New Flame Stealer Malware Attacking Users to Steal Credit Card Data
A new malware named “Flame Stealer” has been making waves in the cybersecurity community, posing a significant threat to users’ financial and personal data.
Developed in C and C++, this sophisticated software was first announced on Telegram on April 14, 2024, and has since been evolving with claims of being undetectable by conventional antivirus tools.
Extensive Data Stealing Capabilities
Flame Stealer is designed to be an extensive data thief, capable of stealing a wide range of sensitive information. According to a ThreatMon tweet, the malware can capture login information, new emails, passwords, credit card details, and PayPal information.
New Malware: Flame Stealer
Flame Stealer, malware developed in C and C++, was first announced on Telegram on 14 April 2024. This software, which continues to be developed, draws attention with its claim that it is undetectable.
Features of Flame Stealer:
Extensive Data… pic.twitter.com/u8gtat6loL
— ThreatMon (@MonThreat) August 1, 2024
This stolen data is transmitted instantly to a designated webhook or Telegram channel, ensuring that the cybercriminals receive the information in real-time.
The malware remains constantly active on infected systems through automatic re-injection, making it a persistent threat.
Targeting Popular Platforms
One of the most alarming features of Flame Stealer is its ability to target popular platforms such as Discord, Spotify, Instagram, TikTok, and Roblox.
It captures login credentials and steals cookies, passwords, autofill data, and credit card information from these platforms. This broad targeting scope increases the risk for many users, especially those who frequently use these services.
The malware also collects information about browser extensions, Discord accounts, connections, bots, and servers, adding another layer of data theft.
Flame Stealer employs advanced methods to avoid detection by antivirus and security software, making it particularly dangerous. It takes screenshots of the user’s desktop and steals visual data at critical moments, such as when users enter sensitive information.
Additionally, it targets digital assets by stealing wallet information and capturing entered Two-Factor Authentication (2FA) codes, posing a threat to users’ online security. The malware also collects detailed information about the infected computer, including private accounts and digital entitlements such as FiveM accounts.
As Flame Stealer develops and adapts, cybersecurity experts urge users to remain vigilant and take the necessary precautions to protect their data.
Regular updates to security software, cautious online behavior, and awareness of potential threats are crucial in mitigating the risks posed by this new malware.
The post New Flame Stealer Malware Attacking Users to Steal Credit Card Data appeared first on Cyber Security News.
Massive Ticketmaster, Santander Data Breaches Linked to Snowflake Account Hacks
Hackers have claimed responsibility for a massive data breach involving Ticketmaster and Santander Bank, potentially affecting over 590 million accounts.
The breach, linked to a Snowflake employee’s compromised credentials, has raised serious concerns about the security of cloud storage services.
The breach reportedly exposed the personal information of 560 million Ticketmaster users and 30 million Santander customers.
The compromised data includes full names, email addresses, phone numbers, and hashed credit card numbers, with some information dating back to the mid-2000s.
Today we spoke with multiple individuals privy to and involved in the alleged TicketMaster breach.
Sometime in April an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider. The TicketMaster breach was not…
— vx-underground (@vxunderground) May 30, 2024
The hacker group ShinyHunters has claimed responsibility for the breach and has attempted to sell the data on the dark web for $500,000.
According to cybersecurity firm Hudson Rock, the breach originated from the stolen credentials of a single Snowflake employee.
The hacker bypassed the authentication service Okta and generated session tokens to access a trove of information stored on Snowflake’s cloud platform.
This method allowed the hacker to infiltrate Ticketmaster and Santander and potentially hundreds of other Snowflake customers, including major brands like AT&T, HP, Instacart, DoorDash, NBCUniversal, and Mastercard.
Snowflake has disputed Hudson Rock’s findings, asserting that the breach did not originate from any vulnerability within its systems.
The company acknowledged that a former employee’s demo account was accessed using stolen credentials but maintained that this account did not contain sensitive information.
Snowflake emphasized that its production and corporate systems are protected by stringent security measures, including multi-factor authentication, which were not in place for the demo account.
Impact on Santander and Ticketmaster
Santander confirmed that certain customer information in Spain, Chile, and Uruguay had been accessed but stated that no transactional data or credentials that would allow transactions were compromised.
The bank has notified regulators and is cooperating with law enforcement in its investigation.
Ticketmaster has yet to publicly confirm the extent of the breach. However, the cybercriminals claim to have accessed information belonging to more than half a billion customers, including partial credit card details.
The breach has put Ticketmaster under significant scrutiny, with customers and regulators demanding answers.
The breach has highlighted the vulnerabilities associated with cloud storage services and the importance of robust security measures.
The incident has also brought attention to the hacker group ShinyHunters, which has a history of high-profile data breaches, including those involving Microsoft and AT&T.
The group’s activities underscore the growing threat of cyberattacks and the need for continuous vigilance and improvement in cybersecurity practices.
The massive data breaches at Ticketmaster and Santander, linked to compromised Snowflake accounts, serve as a stark reminder of the critical importance of cybersecurity.
Snowflake recently issued guidance on identifying and stopping unauthorized user access.
Hackers Modifying Registry Keys to Establish Persistence via Scheduled Tasks
Persistence is essential for threat actors who want to retain access to compromised systems and reconnect whenever they need to. One of the most common ways to maintain persistence is through scheduled tasks.
A threat actor identified as “HAFNIUM” has been observed using an unconventional method in its Tarrask malware: tampering with scheduled tasks by modifying the associated registry keys directly, which allows the actor to create stealthy scheduled tasks.
Hackers Modifying Registry Keys
According to the reports shared by the Purple team, a proof of concept called GhostTask has been published, which exploits the scheduled tasks via a beacon object file that can enable red teamers and threat actors to use it within a C2 framework.
GhostTask re-creates the scheduled task tampering technique by writing the associated registry keys directly, an operation that normally requires elevated privileges. GhostTask relies on a scheduled task that already exists on the target system.
Once the registry keys are modified, the system needs a restart for the changes to take effect; alternatively, the schtasks utility can be used to start the task and establish persistence.
Windows Events
This technique relies on modifying the registry keys; hence, registry events enabled from the Group Policy must be audited. Additionally, the TaskCache registry key containing new or modified scheduled tasks must be monitored for any changes.
Auditing these registry keys provides log visibility whenever a key is accessed or modified; the activity is captured under event IDs 4657 (Registry Value Modification) and 4663 (Registry Object Access).
Registry
Scheduled tasks created by manipulating the registry keys do not appear in the Task Scheduler or in the output of the schtasks /query command. A task can be hidden further by deleting its SD (security descriptor) registry value, but that requires SYSTEM-level privileges, so the privilege escalation needed to do it is itself a detection opportunity.
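The two detection ideas above (tasks in the TaskCache registry key that lack an SD value, and tasks present in the registry but not reported by the Task Scheduler API) can be turned into a simple hunt script. The following PowerShell is an added example written for this page; it is not code from the article, from Microsoft, or from the GhostTask project. It assumes a Windows version that ships Get-ScheduledTask (Windows 8 / Server 2012 or later) and an elevated shell, since reading the TaskCache hive is restricted.

```powershell
# Added hunt script (not part of the article or the GhostTask project).
# Assumes Windows 8 / Server 2012 or later (Get-ScheduledTask) and an elevated shell.
$TreeRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TreePrefix = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskCacheEntries {
    # Walk TaskCache\Tree; every key carrying an Id value is a task node.
    # The key path relative to Tree is the task path Task Scheduler would display.
    Get-ChildItem -Path $TreeRoot -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Id) {
            [pscustomobject]@{
                TaskPath = $_.Name.Substring($TreePrefix.Length)   # e.g. \Microsoft\Windows\Foo\Bar
                Id       = $props.Id
                HasSD    = ($null -ne $props.SD)                    # SD = task security descriptor
            }
        }
    }
}

function Find-HiddenTasks {
    # Index what the Task Scheduler API reports so the two views can be diffed.
    $visible = @{}
    foreach ($t in Get-ScheduledTask) {
        # TaskPath is the folder with a trailing backslash, TaskName the leaf.
        $visible[$t.TaskPath + $t.TaskName] = $true
    }

    foreach ($entry in Get-TaskCacheEntries) {
        $reasons = @()
        if (-not $entry.HasSD)                          { $reasons += 'SD value missing' }
        if (-not $visible.ContainsKey($entry.TaskPath)) { $reasons += 'absent from Get-ScheduledTask' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $entry.TaskPath
                Id       = $entry.Id
                Finding  = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run elevated. An empty result means every cached task has an SD value
# and is reported by the Task Scheduler API.
Find-HiddenTasks | Format-Table -AutoSize
```

Treat any hit as a lead rather than a verdict: inspect the matching Tasks\{GUID} key and the task's action before concluding it is malicious. The script is a point-in-time check; for continuous coverage, the 4657 and 4663 events mentioned above only appear when the "Audit Registry" object-access policy is enabled and a SACL is set on the TaskCache keys, so both need to be configured for the audit log to capture tampering.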
Furthermore, a complete report about this scheduled task tampering has been published, which provides detailed information about the report from Microsoft, attack methods, techniques, exploitation, and other information.