Toyota confirms customer and employee data stolen, says breach at third party to blame
Last week, a cybercriminal using the handle ZeroSevenGroup dumped 240GB of data on the infamous stolen-data site BreachForums, which they said came from a hack on the US branch of car manufacturer Toyota.
ZeroSevenGroup claims the dump includes customer and employee data.
ZeroSevenGroup posted the data with the following message:
“We have hacked a branch in United State to one of the biggest automotive manufacturer in the world (TOYOTA).
We are really glad to share the files with you here for free.
Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data.
We also offer you AD-Recon for all the target network with passwords
We’re not kidding, we have been on the network for a long time..”
Toyota told BleepingComputer that a breach at a third party had led to the data theft. After examining the files, BleepingComputer concluded that they had been stolen, or at least created, on December 25, 2022.
The car vendor has already notified impacted individuals, but it did not provide technical details about the incident. According to Toyota:
“We are aware of the situation. The issue is limited in scope and is not a system wide issue. We have engaged with those who are impacted and will provide assistance if needed.”
Toyota and Toyota Financial Services have suffered several breaches in the past, so it’s hard to say more precisely where and when the information was obtained.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be. If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor.
Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover afterwards.
Check your digital footprint
Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
Russian Hackers Exploiting Windows Print Spooler Using GooseEgg Tool
Attackers target Windows Print Spooler vulnerabilities because the service runs with SYSTEM privileges, so exploiting it yields privilege escalation and can also enable remote code execution and credential theft.
Microsoft exposed the Russian threat actor Forest Blizzard (aka APT28, Sednit, Sofacy, and Fancy Bear), which has been using a custom tool called GooseEgg to elevate privileges and steal credentials by exploiting the CVE-2022-38028 Print Spooler vulnerability since at least 2020.
Windows Print Spooler Vulnerability
Targeting government, education, and transportation sectors across Ukraine, Europe, and North America, Forest Blizzard leverages GooseEgg for post-compromise activities like remote code execution and lateral movement.
Although GooseEgg is a simple tool, its ability to spawn processes with elevated privileges supports the actor’s follow-on objectives.
Linked to Russia’s GRU intelligence agency, Forest Blizzard differs from other destructive GRU groups.
After gaining initial access, Forest Blizzard uses GooseEgg to elevate privileges, typically deploying it via batch scripts like execute.bat or doit.bat, which set up persistence, Microsoft said.
While concealing its activity, GooseEgg exploits CVE-2022-38028 to run malicious DLLs (often named “wayzgoose”) or executables with SYSTEM permissions.
To stage payloads, it copies the driver store into a directory under C:\ProgramData whose name mimics a software vendor. The subdirectory name is chosen from this list:
Microsoft
Adobe
Comms
Intel
Kaspersky Lab
Bitdefender
ESET
NVIDIA
UbiSoft
Steam
GooseEgg’s commands enable checking exploit success, custom version identification, and privilege escalation – supporting Forest Blizzard’s ultimate objectives of credential theft and maintaining elevated access on compromised targets.
After exploiting PrintSpooler, GooseEgg creates registry keys to register a rogue protocol handler and COM server.
It replaces the C: drive symbolic link so that the Print Spooler loads a malicious copy of MPDW-Constraints.js, patched to invoke the rogue protocol during RpcEndDocPrinter.
This launches the wayzgoose.dll malware with SYSTEM privileges.
This DLL is a simple launcher capable of spawning any application with elevated permissions. It enables the threat actor to install backdoors, move laterally, and execute code remotely on compromised systems.
By detailing these complex techniques, Microsoft exposes how Forest Blizzard abuses legitimate utilities to execute code and maliciously escalate privileges.
Recommendations
The recommendations are as follows:
Harden credentials following the on-premises credential theft overview.
Activate EDR in block mode for proactive threat blocking.
Enable automated investigation and remediation for quick response.
Utilize cloud-delivered protection for up-to-date defense.
Block LSASS credential stealing.
Detect CVE-2021-34527 Print Spooler exploitation.
Search for suspicious files in ProgramData.
Identify processes creating scheduled tasks.
Look for suspicious JavaScript constraints files (such as patched copies of MPDW-Constraints.js).
Monitor registry key and value creation.
Search for custom protocol handler activity.
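The hunting recommendations above, applied to constructed host telemetry as an added example (this is not code from the article or from Microsoft’s report). The record field names `key`, `value_name` and `process`, the sample paths and the scheme names are all assumptions; only the vendor directory names, batch script names, wayzgoose DLL name and MPDW-Constraints.js come from the article.

```python
"""GooseEgg-style artifact hunt over constructed host telemetry. Added example, not
code from the article or Microsoft's report; field names and sample values are assumptions."""
import re
from pathlib import PureWindowsPath

STAGING_VENDORS = {"microsoft", "adobe", "comms", "intel", "kaspersky lab",  # vendor-like dir
                   "bitdefender", "eset", "nvidia", "ubisoft", "steam"}      # names from article
DEPLOY_SCRIPTS = {"execute.bat", "doit.bat"}      # batch scripts named in the article
LAUNCHER_DLL = re.compile(r"^wayzgoose.*\.dll$")  # launcher DLL name from the article
CONSTRAINTS_JS = "mpdw-constraints.js"            # print-driver file GooseEgg patches
CLASSES_KEY = re.compile(r"^(?:HKCR|HKEY_CLASSES_ROOT|(?:HKCU|HKLM|HKEY_CURRENT_USER|"
                         r"HKEY_LOCAL_MACHINE)\\Software\\Classes)\\([^\\]+)$", re.IGNORECASE)

def hunt_files(paths):
    """Return (path, reason) for each path matching a file indicator from the article."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        parts = [s.lower() for s in p.parts]  # parts[0] is the drive anchor, e.g. 'c:\\'
        staged = len(parts) > 3 and parts[1] == "programdata" and parts[2] in STAGING_VENDORS
        if name in DEPLOY_SCRIPTS:
            hits.append((raw, "GooseEgg deployment batch script name"))
        elif LAUNCHER_DLL.match(name):
            hits.append((raw, "wayzgoose launcher DLL name"))
        elif name == CONSTRAINTS_JS and staged:
            # Genuine copies live in the Windows driver store; a copy staged under a
            # vendor-named ProgramData directory matches the technique described above.
            hits.append((raw, "constraints JavaScript file staged under ProgramData"))
    return hits

def hunt_registry(events, allowed_schemes=frozenset({"http", "https", "mailto"})):
    """Flag a 'URL Protocol' value set on a scheme key outside the allowlist (custom handler)."""
    hits = []
    for ev in events:
        m = CLASSES_KEY.match(ev["key"])
        if m and ev["value_name"].lower() == "url protocol" and m.group(1).lower() not in allowed_schemes:
            hits.append((m.group(1).lower(), ev["process"]))
    return hits

# Constructed sample telemetry; none of these are real indicators from the report.
SAMPLE_PATHS = [
    r"C:\Windows\System32\DriverStore\FileRepository\example_pkg\MPDW-Constraints.js",
    r"C:\ProgramData\Adobe\v1\MPDW-Constraints.js",
    r"C:\Users\Public\execute.bat",
    r"C:\ProgramData\Intel\wayzgoose_x64.dll",
]
SAMPLE_REG_EVENTS = [
    {"key": r"HKCR\https", "value_name": "URL Protocol", "process": "setup.exe"},
    {"key": r"HKCU\Software\Classes\examplescheme", "value_name": "URL Protocol", "process": "placeholder.exe"},
]
```

Run `hunt_files(SAMPLE_PATHS)` and `hunt_registry(SAMPLE_REG_EVENTS)` against your own file inventory and registry-audit export; the driver-store copy of the constraints file and the https scheme registration are deliberately left unflagged.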
The post Russian Hackers Exploiting Windows Print Spooler Using GooseEgg Tool appeared first on Cyber Security News.
Cybersecurity M&A Roundup: 34 Deals Announced in January 2024
Thirty-four cybersecurity-related merger and acquisition (M&A) deals were announced in January 2024.
The post Cybersecurity M&A Roundup: 34 Deals Announced in January 2024 appeared first on SecurityWeek.