Law enforcement authorities in the Netherlands have arrested two alleged individuals belonging to a Dutch cybercriminal collective who were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what’s known as a “Fraud-as-a-Service” operation.

The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are said to have been the main developer and seller of the phishing frameworks that were employed to collect login data from bank customers. The attacks primarily singled out users in the Netherlands and Belgium.

The 15-year-old suspect has since been released from custody “pending further investigation,” Dutch police said.

Believed to be active since at least 2020, the cybercriminal syndicate has been codenamed “Fraud Family” by cybersecurity firm Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow the fraudsters to interact with the actual phishing site in real time and retrieve the stolen user data.

“The phishing frameworks allow attackers with minimal skills to optimize the creation and design of phishing campaigns to carry out massive fraudulent operations all the while bypassing 2FA,” Group-IB Europe’s Roberto Martinez, senior threat intelligence analyst, and Anton Ushakov, deputy head of the high-tech crime investigation department, in a report, adding the gang “advertises their services and interacts with fellow cybercriminals on Telegram messenger.”

images from Hacker News

Nearly three weeks after Florida-based software vendor Kaseya was hit by a widespread supply-chain ransomware attack, the company on Thursday said it obtained a universal decryptor to unlock systems and help customers recover their data.

“On July 21, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident,” the company said in a statement. “Kaseya obtained the tool from a third-party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor.”

It’s not immediately unclear if Kaseya paid any ransom. It’s worth noting that REvil affiliates had demanded a ransom of $70 million — an amount that was subsequently lowered to $50 million — but soon after, the ransomware gang mysteriously went off the grid, shutting down their payment sites and data leak portals.

The incident is believed to have infiltrated as many as 1,500 networks that relied on 60 managed service providers (MSPs) for IT maintenance and support using Kaseya’s VSA remote management product as an ingress point for what has turned out to be one of the “most important cybersecurity event of the year.”

images from Hacker News

An advanced persistent threat (APT) actor has been tracked in a new campaign deploying Android malware via the Syrian e-Government Web Portal, indicating an upgraded arsenal designed to compromise victims.

“To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks,” Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du said in a technical write-up published Wednesday.

StrongPity, also codenamed Promethium by Microsoft, is believed to have been active since 2012 and has typically focused on targets across Turkey and Syria. In June 2020, the espionage threat actor was connected to a wave of activities that banked on watering hole attacks and tampered installers, which abuse the popularity of legitimate applications, to infect targets with malware.

“Promethium has been resilient over the years,” Cisco Talos disclosed last year. “Its campaigns have been exposed several times, but that was not enough to make the actors behind it to make them stop. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.”

The latest operation is no different in that it underscores the threat actor’s propensity towards repackaging benign applications into trojanized variants to facilitate the attacks.

images from Hacker News

Organizations today must give attention to their cybersecurity posture, including policies, procedures, and technical solutions for cybersecurity challenges.

This often results in a greater burden on the IT service desk staff as end-users encounter issues related to security software, policies, and password restrictions.

One of the most common areas where security may cause challenges for end-users is password policies and password changes. What are these issues? How can organizations reduce end-user password change frustration? First, let’s consider the standard password policy, its role, and general settings affecting end-users.

What are password policies?

Most organizations today have a password policy in place. So, what is a password policy? Password policies define the types and content of passwords allowed or required of end-users in an identity and access management system. Various aspects of the password that businesses control may include the password’s required length, composition (requiring certain characters), password age, and disallowing the reuse of passwords used before.

Microsoft’s Active Directory Domain Services is arguably the most prevalent identity and access management system servicing on-premises environments today. Active Directory Password Policies allow businesses to control basic characteristics of end-user passwords with configurable password settings.

images from Hacker News

Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning across multiple products, some of which could be exploited by a remote attacker to take control of an affected system.

Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that’s remotely exploitable without authentication. It’s worth noting that the weakness was originally addressed as part of an out-of-band security update in June 2019.

Oracle WebLogic Server is an application server that functions as a platform for developing, deploying, and running enterprise Java-based applications.

The flaw, which is rated 9.8 out of a maximum of 10 on the CVSS severity scale, affects WebLogic Server versions 11.1.2.4 and 11.2.5.0 and exists within the Oracle Hyperion Infrastructure Technology.

Also fixed in WebLogic Server are six other flaws, three of which have been assigned a CVSS score of 9.8 out of 10 —

• CVE-2021-2394 (CVSS score: 9.8)
• CVE-2021-2397 (CVSS score: 9.8)
• CVE-2021-2382 (CVSS score: 9.8)
• CVE-2021-2378 (CVSS score: 7.5)
• CVE-2021-2376 (CVSS score: 7.5)
• CVE-2021-2403 (CVSS score: 5.3)

images from Hacker News