Versa Networks has fixed a zero-day vulnerability exploited in the wild that allows attackers to upload malicious files by exploiting an unrestricted file upload flaw in the Versa Director GUI. […] Read More
Threat Actors Claiming Breach of Nokia Database
Threat actors have claimed responsibility for a breach of Nokia’s database.
The announcement was made via a tweet from the notorious hacker group H4ckManac, known for their previous cyber exploits.
The tweet, 2024, reads: “We have successfully breached Nokia’s database. Sensitive information is now in our hands. #NokiaHack #DataBreach”.
A potential data breach has been detected on a hacking forum: After Shopify, the threat actor is claiming a data breach at Nokia.
According to the post, in July 2024, Nokia suffered a data breach from a third party that exposed 7,622 rows of… pic.twitter.com/WgOGrIdUNi
— HackManac (@H4ckManac) July 9, 2024
According to cybersecurity experts, the breach appears to have compromised a substantial amount of sensitive data, including customer information, internal communications, and proprietary technology details.
The exact breach method remains unclear, but initial analyses suggest that the hackers may have exploited vulnerabilities in Nokia’s network infrastructure.
The hacker group has a history of targeting large corporations and has previously been linked to breaches involving financial institutions and tech companies.
This latest incident raises serious concerns about the security measures at Nokia, a global leader in telecommunications technology.
Nokia has yet to release an official statement regarding the breach.
However, sources within the company indicate that an internal investigation is underway.
The company is expected to collaborate with cybersecurity firms and law enforcement agencies to mitigate the damage and prevent further unauthorized access.
In the meantime, experts advise Nokia customers to remain vigilant and monitor their accounts for any unusual activity.
Users should also change their passwords and enable two-factor authentication where possible.
As the investigation into the Nokia breach continues, it serves as a stark reminder of the ever-present threats in the digital age.
Organizations must remain vigilant and proactive in their cybersecurity efforts to protect sensitive data and maintain customer trust.
The post Threat Actors Claiming Breach of Nokia Database appeared first on Cyber Security News.
Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR
In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.
Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.
The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.
Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).
The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.
The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:
```powershell
$decodeKey = '<Base64_encoded_string>'
# Path separators after Roaming\micROSoft\ were lost in the source; the remainder is left as published.
$encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokmJqdVQplHfgwxyNmtaPX.gvzPlATqFe'
$decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)
for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {
    $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]
    if ($payloadIndex -ge $decodeKey.Length) {
        $payloadIndex = $decodeKey.Length
    }
}
[System.Reflection.Assembly]::Load($decodedPayload)
[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()
```
This code reveals the malware’s methodology:
It utilizes a Base64-encoded string as a decryption key.
It targets a specific file path for encoded data.
It reads, decodes, and executes the encrypted payload.
The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…).
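The flag pattern described above (hidden window, execution-policy bypass, a long or encoded inline command, and oddly cased parameter names such as `-ComMand` or `ByPass`) is something a defender can score automatically from process-creation telemetry. The following is an added example written for this page, not code from ThreatDown or Malwarebytes; the sample process records, the table of documented flag spellings, the regexes and the score weights are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed process-creation records: (pid, image path, command line).
# They are sample input for this example, not data from the ThreatDown case;
# the second record imitates the flag pattern the write-up describes.
_LONG_ARG = "A" * 300  # stands in for an obfuscated inline script body
SAMPLE_PROCESSES: List[Tuple[int, str, str]] = [
    (4120, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (5532, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -WindowStyle Hidden -Ep ByPass -ComMand "$sa43=\'' + _LONG_ARG + "'\""),
    (6088, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"),
]

# Assumed canonical spellings of common powershell.exe parameters and values.
# PowerShell itself is case-insensitive, so 'ByPass' works but is not how
# humans or documented scripts normally write it.
CANONICAL = {
    "windowstyle": "WindowStyle", "w": "w",
    "executionpolicy": "ExecutionPolicy", "ep": "Ep", "ex": "Ex",
    "command": "Command", "c": "c",
    "encodedcommand": "EncodedCommand", "enc": "Enc", "e": "e",
    "noprofile": "NoProfile", "nop": "NoP",
    "noninteractive": "NonInteractive", "noni": "NonI",
    "hidden": "Hidden", "bypass": "Bypass", "unrestricted": "Unrestricted",
    "remotesigned": "RemoteSigned", "file": "File",
}

# Each indicator is matched case-insensitively against the full command line.
FLAG_PATTERNS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:x|p|xecutionpolicy)?\s+bypass\b", re.I)),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("long inline command", re.compile(r"-c(?:ommand)?\s+\"?.{200,}", re.I | re.S)),
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def unusual_casing(token: str) -> bool:
    """True if a known flag/value is written in a casing that is neither the
    documented spelling nor plain lower/upper case (e.g. 'ByPass', 'ComMand')."""
    word = token.lstrip("-/")
    canonical = CANONICAL.get(word.lower())
    if canonical is None:
        return False
    return word not in (canonical, word.lower(), word.upper())


@dataclass
class Finding:
    pid: int
    score: int
    reasons: List[str] = field(default_factory=list)


def assess(pid: int, image: str, cmdline: str) -> Finding:
    """Score one process record; non-PowerShell images always score 0."""
    finding = Finding(pid=pid, score=0)
    if image.lower().rsplit("\\", 1)[-1] not in POWERSHELL_IMAGES:
        return finding
    for label, pattern in FLAG_PATTERNS:
        if pattern.search(cmdline):
            finding.score += 2  # assumed weight per strong indicator
            finding.reasons.append(label)
    odd = sorted({t for t in re.findall(r"-?\w+", cmdline) if unusual_casing(t)})
    if odd:
        finding.score += 1  # weaker indicator: mixed-case parameter names
        finding.reasons.append("unusual flag casing: " + ", ".join(odd))
    return finding


def suspicious(processes, threshold: int = 3) -> List[Finding]:
    """Return findings at or above the (assumed) alerting threshold."""
    return [f for f in (assess(*p) for p in processes) if f.score >= threshold]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_PROCESSES):
        print(f"PID {f.pid}: score {f.score}, reasons: {'; '.join(f.reasons)}")
```

Feeding real records (for example the command-line field of Sysmon process-creation events or the output of `wmic process get processid,commandline`) into `suspicious()` surfaces the instances worth pulling a command line for, without alerting on an administrator's `-ExecutionPolicy RemoteSigned -File` invocation; the weights and threshold are starting points to tune against your own baseline.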
Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.
The response involved several steps to contain and eliminate the threat:
Terminating the malicious PowerShell instance.
Deleting the identified folders containing encoded payloads.
Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.
A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.
As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.
Discover how ThreatDown MDR can safeguard your K-12 institution.
Malwarebytes
US offers $2.5 million reward for hacker linked to Angler Exploit Kit
The U.S. Department of State and the Secret Service have announced a reward of $2,500,000 for information leading to Belarusian national Volodymyr Kadariya (Владимир Кадария) for cybercrime activities. […] Read More