M&S hackers believed to have gained access through third party

From bbc.com

The hackers behind a cyber-attack on Marks & Spencer (M&S) managed to gain entry through a third party who had access to its systems, the BBC understands.

The cyber-attack, which happened in April, has caused millions of pounds of lost sales for M&S and left it struggling to get services back to normal, with online orders paused for more than three weeks.

Read more…

Be careful what you pwish for – Phishing in PWA applications

From welivesecurity.com

ESET analysts dissect a novel phishing method tailored to Android and iOS users.

[They] discovered a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising.

The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the phone's numerical keypad. After pressing the correct button, a phishing URL is sent via SMS. This was reported in a tweet by Michal Bláha.

Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link.

Read more…

Sitting Ducks DNS attacks let hackers hijack over 35,000 domains

From bleepingcomputer.com

Threat actors have hijacked more than 35,000 registered domains in so-called Sitting Ducks attacks that allow claiming a domain without having access to the owner’s account at the DNS provider or registrar.

In a Sitting Ducks attack, cybercriminals exploit configuration shortcomings at the registrar level and insufficient ownership verification at DNS providers.

Researchers at DNS-focused security vendor Infoblox and at firmware and hardware protection company Eclypsium discovered that there are more than a million domains that can be hijacked every day via the Sitting Ducks attacks.

Read more…
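The lame-delegation precondition of a Sitting Ducks hijack can be checked from the outside. The script below is an added example, not tooling from Infoblox, Eclypsium or the article: given a zone and the nameservers the parent delegates it to (for instance the output of `dig +norecurse NS example.com` against the parent's servers), it asks each delegated server directly for the zone's SOA with recursion disabled and classifies a REFUSED/SERVFAIL reply, or an answer without the authoritative-answer flag, as lame. The query builder and header parser use only the standard library. Whether the provider would then let a stranger claim the unserved zone is a policy property of that provider that no DNS query can reveal, so the script reports only the technical precondition; the `probe` parameter exists so the classification can be exercised on canned replies.

```python
import socket
import struct

# Added example, not code from the Infoblox/Eclypsium research or the article.
# A Sitting Ducks hijack needs a "lame" delegation: the parent zone delegates
# the domain to a DNS provider's nameservers, but those servers do not serve
# the zone (they answer REFUSED/SERVFAIL, or answer without the AA flag).

QTYPE_SOA = 6
QCLASS_IN = 1
TXID = 0x5D5D  # fixed transaction id; acceptable for a one-shot diagnostic
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_soa_query(zone: str, txid: int = TXID) -> bytes:
    """Wire-format query for <zone> IN SOA with RD=0, so the server must
    answer from its own data rather than recurse on our behalf."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_SOA, QCLASS_IN)


def parse_header(resp: bytes):
    """Return (txid, aa, rcode, ancount) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qdcount, ancount = struct.unpack(">HHHH", resp[:8])
    aa = bool(flags & 0x0400)   # Authoritative Answer bit
    rcode = flags & 0x000F
    return txid, aa, rcode, ancount


def probe_soa(server: str, zone: str, timeout: float = 3.0) -> dict:
    """Send the SOA query over UDP to <server> and summarise the reply."""
    ip = socket.gethostbyname(server)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone), (ip, 53))
        data, _ = sock.recvfrom(4096)
    txid, aa, rcode, ancount = parse_header(data)
    if txid != TXID:
        raise ValueError("transaction id mismatch")
    return {"aa": aa, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": ancount}


def classify(reply: dict) -> str:
    """LAME if the server refuses/fails the zone or answers without AA."""
    if reply["rcode"] in ("REFUSED", "SERVFAIL", "NOTIMP"):
        return "LAME"
    if reply["rcode"] == "NOERROR" and reply["aa"] and reply["answers"] > 0:
        return "AUTHORITATIVE"
    return "LAME"   # NXDOMAIN for the apex, or a non-authoritative answer


def assess_delegation(zone: str, delegated_ns, probe=probe_soa) -> dict:
    """Probe every delegated nameserver. A zone that none of them serves
    shows the lame-delegation precondition of a Sitting Ducks hijack."""
    per_ns = {}
    for ns in delegated_ns:
        try:
            per_ns[ns] = classify(probe(ns, zone))
        except (OSError, ValueError) as exc:
            per_ns[ns] = f"UNREACHABLE ({exc})"
    authoritative = [ns for ns, st in per_ns.items() if st == "AUTHORITATIVE"]
    return {
        "zone": zone,
        "per_ns": per_ns,
        "fully_lame": not authoritative,
        "partially_lame": bool(authoritative) and len(authoritative) < len(per_ns),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: sitting_ducks_check.py ZONE NS1 [NS2 ...]")
    zone, *servers = sys.argv[1:]
    result = assess_delegation(zone, servers)
    for ns, status in result["per_ns"].items():
        print(f"{ns:40s} {status}")
    print("fully lame:", result["fully_lame"],
          " partially lame:", result["partially_lame"])
```

A zone where every delegated server is lame is the case to escalate: either fix the NS records at the registrar or re-create the zone at the provider before someone else does. A partially lame delegation is also worth a look, since resolvers will sooner or later pick the lame server.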

LockBit’s Federal Reserve breach

Late yesterday, LockBit listed the Federal Reserve Board as a victim on its leak site, claiming to have exfiltrated 33TB of data. No sample data had been provided at the time of posting. Ransom deadline: June 25th, 2024.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

From darkreading.com

Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it’s more economical and effective to simply use Microsoft’s own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers’ malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.

Read more…
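One way a SOC can hunt for the pattern described above, as an added example that is not from the Dark Reading piece, from any vendor report it cites, or from a Microsoft product: run web-proxy logs through a small beacon detector keyed on Graph API traffic. Two signals are combined: a client that is not a Microsoft product expected to talk to Graph, and requests to one Graph path recurring at a near-constant interval, which is how an implant polling a OneDrive or Outlook drop looks. The log layout, the user-agent allowlist and every sample line are constructed for this example; a real deployment maps its own proxy fields into the regex and tunes the thresholds.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Added example: hunting Graph-API-based C2 in proxy logs. Not from the
# article or any product. Log format and allowlist are assumptions.

LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S+) ua="(?P<ua>[^"]*)"'
)
GRAPH_HOSTS = {"graph.microsoft.com", "graph.microsoft.us"}
# Illustrative allowlist of clients that legitimately call Graph; tune per estate.
KNOWN_UA_PREFIXES = ("Microsoft Office", "OneDrive", "Outlook", "Teams", "Mozilla/")

SAMPLE_LOG = [
    # constructed: an implant polling a OneDrive file through Graph every 60 s
    *[f"2024-05-02T09:{m:02d}:00Z src=10.1.2.3 host=graph.microsoft.com "
      f"path=/v1.0/me/drive/root:/tasks.txt:/content ua=\"python-requests/2.31.0\""
      for m in range(6)],
    # constructed: Outlook syncing mail at human, irregular intervals
    *[f"2024-05-02T{t} src=10.1.2.9 host=graph.microsoft.com path=/v1.0/me/messages "
      f"ua=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)\""
      for t in ("09:00:12Z", "09:07:44Z", "09:08:01Z", "09:30:55Z", "09:31:10Z")],
    # constructed: a browser touching Graph twice, a token request to another host,
    # and a line the parser must skip
    "2024-05-02T09:02:30Z src=10.1.2.9 host=graph.microsoft.com path=/v1.0/me ua=\"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0\"",
    "2024-05-02T09:15:02Z src=10.1.2.9 host=graph.microsoft.com path=/v1.0/me ua=\"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0\"",
    "2024-05-02T09:00:05Z src=10.1.2.3 host=login.microsoftonline.com path=/common/oauth2/v2.0/token ua=\"python-requests/2.31.0\"",
    "this line is not in the expected format",
]


def parse_line(line: str):
    """Parse one constructed-format proxy line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def regularity(timestamps):
    """(coefficient of variation, mean gap in seconds) of inter-request gaps,
    or None with too few samples. A cv near 0 is clockwork beaconing."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean, mean


def hunt_graph_beacons(lines, min_requests=5, max_cv=0.15):
    """Group Graph requests by (source, user-agent, path) and flag suspicious groups."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in GRAPH_HOSTS:
            by_key[(rec["src"], rec["ua"], rec["path"])].append(rec["ts"])
    findings = []
    for (src, ua, path), stamps in by_key.items():
        reasons = []
        if not ua.startswith(KNOWN_UA_PREFIXES):
            reasons.append("unexpected user-agent")
        reg = regularity(stamps)
        if len(stamps) >= min_requests and reg and reg[0] <= max_cv:
            reasons.append(f"periodic every ~{reg[1]:.0f}s (cv={reg[0]:.2f})")
        if reasons:
            findings.append({"src": src, "ua": ua, "path": path,
                             "count": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_graph_beacons(SAMPLE_LOG):
        print(f"{f['src']} {f['count']}x {f['path']} [{f['ua']}]: {'; '.join(f['reasons'])}")
```

An implant that adds jitter to its sleep raises the coefficient of variation, so the periodicity check alone will miss it; that is why the user-agent test and the raw request count to a single Graph path are reported alongside it. Cloud-hosted C2 also means the destination is a legitimate host you cannot block outright, so the useful response is usually to find the process on the source host rather than to filter the domain.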

Apple’s iPadOS will have to comply with EU’s Digital Markets Act too

From techcrunch.com

The European Union will apply its flagship market fairness and contestability rules to Apple’s iPadOS, the Commission announced today — expanding the number of Apple-owned platforms regulated under the Digital Markets Act (DMA) to four and amping up regulatory risk for the tech giant by bringing its tablet ecosystem in scope.

Apple has six months to ensure iPadOS is compliant with the DMA.

The development could force significant changes on how it operates the tablet platform in the EU as Apple will have to ensure it’s complying with a sweep of DMA mandates, such as a ban on so-called “gatekeepers” being able to self-preference their own services and requirements to allow third party app stores, the sideloading of apps and support for third party payment options.

Apple will also need to open up access to non-WebKit versions of Safari to iPadOS in the next six months, as it has already done on iOS in another DMA compliance step, while business users reaching customers via the tablet platform will have a legal right to FRAND (fair, reasonable and non-discriminatory) terms.

Read more…

Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies

From securityweek.com

Okta over the weekend warned of a spike in credential stuffing attacks that use various anonymizing services, such as The Onion Router (Tor) network.

In credential stuffing attacks, usernames and passwords obtained from previous data breaches at third parties, phishing, and other types of attacks are used to compromise valid accounts at the targeted organizations.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools,” Okta says.

Read more…
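Credential stuffing leaves a distinctive shape in an identity provider's sign-in log: one source address trying many different usernames with a high failure rate, and the occasional success that marks a compromised account. The detector below is an added example, not Okta's own detection logic; it runs over constructed events written in a minimal subset of the Okta System Log shape (`eventType`, `outcome`, `actor`, `client`, `securityContext`), using field names as the author understands that API. Because a run through residential proxies spreads attempts over many addresses, the per-IP threshold is kept low and anonymizer hints (the log's own proxy flag, or membership in a threat-intel list of Tor exits and proxy nodes, here a constructed one-entry set) raise the confidence rather than gate the finding.

```python
import json
from collections import defaultdict

# Added example, not Okta's detection logic. Event layout below is a
# constructed subset of the Okta System Log shape; field names are assumed.

ANONYMIZER_EXITS = {"203.0.113.7"}   # constructed stand-in for a Tor-exit / proxy feed


def _ev(ip, user, result, proxy=False, event_type="user.session.start"):
    """Build one constructed sign-in event as a JSON line."""
    return json.dumps({
        "eventType": event_type,
        "outcome": {"result": result,
                    "reason": None if result == "SUCCESS" else "INVALID_CREDENTIALS"},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "securityContext": {"isProxy": proxy},
    })


SAMPLE_EVENTS = [
    # Tor exit cycling through a leaked credential list: five misses, one hit
    *[_ev("203.0.113.7", u, "FAILURE", proxy=True) for u in
      ("ann@example.com", "bob@example.com", "cat@example.com",
       "dan@example.com", "fay@example.com")],
    _ev("203.0.113.7", "eve@example.com", "SUCCESS", proxy=True),
    # residential proxy node (no proxy flag, not on the feed) trying four users
    *[_ev("192.0.2.44", u, "FAILURE") for u in
      ("gus@example.com", "hal@example.com", "ivy@example.com", "jon@example.com")],
    # legitimate user mistyping her own password three times, then succeeding
    *[_ev("198.51.100.20", "alice@example.com", "FAILURE") for _ in range(3)],
    _ev("198.51.100.20", "alice@example.com", "SUCCESS"),
    # unrelated event type and a corrupt line; both are ignored by the parser
    _ev("198.51.100.21", "kim@example.com", "SUCCESS", event_type="user.authentication.sso"),
    "{not json",
]


def parse_events(lines):
    """Yield normalised sign-in attempts, skipping malformed or unrelated events."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventType") != "user.session.start":
            continue
        yield {
            "ip": ev.get("client", {}).get("ipAddress"),
            "user": ev.get("actor", {}).get("alternateId"),
            "success": ev.get("outcome", {}).get("result") == "SUCCESS",
            "proxy": bool(ev.get("securityContext", {}).get("isProxy")),
        }


def detect_credential_stuffing(lines, min_distinct_users=4, min_failure_ratio=0.8):
    """Flag source IPs that try many distinct usernames and mostly fail."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0,
                                  "proxy": False, "logged_in": set()})
    for e in parse_events(lines):
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["proxy"] = s["proxy"] or e["proxy"]
        if e["success"]:
            s["ok"] += 1
            s["logged_in"].add(e["user"])
        else:
            s["fail"] += 1

    findings = []
    for ip, s in per_ip.items():
        total = s["fail"] + s["ok"]
        ratio = s["fail"] / total
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            anonymizer = s["proxy"] or ip in ANONYMIZER_EXITS
            findings.append({
                "ip": ip,
                "distinct_users": len(s["users"]),
                "failures": s["fail"],
                "anonymizer": anonymizer,
                "confidence": "high" if anonymizer else "medium",
                "compromised_users": sorted(s["logged_in"]),  # successes: reset these
            })
    # anonymizer-backed findings first, then by address
    return sorted(findings, key=lambda f: (not f["anonymizer"], f["ip"]))


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_EVENTS):
        print(f"{f['ip']:15s} {f['confidence']:6s} users={f['distinct_users']} "
              f"fail={f['failures']} compromised={f['compromised_users']}")
```

The `compromised_users` list is the actionable output: any account that succeeded from a flagged source needs a password reset and session revocation, whatever the per-IP confidence. Alice's three failures from her own address never trip the detector because the distinct-user count stays at one, which is the property that separates stuffing from an ordinary lockout.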