fields in this profile, ResumeLooters could inject the XSS script referencing 8r[.]ae, which is also displayed on the site’s main page.
According to Group-IB, the malicious server is 139.180.137[.]107. We found logs of several penetration testing tools on this server, including sqlmap.
The emergence of ResumeLooters underscores the pernicious potential of a select few publicly available tools. Its impact is a cautionary tale for organizations seeking to protect sensitive information.
Such tools pose a severe threat to data confidentiality, integrity, and availability and require a multi-layered approach to safeguard against such attacks.
Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.
The post Hackers Stolen 2M+ User’s Data Via XSS & SQL Injection Attacks appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
Critical Vulnerability In AI-As-A-Service Provider Let Attackers Access Sensitive Data
Critical Vulnerability In AI-As-A-Service Provider Let Attackers Access Sensitive Data
A critical vulnerability was found in the Replicate AI platform that could have exposed the private AI models and application data of all its customers.
The vulnerability stemmed from challenges in tenant separation, a recurring issue in AI-as-a-service platforms.
By exploiting this, attackers could have gained unauthorized access to user prompts and the corresponding AI results, as the security flaw was responsibly disclosed to Replicate and promptly addressed, with no customer data compromised.
Replicate, a platform for sharing AI models, allows users to upload containerized models using their Cog format, including a RESTful API server, potentially enabling malicious code execution.
Remote Code Execution on Replicate’s infrastructure using a malicious Cog container.
Researchers created a malicious Cog container and uploaded it to Replicate, achieving remote code execution on Replicate’s infrastructure.
This highlights a potential vulnerability in AI-as-a-service platforms, where untrusted models can be a source of attacks.
ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service
Similar techniques were previously used to exploit Hugging Face’s managed AI inference service.
Finding pre-established TCP connection via `netstat`.
An attacker gained root privileges within a container on Replicate’s Kubernetes cluster, as the container shared its network namespace with another container with an established connection to a Redis server.
Pre-established TCP connection with Redis server in Replicate’s network.
By exploiting CAP_NET_RAW and CAP_NET_ADMIN, the attacker used tcpdump to identify the Redis connection, confirmed it was plaintext, and then aimed to manipulate the shared Redis queue to impact other replicate customers potentially.
According to the Wiz Research Team, the attacker lacked credentials for direct access and devised a plan to inject packets into the existing authenticated connection.
The authors exploited a vulnerability in a shared Redis server to gain unauthorized access to customer data by injecting TCP packets containing Redis commands to bypass authentication.
While modifying existing entries in the Redis stream proved difficult due to its append-only nature, the authors were able to manipulate the data flow.
They achieved this by injecting a Lua script that identified a specific customer request, removed it from the queue, altered the webhook field to point to a malicious server they controlled, and then reinserted the modified request back into the queue, which allowed them to intercept and potentially alter the prediction results sent back to the customer.
Lua script injected to Redis’ TCP stream.
A critical vulnerability in Replicate’s AI platform allowed attackers to potentially steal proprietary knowledge or sensitive data from customer models through malicious queries.
Moreover, attackers could manipulate prompts and responses, compromising the models’ decision-making processes.
This vulnerability threatened the integrity of AI outputs and could have had severe downstream impacts on users who rely on those models.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
The post Critical Vulnerability In AI-As-A-Service Provider Let Attackers Access Sensitive Data appeared first on Cyber Security News.
Unpacking cyber awareness syndrome.
Unpacking cyber awareness syndrome.
The Cyberspace Solarium Commission looks at obstacles to public-private collaboration in the industrial sector. Malware in the industrial sector increases. Organizations plan to increase their OT cybersecurity budgets. CISA and its partners have released a Joint Guide to Securing Remote Access Software. And the US DoD holds its Cyber Yankee exercise.
Today’s guest is Will Edwards of Schweitzer Engineering Labs discussing cyber awareness syndrome.
The Learning Lab has the conclusion off the discussion between Dragos’ Mark Urban, Principal Adversary Hunter Kyle O’Meara, and Principal Intelligence Technical Account Manager Michael Gardner on threat hunting. Read More
The CyberWire