It’s hard to believe that January is almost over, and as we head into February, it’s important to know that no matter the time of year, cyberthreats continue to present themselves to businesses and organizations of any size. This past month we have seen the repercussions of not using strong passwords, a new malware technique that can hijack your Google account, and a massive data dump revealing millions of passwords.
Here’s a look at some of the most important cybersecurity developments in January 2024:
Organizations Lack Strong Passwords
A recent survey by Axiad highlights a concerning lack of robust password hygiene and authentication practices among organizations, rendering them susceptible to phishing attacks. Despite 88% of IT professionals feeling confident in their companies’ preparedness for password-based cyberattacks, a majority acknowledges falling victim to such incidents.
The survey, which gathered responses from over 200 IT professionals across diverse sectors in the US, found that 39% consider phishing the cyberattack they fear most, and almost half see it as the most likely threat. Despite these concerns, 93% of the businesses still rely on passwords, citing reluctance to change (64%) and the cost of replacing existing technology (54%) as the main barriers to adopting alternatives. When passwords are exploited, respondents spread the blame across IT staff (35%), end users (32%), security teams (25%), and leadership (8%). Looking ahead, 45% plan to move toward passwordless technology and 27% toward multi-factor authentication (MFA).
Axiad’s co-CEO, Bassam Al-Khalidi, called the results alarming: despite escalating threats, most companies still rely on passwords. Al-Khalidi advocates passwordless authentication and phishing-resistant MFA as the way to bolster security posture as generative AI makes cybercriminal activity cheaper and more convincing.
Malvertising Scheme Spreading Ransomware
The hacking group Twisted Spider (tracked by Microsoft as Storm-0216) has turned to a new malvertising-based delivery chain that ends in deployment of the CACTUS ransomware. The group previously relied on hand-offs from QakBot operators; after law enforcement dismantled QakBot’s infrastructure in 2023, it had to change the tools it uses to break into networks and steal data. Since November 2023 it has been buying access from Storm-1044, whose DanaBot initial-access trojan infects the target endpoints.
The current DanaBot campaign uses a private build of the info-stealing malware: it harvests login credentials, and the resulting access is handed to partners for hands-on-keyboard activity. Once inside, Storm-1044 moves laterally across the network via RDP sign-in attempts, then hands control to Twisted Spider, which deploys CACTUS on the compromised endpoints. CACTUS has become a preferred payload for several ransomware operators; Arctic Wolf researchers have separately reported intrusions that deployed it by exploiting vulnerabilities in the Qlik Sense data analytics platform. Its distinguishing evasion trick is that the ransomware binary itself ships encrypted and only decrypts at run time, which hampers detection by antivirus and network monitoring tools. First identified in March 2023, CACTUS otherwise follows the standard double-extortion playbook: steal sensitive data, encrypt systems, and demand cryptocurrency payment both for the decryption key and for not publishing the data.
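The “lateral movement via RDP sign-in attempts” step above is the point in this chain where a defender with Windows logon telemetry can catch the intrusion before the ransomware lands. The following is an added example written for this post, not code from Microsoft’s or Arctic Wolf’s reporting. It scans constructed records shaped like Windows Security events 4624 (successful logon) and 4625 (failed logon) with LogonType 10 (RemoteInteractive, the type RDP sessions produce), and flags any source address that completed RDP logons to several distinct hosts in a short window. The WINDOW and MIN_HOSTS thresholds are assumptions to tune per environment.

```python
"""Detect RDP fan-out from Windows Security logon events.

Added example, not code from the original post. Runs over constructed
records shaped like Windows Security events 4624/4625 with LogonType 10.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive (RDP)
WINDOW = timedelta(minutes=30)   # assumption: how fast "fan-out" must happen
MIN_HOSTS = 3                    # assumption: distinct targets per source

# Constructed sample events (not real logs). Keys mirror the Security log's
# EventID, LogonType, IpAddress (source), TargetUserName and Computer (target).
SAMPLE_EVENTS: List[dict] = [
    {"time": "2024-01-15T02:01:10", "event_id": "4625", "logon_type": "10", "src_ip": "10.0.5.23", "user": "svc_backup", "computer": "FS01"},
    {"time": "2024-01-15T02:01:12", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.5.23", "user": "svc_backup", "computer": "FS01"},
    {"time": "2024-01-15T02:04:40", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.5.23", "user": "svc_backup", "computer": "SQL02"},
    {"time": "2024-01-15T02:09:03", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.5.23", "user": "svc_backup", "computer": "DC01"},
    {"time": "2024-01-15T02:12:55", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.5.23", "user": "svc_backup", "computer": "HR-APP"},
    # benign: one admin to one jump host, then a network (type 3) logon
    {"time": "2024-01-15T08:30:00", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.9.8", "user": "jsmith", "computer": "JUMP01"},
    {"time": "2024-01-15T08:31:00", "event_id": "4624", "logon_type": "3", "src_ip": "10.0.9.8", "user": "jsmith", "computer": "FS01"},
    # two hosts from one source, hours apart: outside the window
    {"time": "2024-01-15T09:00:00", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.7.1", "user": "helpdesk", "computer": "WS-100"},
    {"time": "2024-01-15T13:00:00", "event_id": "4624", "logon_type": "10", "src_ip": "10.0.7.1", "user": "helpdesk", "computer": "WS-101"},
]


def detect_rdp_fanout(events, window=WINDOW, min_hosts=MIN_HOSTS) -> Dict[str, dict]:
    """Return {source_ip: {"hosts": [...], "failed_attempts": n}} for every
    source that completed RDP logons to >= min_hosts distinct hosts inside
    some span no longer than `window`. failed_attempts counts 4625 RDP
    events from the same source, a hint that credentials were being tried."""
    successes = defaultdict(list)
    failures = defaultdict(int)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["event_id"] == "4624":
            successes[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["computer"]))
        elif e["event_id"] == "4625":
            failures[e["src_ip"]] += 1

    hits: Dict[str, dict] = {}
    for src, logons in successes.items():
        logons.sort()  # by timestamp
        flagged = set()
        start = 0
        for end in range(len(logons)):
            # shrink the window from the left until it spans <= `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged.update(hosts)
        if flagged:
            hits[src] = {"hosts": sorted(flagged), "failed_attempts": failures[src]}
    return hits


if __name__ == "__main__":
    for src, info in detect_rdp_fanout(SAMPLE_EVENTS).items():
        print(f"{src}: RDP logons to {len(info['hosts'])} hosts "
              f"({', '.join(info['hosts'])}), {info['failed_attempts']} failed attempt(s)")
```

Only the 10.0.5.23 source is flagged: four distinct hosts inside twelve minutes, preceded by a failed RDP logon. The single jump-host logon and the two logons hours apart fall below the threshold, which is the kind of noise a naive “any RDP to a server” rule would drown in.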
Data Dump Contains Millions of Passwords
A massive data dump containing millions of passwords has set off a significant security alert. Troy Hunt, who runs Have I Been Pwned (HIBP), a service for checking whether your email address has appeared in a data breach, was sent a dataset called Naz.API: 319 files totaling 104GB, with roughly a billion credential lines and 70,840,771 unique email addresses. Of those addresses, 65.03% were already in HIBP, and 427,308 HIBP subscribers were affected. Around 25 million of the passwords in the dump had never appeared in a previous leak.
The dataset was assembled largely from infostealer logs, and the passwords are in plaintext, many of them simple and commonly used. The credentials covered accounts on websites including Facebook, Roblox, Coinbase, Yammer, and Yahoo. Hunt confirmed the accuracy of a sample of the usernames and passwords by contacting people on the list. Not all of the data came from malware, however: some of it had been circulating for years, including Hunt’s own email address and a password he used before 2011.
New Malware Attack Can Hijack your Google Account
This threat involves info-stealing malware strains that exploit an undocumented Google OAuth endpoint named MultiLogin to compromise Google accounts. The technique restores expired authentication cookies, so an attacker keeps access even after the victim resets their password. The malware targets Google session cookies, which carry authentication state and are normally short-lived; with this technique they can be regenerated after they expire.
Operators of the Lumma and Rhadamanthys stealers claim the ability to restore expired Google authentication cookies. CloudSEK, a cybersecurity firm, reverse-engineered the exploit and found that it extracts tokens and account IDs from Chrome profiles and then replays them against the MultiLogin endpoint. The stolen data, a GAIA ID and an encrypted token, is decrypted with the encryption key that Chrome stores in its “Local State” file.
With those tokens and the MultiLogin endpoint, attackers regenerate expired Google service cookies and maintain persistent access to the compromised account. Google has acknowledged the issue and recommends that affected users sign out of the browser (or revoke the sessions from their account’s devices page) to invalidate the session cookies; note that this revocation, not a password change on its own, is what cuts off access, since the technique is designed to survive a password reset. Google also advises turning on Enhanced Safe Browsing in Chrome for additional protection against malware and phishing, and changing the Google password as a general hygiene step. Malware adopting session-cookie restoration underscores the importance of user vigilance, running antivirus software, and expecting more stealer families to pick up this feature.
Stay Protected with SWK
When it comes to digital attacks, the name of the game is being proactive. Waiting until after a cyberattack affects your organization to bolster your defenses is simply too late. Hackers never take a break, so neither can you. To stay on top of the cybersecurity developments that occur each month, contact SWK today and learn how you can protect your business from threats like these.