Tag Archives: Security

Posted on Author Atlantic Computer Services Categories Blog

RDP Brute Force Attacks Blocked By Windows 11

A small but important feature was recently incorporated by the Windows 11 design team.  A new Account Lockout Policy enabled by default has been added.  This policy automatically locks user accounts (including Admin accounts) after ten failed sign-in attempts.

The account remains in a locked state for ten minutes, requiring users to wait that amount of time before they can try again.

The addition was made in a bid to prevent or at least minimize the risk of brute force attacks being made against systems. This is used in instances where different passwords are tried in rapid succession until an attacker gets a hit and is given some level of access on a target system.

It’s an excellent change because many human operated ransomware attacks rely on simple, brute force methods. Statistics gathered on the subject by the FBI indicate that between 70 to 80 percent of network breaches are because of brute force attacks.

The above describes the default settings, but Admins will have a great degree of flexibility in terms of deciding the exact policy.  The number of unsuccessful attempts before lockout can be varied. The lockout duration can be varied. The option to disable Admin accounts can be toggled on or off. Of course, the entire policy can be disabled if an Admin so desires.

Interestingly, Windows 10 has a similar lockout policy but it is not enabled by default, which is the important change here.

We regard this as another of those small but important changes that the Windows 11 team is making designed to make the new OS better, safer, and more secure than anything that Microsoft has released previously.

Kudos to the Microsoft engineers who are working tirelessly to ensure Windows 11 is a smashing success.  If the preview we’ve gotten to this point is any indication, it certainly will be!

0
Posted on Author Atlantic Computer Services Categories Blog

New Android Malware Disables WiFi To Attempt Toll Fraud

There’s a new threat to be aware of if you own an android device.  Microsoft recently warned that their researchers had spotted a new toll fraud malware strain wreaking havoc in the Android ecosystem.

Toll fraud is a form of billing fraud. It is a scheme whereby bad actors attempt to trick unsuspecting victims into either calling or sending an SMS to a premium number.

In this case, however, the scheme doesn’t work over WiFi so it forces the device the user is on to connect to the mobile operator’s network.

What typically happens in a non-scam situation is that if a user wants to subscribe to paid content, they need to use WAP (Wireless Application Protocol) and they need to switch from WiFi to the mobile operator’s network.

Most of the time, the network operator will send a one-time password for the customer to confirm their choice.

The threat actors running this scam don’t do that.  The toll fraud malware makes the switch automatically and without informing the user.  In fact, it actively suppresses warnings that might alert the user to what’s going on.  The result is that the user winds up with a hefty bill for a service they didn’t even know they were signing up for.

This is accomplished via JavaScipt injection which is hardly new. Although in this case, it’s being implemented in a novel fashion and is designed to keep the whole operation as discreet as possible.

The following items happen completely under the radar:

  • Disabling the WiFi connection
  • Navigation to the subscription page and auto clicking the subscription button
  • Intercepting the one-time password in cases where one is used
  • Send the OTP code to the service provider as necessary
  • And cancelling SMS notifications

This is a tricky one to defend against, so be sure your employees are aware and on the lookout for mysterious charges on their accounts.

0
Posted on Author Atlantic Computer Services Categories Blog

WordPress Plugin Leaves Sites Vulnerable

Researchers at Defiant authored the popular Wordfence security solution for WordPress users and they have detected a massive campaign that has seen hackers actively scanning for websites employing the Kaswara Modern WPBakery Page Builder plugin.

The plugin was recently abandoned by the creative team behind it before receiving a patch for a critical security flaw.

The flaw, tracked as CVE-2021-24284 would allow an attacker to inject a malicious Javascript into any site using any version of the plugin, which would allow the uploading and deletion of files that could easily lead to a complete takeover of the site targeted.

What makes this campaign so impressive is the fact that the hackers have scanned more than a million and a half sites so far, searching for vulnerable targets.  Fortunately, only a tiny percentage of sites scanned have been running the vulnerable plugin.

Based on the data collected, the campaign appears to have started on July 4th of 2022, and is ongoing to this day.  The attacks originate from more than ten thousand unique IP addresses, indicating a large, organized group of attackers. The identity of the group behind the campaign is not known at this time.

The bottom line here is simple.  If you are running this plugin, we recommend stopping immediately and uninstalling it. Since it has been abandoned by its authors, there’s no fix coming and no matter how helpful it may have been to you, it’s just not worth the risk.

Even if some other group adopts the plugin later, there’s no telling how long it might take for that to happen. Even if it did, there’s no way to know how long it might take them to develop a patch for it.  For now then, your best bet is to treat this plugin as toxic and steer clear of it.

0
Posted on Author Atlantic Computer Services Categories Blog

Skimmers Are Stealing Credit Card Information From US Restaurants

If you eat out or are in the habit of ordering take-out on a regular basis, be aware.

Recently, a large, well-organized web-skimming campaign has been uncovered that allowed hackers to swipe the payment card details for more than 300 restaurants, impacting more than 50,000 customers.

Web-skimmers are sometimes called Magecart malware and they are bits of JavaScript that collects credit card data when shoppers enter their card data on the checkout page on an online payment portal.

This latest campaign was brought to light by researchers at Recorded Future, who noticed suspicious activity on the ordering portals of InTouchPOS, Harbortouch, and MenuDrive.

There have been two distinct campaigns so far, with the first one beginning on January 18 of 2022 and impacting 80 different restaurants using MenuDrive and another 74 that were utilizing Harbortouch’s platform.

Big chains don’t typically use platforms like these, so most of the impacted restaurants were small, local operations widely scattered across the United States.  In both campaigns just mentioned, the web skimmer malware code was discovered on the restaurant’s web pages and its subdomain on the payment portal’s platform.

In the case of Harbortouch, a single malicious JavaScript was used, while two different scripts were deployed against MenuDrive users.

The second campaign targeted InTouchPOS beginning on November 12 of 2021, but most of the actual attacks occurred in January 2022.  Here, no details were stolen from the site itself but rather, the attackers overlaid a fake payment form on top of the legitimate one and harvested payment details that way.

Recorded Future reports that both campaigns appear to be ongoing, and the firm has alerted all impacted entities.  At the time this piece was written, they had not received a response back from anyone.

In any event, if you order online from a local eatery near you, keep a watchful eye on your account.  Your payment data may have been compromised.

0
Posted on Author Atlantic Computer Services Categories Blog

Large Scale Okta Phishing Campaign Targets Many Organizations

According to ongoing research by Group-IB, a massive phishing campaign is currently underway.

This is a campaign that has impacted no less than 130 organizations across a broad range of industries. These include but are not limited to professional recruiting firms and companies connected to finance and technology.

Some of the companies targeted include giants in their respective fields such as:

  • TTEC
  • Best Buy
  • HubSpot
  • Evernote
  • Riot Games
  • AT&T
  • Epic Games
  • Microsoft
  • Twitter
  • Slack
  • Verizon Wireless
  • MetroPCS
  • Twilio
  • MailChimp
  • Klaviyo
  • And T-Mobile

This comes with an unsuccessful attempt to breach Cloudflare’s network as well.

The phishing campaign utilizes a kit that has been code-named ‘Oktapus,’ and has been underway since at least March of this year (2022).  As the Group-IB report indicates, it has many tentacles indeed.  So far, the group behind the campaign has been able to steal nearly ten thousand login credentials and use these to gain access to targeted networks.

The attack begins simply enough, as many such attacks do.  The target receives an SMS message with a link to a web page.  This page appears to be legitimate.  It is a precise copy of a corporate webpage, utilizing all the right branding and logo images.

Invariably, users are presented with a login box and are promoted to enter their account credentials and two-factor authentication codes if applicable.  Doing so hands that information over to the hackers controlling the site, giving them another login to abuse.

Okta is a perfectly legitimate and in fact, widely respected Identity-as-a-service (IDaaS) platform that allows users to employ a single login to access all software assets in their company.  Unfortunately, hackers have discovered a means of abusing that to steal customer data, which is then used to conduct additional attacks, targeting firms in the supply chain of the initially targeted company.

Even if your company isn’t connected to any of the industries the hackers have targeted thus far, be sure your IT staff is aware of this threat.

0
1 4 5 6 7 8 155