So apparently a large cache of Lazada Thailand info is being touted on the web. Someone has seen a sample and said it looks legit.
It doesn't include credit card info, etc., but it does contain email addresses.
This means that attackers who gain access to it could send fake Lazada messages that look convincing to existing customers.
So if you are a Lazada user, be very careful to check any emails from them. Hover the mouse over the email address and the links to make sure they are legit.
Where possible, use the Lazada website rather than using links in emails.
If you have any doubts about an email, contact Lazada Support.
*** I should add that, since Lazada are not being very forthcoming about it, you should change your password immediately. And don't change one character, pick a new, long, passphrase.
Last edited by harrybarracuda; 21-11-2020 at 04:27 PM.
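The "hover over the link" check from the post above, done programmatically. This is an added example, not code from the original post or from Lazada: it pulls every anchor out of an HTML mail body and flags links whose host is not under the brand's expected domains, hosts that merely contain the brand name, and links whose visible text names one site while the href goes to another. The sample mail, the look-alike hosts, and the `EXPECTED_DOMAINS` tuple are constructed for the demo.

```python
"""Flag suspicious links in an HTML e-mail body (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's real registrable domains. Anything else is untrusted.
EXPECTED_DOMAINS = ("lazada.co.th", "lazada.com")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: last two labels, or three for co.th / com.au style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "com", "org", "net", "ac", "go"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def is_trusted(host):
    return registrable(host) in EXPECTED_DOMAINS


def check_link(href, text):
    """Return the reasons a link looks phishy; an empty list means it passed."""
    reasons = []
    url = urlparse(href)
    if url.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {url.scheme!r}")
    host = url.hostname or ""
    if not host:
        reasons.append("no host in href")
        return reasons
    if not is_trusted(host):
        reasons.append(f"href host {host} is not under {EXPECTED_DOMAINS}")
        if "lazada" in host:
            reasons.append("look-alike host contains the brand name")
    # Visible text that itself names a site, but the href goes somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"visible text says {m.group(1)} but href goes to {host}")
    return reasons


def audit_email(html):
    """Return (href, visible text, reasons) for every link in the mail body."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample: one genuine link, one host-in-text mismatch, one look-alike.
SAMPLE_MAIL = """
<p>Dear customer, your Lazada order is on hold.</p>
<a href="https://www.lazada.co.th/orders">View order</a>
<a href="http://lazada.co.th.account-verify.net/login">https://www.lazada.co.th/login</a>
<a href="https://secure-lazada-th.com/reset">Reset password</a>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_MAIL):
        print("OK  " if not reasons else "WARN", href, "|", text, "|", "; ".join(reasons))
```

The second link is the classic trick the post warns about: the text reads like the real site, but the registrable domain of the href is account-verify.net. A real client-side filter would also resolve shorteners and check the mail's authentication results, which this example leaves out.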
Per this report, Shopee and Line were hacked as well. No shortage of bad cybersecurity news these days.
[Update-1] Lazada blames third party for data leak; leak affects Shopee and Line as well, Lazada says - Thai Enquirer
How are Thai hospitals handling the recent uptick in ransomware attacks against medical providers? Several US based healthcare systems have fared rather poorly.
"Hospitals and the healthcare industry have faced a flurry of cyberattacks over the past few months. In September, a ransomware attack shut down Universal Health Services, a Fortune-500 owner of a nationwide network of hospitals. And more recently, in October, several hospitals were targeted by ransomware attacks, including Klamath Falls, Ore.-based Sky Lakes Medical Center and New York-based St. Lawrence Health System."
Post-Cyberattack, UVM Health Network Still Picking Up Pieces | Threatpost
Anyone out there got True Online as their ISP?
And if so, do you by any chance have a Zyxel 660HN Router provided by them? (Check on the label).
More critical Chrome bugs.
High-Severity Chrome Bugs Allow Browser Hacks | Threatpost
Russians are favourites....
FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State - The New York Times
WASHINGTON — For years, the cybersecurity firm FireEye has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be.
Now it looks like the hackers — in this case, evidence points to Russia’s intelligence agencies — may be exacting their revenge.
FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.
Russian (state-sponsored) hacking groups are in the news again. I imagine their "cover your tracks" training is overdue.
"Russian government hackers are behind the breach at the US Treasury and Commerce departments, says a report."
"The hackers have been able to monitor email traffic within the departments for months, and it is not known how many other federal agencies they may have compromised.
Now the FBI is investigating the campaign by the hacking group working for the Russian foreign intelligence service, SVR, according to the Washington Post."
"The hackers, who are known as Cozy Bear or APT29, are reportedly the same group that hacked the White House and State Department under the Obama administration."
Russian government hackers behind breach at US treasury and commerce departments | The Independent
There is quite a lot of speculation that:
- They took FireEye's Red Team toolkit (proprietary Penetration testing tools - that were probably very good and were reported stolen, possibly a while back)
- They used these to get into the supply chain for updates to a product called SolarWinds Orion, which meant they could push malware with the customer updates.
- Having established a foothold on peoples' networks they could then do all manner of reconnaissance and data exfiltration.
- One article talks about them bypassing Microsoft Authentication, but if they had admin rights on the infrastructure, it would be easy to change the destination of two factor authentication requests.
It's a right mess and I look forward to the CISA report - under whoever baldy orange loser put in charge when he sacked the best man for the job (and his number two resigned).
Added: A chap called Brandon Wales. I bet his phone is ringing off the hook this morning.
I imagine Brandon Wales' phone has been ringing off the hook since November 18th.
Interesting article about him for people seeing that name for the first time.
After Krebs' dismissal, DHS’s cyber agency is led by career official Brandon Wales. For now.
Now it seems they used Orion to breach FireEye.
That's fucking embarrassing.
FireEye is considered one of the best malware sandboxes on the market today. The tool performs deep packet analysis through a full attack lifecycle and reports on any atypical modifications to applications or operating systems (OS) running on devices.
This is definitely going to have consequences for whoever did it. With this scale and sophistication, it's either Vlad or the chinkies.
SolarWinds Isn't the Only Way Hackers Entered Networks, CISA Says - Defense One
The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency.
The Cybersecurity and Infrastructure Security Agency, or CISA, released an alert Thursday through the U.S. Computer Emergency Readiness Team, or US-CERT, detailing what the agency currently knows about the attack. The alert calls out at least one other attack vector beyond SolarWinds products and identifies IT and security personnel as prime targets of the hacking campaign.
“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” officials wrote.
While the alert does not name suspects, officials offered a look into what is known about the attackers’ techniques and motivations.
“The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments,” the alert states. “CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.”
Between the potential depth of the intrusions, additional yet unknown attack vectors and the focus on IT and security personnel’s email, CISA officials warned organizations to maintain extra security around remediation discussions.
“Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures,” the alert states. “An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.”
The alert cites four versions of the SolarWinds Orion software that were found to be compromised. Those vectors have since been stitched shut, denying any new breaches but not remediating any deeper intrusions.
“Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease,” the alert states. “In the case of infections where the attacker has already moved [command and control] past the initial beacon, infection will likely continue notwithstanding this action.”
That last bit is the big worry for federal IT and security managers, as the SolarWinds Orion product was designed to access broad swaths of the network it is installed on. The alert notes the perpetrators were able to leverage their initial access to get more privileged access across agency networks, burrowing in deep before covering their trails.
“Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust [Security Assertion Markup Language] tokens from the environment,” the alert states. “These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces.”
The depth with which the attackers might have penetrated networks, combined with sophisticated masking—or “anti-forensic techniques”—means detection and remediations work will continue for some time.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” officials said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
However, officials have also discovered additional attack vectors beyond Orion products.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said. “CISA will update this alert as new information becomes available.”
The alert offers some details on one other potentially related attack discovered by security researchers at Volexity.
After FireEye published its findings on Dec. 13—the first public acknowledgement of the SolarWinds breaches—Volexity researchers were able to tie that intrusion to ongoing campaigns they had been tracking for years dubbed Dark Halo. Those attacks, using similar tactics, targeted U.S. think tanks as far back as 2019.
“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time,” researchers wrote in a Dec. 14 blog post. “Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication to access the mailbox of a user via the organization’s Outlook Web App service.”
In a statement, a Duo Security spokesperson clarified the “described incidents were not due to any vulnerability in Duo’s products.”
The attackers were able to get past the multifactor authentication security measures after compromising another service, “such as an email server,” they said.
It wasn’t until Dark Halo’s third attempt to access the think tank’s networks in June and July that researchers saw the SolarWinds Orion exploit.
“This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known,” CISA wrote in Thursday’s alert.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” CISA officials wrote. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”
The latest release also does not give any information on who the government believes is behind the attack. While several news outlets have cited anonymous government sources pointing to Russian government group Cozy Bear, also known as APT29, the alert offers no attribution, only a summation of the quality of the attackers’ work.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” the alert states, noting that, “removing the threat actor from compromised environments will be highly complex and challenging.”
The alert also offers a comprehensive list of known infected SolarWinds Orion products and identified indicators of compromise.
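The alert quoted above describes the actor minting "unauthorized but valid" SAML tokens with a stolen signing key and presenting them to services that trust the IdP. Because the relying party only checks the signature, the one record such a token never leaves behind is an issuance event on the identity provider itself. The following is an added example, not CISA's or any vendor's tooling: it correlates a constructed IdP issuance log with a constructed service-side log of accepted tokens and flags tokens with no matching issuance record, a subject that differs from what was issued, or a validity window longer than the IdP's policy allows. The field names, the one-hour lifetime policy, and all log records are assumptions made up for the demo.

```python
"""Find SAML tokens a service accepted that the IdP never issued (added example)."""
from datetime import datetime, timedelta

# Constructed IdP-side log: one record per assertion the IdP actually signed.
IDP_ISSUED = [
    {"assertion_id": "_a1", "user": "alice@corp.example",
     "issued": "2020-12-10T08:01:00Z", "not_on_or_after": "2020-12-10T09:01:00Z"},
    {"assertion_id": "_a2", "user": "bob@corp.example",
     "issued": "2020-12-10T08:05:00Z", "not_on_or_after": "2020-12-10T09:05:00Z"},
]

# Constructed relying-party log: tokens whose signature verified and were accepted.
SERVICE_ACCEPTED = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "seen": "2020-12-10T08:01:03Z",
     "not_on_or_after": "2020-12-10T09:01:00Z", "src_ip": "10.0.0.5"},
    {"assertion_id": "_a2", "user": "bob@corp.example", "seen": "2020-12-10T08:05:02Z",
     "not_on_or_after": "2020-12-10T09:05:00Z", "src_ip": "10.0.0.9"},
    # Signature valid (stolen key), but the IdP has no record of it and it lives a year.
    {"assertion_id": "_zz9", "user": "itadmin@corp.example", "seen": "2020-12-10T23:40:00Z",
     "not_on_or_after": "2021-12-10T23:40:00Z", "src_ip": "203.0.113.7"},
]

# Assumption: the IdP is configured to issue one-hour assertions.
MAX_LIFETIME = timedelta(hours=1)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_forged(issued, accepted, max_lifetime=MAX_LIFETIME):
    """Return (assertion_id, user, reasons) for each accepted token that looks forged."""
    by_id = {r["assertion_id"]: r for r in issued}
    findings = []
    for tok in accepted:
        reasons = []
        src = by_id.get(tok["assertion_id"])
        if src is None:
            reasons.append("no IdP issuance record for this assertion ID")
        elif src["user"] != tok["user"]:
            reasons.append(f"subject {tok['user']} differs from issued {src['user']}")
        # Remaining lifetime at the moment the service saw it is a lower bound on
        # the total lifetime; anything beyond policy was not minted by the IdP.
        remaining = parse_ts(tok["not_on_or_after"]) - parse_ts(tok["seen"])
        if remaining > max_lifetime:
            reasons.append(f"validity {remaining} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((tok["assertion_id"], tok["user"], reasons))
    return findings


if __name__ == "__main__":
    for aid, user, reasons in find_forged(IDP_ISSUED, SERVICE_ACCEPTED):
        print(aid, user, "->", "; ".join(reasons))
```

The correlation only works if the IdP's issuance log is shipped off the federation server before the attacker gets there, and it says nothing about tokens minted for accounts the attacker also created on the IdP. Rotating the token-signing certificate (twice, so the stolen one drops out of the trusted set) is what actually invalidates the forged tokens; this check is for finding out whether you need to.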
Perhaps... but why would there suddenly be consequences now?
The Chinese and Russians have been hacking US govt agencies for literally decades... and when the hacks are made public, the US govt. rarely even mentions the countries by name, much less retaliates.
The broad-brush reason for this is that this is considered espionage... and the US is essentially doing the same thing 24/7/365.
The Pentagon's budget is nearly $2 billion per day... Congress is likely going to pass a massive infrastructure package in Q1... a significant portion of that needs to make it into cyber security.
The acting US defense secretary (appointed by Trump days after he lost the election) just ordered a Pentagon-wide halt to any transition meetings with representatives of the incoming Biden administration.
If Trump's not a Russian asset... tell me how he would act differently if he was.
You should probably post that in the Biden thread. As it has fuck all to do with this.
CISA has now said it affects companies other than SolarWinds customers, and they will release details when investigations are completed.
This is quite the global attack in reality.
44% of the known targets are IT, Software or Equipment vendors.
And they probably all provide updates to their customers.
Haven't heard yet whether any companies or governments in Asia were affected. Saw this today though, and wonder if it's an indication that Chinese orgs were affected as well.
"Chinese cybersecurity firm RedDrip Team published their findings on Github, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments and high tech companies."
Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ — Krebs on Security
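The "killswitch" in the Krebs link above is the same mechanism the CISA alert quoted earlier describes: the implant resolves its C2 domain before doing anything, and if the answer lands in one of its built-in stop ranges it goes quiet, so repointing avsvmcloud[.]com at 20.140.0.1 (inside a Microsoft range on that list) switched off new infections. The block below is an added example of that gating logic, not SUNBURST's code. The resolver map is constructed, 20.140.0.0/15 is the only range the thread supports, and the private/multicast ranges are illustrative of the usual sandbox checks.

```python
"""A DNS-answer gate and the sinkhole that defeats it (added example, not implant code)."""
import ipaddress

# Ranges an implant treats as "do not run". Only 20.140.0.0/15 is drawn from the
# thread (the range avsvmcloud[.]com was pointed into); the rest are illustrative.
STOP_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private: sandbox or sinkhole
    "224.0.0.0/3",                                       # multicast / reserved
    "20.140.0.0/15",                                     # the kill-switch range
)]

# Constructed resolver answers standing in for real DNS.
FAKE_DNS = {
    "avsvmcloud.com": "20.140.0.1",       # after the coordinated takeover
    "c2.example.test": "198.51.100.23",   # constructed "live" C2 answer
    "sandbox.example.test": "10.1.2.3",   # what an analysis VM's resolver might return
}


def resolve(name, resolver=FAKE_DNS):
    return resolver.get(name)


def should_proceed(name, resolver=FAKE_DNS):
    """The gate: (proceed, reason). Proceed only if the answer is outside every stop range."""
    answer = resolve(name, resolver)
    if answer is None:
        return False, "no answer"
    ip = ipaddress.ip_address(answer)
    for net in STOP_RANGES:
        if ip in net:
            return False, f"{answer} is in stop range {net}"
    return True, f"{answer} looks like a live C2"


def sinkhole(resolver, name, ip="20.140.0.1"):
    """Defender's move: return a resolver map with the name repointed into a stop range."""
    patched = dict(resolver)
    patched[name] = ip
    return patched


if __name__ == "__main__":
    for host in FAKE_DNS:
        print(host, should_proceed(host))
    print("c2 after sinkhole:", should_proceed("c2.example.test", sinkhole(FAKE_DNS, "c2.example.test")))
```

The alert's caveat applies here too: the gate only runs before the first beacon, so a host where the operator already moved to a second-stage C2 never consults this domain again and is unaffected by the sinkhole.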
Confirmed:
Solarwinds
FireEye
Microsoft
VMware
Cisco
Jungle drums suggest:
Fortinet
Palo Alto
Check Point
Of course some trumpanzee (probably on Parler) said Dominion used SolarWinds (they don't).