A massive data leak that includes information from several past breaches with a staggering 12 terabytes of data, covering at least 26 billion records, is available on the dark web. This breach involved user data from platforms such as LinkedIn, Twitter, Weibo, Tencent, and others, making it the largest data leak ever identified. Continue reading this Cybersecurity Threat Advisory for actions to take to secure user accounts from possible cyberattacks.

What is the threat?

This threat incorporates records from thousands of carefully compiled and reindexed leaks, breaches, and privately traded databases. The recently identified database of leaked data is a substantial 12 terabytes in size, earning it the title “MOAB” or Mother of All Breaches.

Why is it noteworthy?

The MOAB doesn’t seem to consist solely of newly stolen data; it’s likely the largest compilation of multiple breaches (COMB). Although the team identified over 26 billion records, duplicates are highly probable. However, the leaked data goes beyond just credentials; a considerable portion contains sensitive information, making it valuable for malicious actors.

What is the exposure or risk?

Malicious actors could exploit the consolidated data for various types of attacks, such as identity theft, sophisticated phishing schemes, targeted cyberattacks, and gaining unauthorized access to personal and sensitive accounts. This situation involves compiled records from numerous past breaches and data leaks. Notably, the leaked information encompasses records from various government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries. An increase in credential stuffing attacks is anticipated in the coming weeks as a consequence of this breach.

What are the recommendations?

Barracuda recommends taking the following measures to help secure your organization’s user accounts from this MOAB:

  • It is highly advised for users to remain vigilant and prioritize their cybersecurity practices. Ensuring good credential hygiene, and enabling two-factor authentication where possible, is essential for maintaining security. If you haven’t done so yet now is an excellent time to start implementing these measures.
  • Ensure that everyone employs robust and difficult-to-predict passwords.
  • Add an extra layer of security by enabling multi-factor authentication on all crucial accounts.
  • Stay alert to potential phishing and spear phishing attempts, and exercise caution when interacting with emails and messages.
  • Regularly review and eliminate password duplicates to enhance security.
  • Immediately implement new protective measures for accounts that share the same passwords to strengthen their security

Given the surge of incidents within the past decade, many people are becoming familiar with ransomware and data breaches. However, a new type of cyberattack known as killware has emerged in recent years, and it’s now a major security issue for organizations. But what does the term “killware” actually mean? Let’s take a look:

Killware and industries that are vulnerable to these attacks

Security Magazine describes killware as a cyberattack that is deployed with the intent of producing real-life risk to communities through the manipulation of operational technology (OT). Put simply, killware attacks can be lethal or physically damaging to human life because they target critical infrastructure.

For example, suppose that a city’s public transportation system gets hacked, and services are halted. The transit company can handle the situation by fulfilling the attackers’ ransom request so that public safety isn’t endangered, but it’s likely that someone may get injured while the services are stopped.

As businesses continue to digitalize operations, threat actors will have more opportunities to execute killware attacks given their ability to access systems more easily. The U.S. Department of Homeland Security (DHS) suggests that hospitals, power grids, banks, police departments, etc. are considered primary killware targets because thousands of people can be put at risk. Essentially, highly networked industries and organizations are more susceptible to these types of attacks.

Killware vs. malware: What’s the difference?

Both killware and malware can seem fairly similar in nature, however, they’re different in terms of their end goals and the ways in which they are defined. Different forms of malware are typically defined based on the tactic used (e.g., phishing or crypto jacking), whereas killware is generally defined by its ultimate outcome and any type of method such as ransomware can be used in the execution process. In addition, most cybercriminals undertake malware campaigns hoping for monetary gain, but killware attacks are designed to inflict physical harm on others.

In today’s digital age, the use of technology continuously evolves to make our personal and professional lives more convenient. Quick Response (QR) code has been one such advancement. This two-dimensional barcode allows users to share website URLs and contact information or make payments. While QR codes have made our daily lives easier, they have also opened new avenues for cybercriminals to exploit. Also known as quishing, QR code phishing attacks are on the rise and present a significant threat to users and organizations alike.

How cybercriminals are using QR codes in email attacks

Hackers use QR codes in email attacks to trick recipients into visiting malicious websites or downloading malware onto their devices. These attacks typically involve social engineering tactics designed to exploit the trust that people often place in emails. Here are some examples of the tactics that cybercriminals are using:

Phishing links

Attackers embed QR codes in phishing emails, prompting users to scan the code and visit a fake page that appears to be a trusted service or application. Victims are usually tricked into entering their login credentials, which are then captured by an attacker.

Fake QR codes may also lead to surveys or forms that request personal information such as name, address, or Social Security number. Victims might be lured with promises of rewards or prizes in exchange for information or even a small payment.

The holiday season is here, and organizations are facing an increased risk of cyberthreats with a notable focus on the activities of access brokers. These threat actors specialize in gaining and selling unauthorized access to organization accounts by orchestrating social engineering campaigns and exploiting seasonal vulnerabilities. There has been a significant surge in access broker activity, especially towards the end of the year. Cybercriminals are capitalizing on the distracted workforce, reduced staff, and operational changes that are typical during the holiday season.

During the holiday season, cyber-threats intensify, with increased online activities and vulnerabilities. Ransomware, constituting nearly 25 percent of malicious attacks in 2023 with average costs exceeding $5 million, strategically exploits the holiday period, taking advantage of limited IT support for impactful network exploitation and ransomware propagation.

Access brokers are a notable threat during this season and actively participate in sophisticated social engineering campaigns, exploiting vulnerabilities, and orchestrating well-crafted attacks. Phishing escalates, creating a surge in promotional emails and mimicking seasonal content, such as order and tracking emails, charity requests, and holiday event messages. Spear-phishing campaigns see a notable uptick as well, boasting an average click-through rate of 11 percent.

Concurrently, Distributed Denial of Service (DDoS) attacks proliferate, with approximately 7.9 million incidents recorded globally in the first half of 2023, marking a 31 percent increase from the previous year. These attacks strategically target eCommerce businesses and financial institutions during holiday peaks, aiming to disrupt operations in industries experiencing a surge in internet traffic.

This Cybersecurity Threat Advisory highlights a new security flaw that has recently been discovered in Atlassian’s Confluence Data Center and Server, which could result in significant data loss if exploited. Tracked as CVE-2023-22518, this vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described by Atlassian as an “improper authorization vulnerability.”

What is the exposure or risk?

All versions of Confluence Data Center and Server are at risk of being affected by this vulnerability. Because Confluence sites are only accessible via an atlassian.net domain, there is no impact to confidentiality because attackers are unable to exfiltrate data from that domain. Versions outside of the support window, including those which have reached the end of their services (or End of Life, when manufacturers no longer support that type of hardware) may also be affected.

Several serious security flaws have been found in the Veeam ONE platform for analytics and IT infrastructure monitoring. These vulnerabilities may result in data breaches, illegal access, and NTLM hash theft. To fix these problems, Veeam has published security patches and issued a warning. Read this Cybersecurity Threat Advisory on recommendations to mitigate risks and protect Veeam environments.

Multiple vulnerabilities have been found in Veeam ONE, an IT infrastructure monitoring and analytics platform. CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 affect Veeam ONE versions 11, 11a, and 12. CVE-2023-38549 affects only Veeam ONE 12.

The initial two vulnerabilities, CVE-2023-38547 and CVE-2023-38548, are rated critical. CVE-2023-38547 can permit an unauthenticated user to access Veeam ONE’s configuration database’s SQL server connection information, potentially leading to remote code execution on the SQL server. CVE-2023-38548 enables unprivileged Veeam ONE Web Client users to obtain the access token of a Veeam ONE Administrator. These weaknesses might permit aggressors to take NTLM hashes and exploit other security shortcomings. Veeam has recognized these issues and delivered security updates to address the weaknesses.

What is the exposure or risk?

These vulnerabilities come with significant risk and exposure. Attackers may be able to obtain sensitive data exfiltration, compromise vital systems, and obtain unauthorized access to an organization’s IT infrastructure if they are successful in their exploit. The effect of a breach may increase if NTLM hashes are stolen since they may allow for more exploitation and lateral movement throughout the network. A successful attack may result in reputational harm as well as monetary losses.

What is the threat?

The wiper, named “BiBi-Windows Wiper”, has been used by a pro-Hamas hacker group in the wake of the ongoing Israel-Hamas war.

BiBi-Windows Wiper is part of a wider data-wiping attack on Israeli computers destroying data on both Linux and Windows systems. It is primarily targeting the education and technology sectors. The wiper malware also causes irreversible data corruption and operational disruption on almost all files. The malware simply overwrites the original file with random bytes to prevent their recovery, followed by renaming the files using a ten-character long sequence of random letters containing the “BiBi” string, with no possible method to recover it. The malware also switches off the “Error Recovery” mode and deactivates the “Windows Recovery” feature.