• AWS Security Incident Response aims to tackle the challenge of addressing various security incidents
• Looks to lessen strain on cybersecurity teams
• Available to AWS customers across the world now

Amazon Web Services (AWS) has launched a new service to help businesses address the issues of cybersecurity and cyberattacks.

AWS Security Incident Response is designed to help businesses prepare for, respond to, and recover from different security incidents such as account takeovers, data breaches, and ransomware attacks.

AWS argues addressing various security events has gotten too cumbersome. Between a flood over daily alerts, time-consuming manual reviews, errors in coordination, and problems with permissions, many businesses struggle to contain their security challenges.

Cutting down on time spent

“There is an opportunity to better support customers and remove various points of undifferentiated heavy lifting that customers face during security events,” the blog reads.

Therefore AWS introduced a tool that, first and foremost, automatically triages security findings from GuardDuty and supported third-party tools through Security Hub to identify high-priority incidents requiring immediate attention. Through automation, and customer-specific information, the tool can filter and suppress security findings based on expected behavior.

Furthermore, it aims to simplify incident response by offering preconfigured notification rules and permission settings. Users get a centralized console with different features such as messaging, secure data transfer, and more. Finally, AWS Security Incident Response offers automated case history tracking and reporting, which allows IT teams to focus on remediation and recovery.

AWS Security Incident Response is now available via the AWS management console and service-specific APIs in 12 AWS Regions globally: US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Seoul, Singapore, Sydney, Tokyo), Canada (Central), and Europe (Frankfurt, Ireland, London, Stockholm).

Incident response is critically important for businesses, especially in an era of increasing cybersecurity threats and reliance on digital infrastructure. It minimizes downtime and financial loss, protects the business’ reputation, ensures regulatory compliance, and keeps customer trust.

Via TechCrunch

You might also like

• Consolidating your incident response plan against cyber attacks
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

• Security researchers from Trustwave discover new phishing kit capable of stealing Microsoft 365 accounts
• Rockstar 2FA can relay MFA codes and obtain session cookies
• The service is being offered on the dark web for just $200

There is a worrying new phishing kit that enables cybercriminals to go after people’s Microsoft 365 accounts, even those protected by multi-factor authentication (MFA). It is called “Rockstar 2FA”, and it goes for $200 on the dark web.

Cybersecurity researchers from Trustwave recently discovered, and analyzed the new kit, noting how since August 2024, it has been aggressively promoted on Telegram and among other cybercriminal communities.

The kit’s developers claim it supports Microsoft 365, Hotmail, GoDaddy, SSO, and offers randomized source code and links to evade detection. Furthermore, it uses Cloudflare Turnstile Captcha to screen the victims and make sure it’s not sandboxed or analyzed by bots.

Bypassing MFA and stealing cookies

Phishing, as a method of attack, hasn’t changed much over the years. Crooks send out emails with fake documents, or fabricate urgent warnings the users need to address immediately, or face the consequences. As a result of hasty actions, the victims end up infecting their devices with malware, losing sensitive data, granting valuable access to cybercriminals, and more.

To counter this method, most businesses these days deploy multi-factor authentication , a second layer of authentication that prevents unauthorized access, even when the crooks steal the login credentials. Criminals, on the other hand, responded by creating adversary-in-the-middle (AiTM) methodology, something Rockstar 2FA integrated, as well.

By using the phishing kit, the attackers can create fake Microsoft 365 login pages. When the victim enters their credentials there, they are automatically relayed to the legitimate login page, which then returns the request for MFA. The phishing page returns that request back to the victim, ultimately leading to the account being compromised.

Finally, Rockstar 2FA will grab the authentication cookie being sent from the service to the user, allowing the attackers to remain logged in.

Since May 2024, which seems to be the kit’s date of origin, it set up more than 5,000 phishing domains, the researchers concluded.

Via BleepingComputer

You might also like

• This dangerous new phishing kit is hitting victims across Europe
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

• Interpol announces Operation HAECHI V, which lasted five months
• The operation resulted in the arrest of dozens of people, and seizure of millions of dollars
• 40 countries and regions around the world participated

Over the past five months, Interpol and its national partners have arrested more than 5,500 individuals and seized over $400 million stolen through various cybercrime campaigns and fraud schemes. The international law enforcement agency confirmed the news in a press release published late last week.

As per the announcement, the police have been engaged in Operation HAECHI V since July last year. This operation targeted seven types of cyber-fraud: voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise, and e-commerce fraud.

Interpol did not list any names, but it did say that it helped Korean and Beijing authorities dismantle a voice phishing organization that cost more than 1,900 people around $1.1 billion. The operation resulted in the arrest of at least 27 group members, and the indictment of 19 of them.

Stopping payments

It also said it dismantled a crypto scam, in which victims were first coaxed into buying a “stablecoin” called Tether (USDT) from a legitimate service provider. A stablecoin’s value is tied to that of a fiat currency, such as the US dollar, and its value is always the same as its fiat counterpart. Then, the victims were enticed into “investing” that stablecoin, which is where the crooks would steal the funds.

Finally, it used its Global Rapid Intervention of Payments (I-GRIP) stop-payment mechanism to save a business from wiring $42.3 million to the fraudsters. The victim had already transferred the money, but Interpol managed to intercept the majority of the funds, and recover the rest later during investigation.

“The effects of cyber-enabled crime can be devastating - people losing their life savings, businesses crippled, and trust in digital and financial systems undermined,” commented Interpol Secretary General Valdecy Urquiza.

“The borderless nature of cybercrime means international police cooperation is essential, and the success of this operation supported by INTERPOL shows what results can be achieved when countries work together. It’s only through united efforts that we can make the real and digital worlds safer.”

Law enforcement firms in roughly 40 countries and regions participated in HAECHI V.

You might also like

• Consolidating your incident response plan against cyber attacks
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

• Researchers found 15 predatory loan apps on the Play Store
• These apps promise cheap and quick loans, and then extort money and harass their victims
• The apps have since been removed

Another 15 Android applications from the SpyLoan malware family were discovered, and subsequently removed, from the Google Play Store. Unfortunately, by the time they were identified and ousted, they amassed millions of installations around the world.

SpyLoan apps are also called “predatory loan apps.” They trick the victims into losing money in a somewhat different fashion. Once installed, they will still ask permission to gain access to things like contacts lists, SMS, camera, call logs, and the device’s location.

However, the apps are advertised as personal finance software, promising users quick and flexible loans with low rates and minimal requirements.

Targeting South America and Asia

These rates and requirements are fraudulent, and if the user accepts the service, they will end up paying high-interest rates. If they appeal, they will be harassed, blackmailed, and will even have their family members dragged into it, as well.

McAfee’s researchers found 15 apps, who cumulatively had eight million downloads between them. The top four had a million installations each. The full list of malicious apps can be found on McAfee’s blog here.

The apps primarily targeted people in South America, Southeast Asia, and Africa. The top four apps, with four million downloads between them, were designed for users in Mexico, Colombia, and Senegal. Once the user installs the app, it will send a one-time passcode which it uses to identify the victim’s location, and thus decide whether to proceed or not.

The scariest part about this campaign is that the apps were found on Google’s official repository, the Play Store. Google is usually quite stringent when it comes to mobile apps, and quick to remove any offenders. As such, it has built a reputation of a trusted repository. These SpyLoan apps are another proof that consumers should not blindly trust anyone, not even Google, and should always verify.

To make sure an app is legitimate, make sure to check its rating, the number of downloads, and the reviews. Also, make sure the reviews aren’t randomly generated by bots. Ultimately, read a few lowest-rated reviews, to see what other users were most dissatisfied with.

Via BleepingComputer

You might also like

• These malicious Android loan apps could leave millions of users seriously out of pocket
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

• An NHS children's hospital has been hit by a data breach
• The data breach is likely part of a ransomware attack on the hospital
• The hospital has confirmed it is not connected with last weeks attack on a Wirral Hospital

A children’s hospital in Liverpool is investigating claims of a ransomware attack after an alleged data breach was discovered on the dark web. The infamous group INC Ransom have taken credit for the breach.

Alder Hey Children’s Hospital is one of Europe’s busiest hospitals, treating over 450,000 patients per year, but luckily is not reporting any patient disruptions as a result of the potential breach.

The data leaked online reportedly consists of 11 screenshots which evidence a data breach of ‘large scale’. This includes donation records, procurement data, and patient’s medical records, including personally identifiable information such as names, addresses, and hospital numbers.

An isolated incident

Despite being the latest in a string of cyber attacks targeting NHS organizations, Alder Hey has confirmed that this incident is not related to the attack on Wirral University Teaching Hospital which occurred just a few days prior.

The staff at Alder Hey are working alongside the UK’s National Crime Agency (NCA) and other agencies to verify the data impacted by the breach, and the repercussions of the attack.

“We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact.” Alder Hey said in a statement.

The average demand has soared to over $1.5 million, with recovery often costing double that figure. Hospitals and healthcare organizations are an attractive target for ransomware attacks since they hold sensitive information and offer a critical service, the disruption of which can have serious consequences for patients and staff.

Via The Guardian

You might also like

• Take a look at our pick of the best antivirus software around
• One of the nastiest ransomware groups around may have a whole new way of doing things
• Check out our choices for best malware removal software

• Bologna issued a short statement, confirming suffering a cyberattack
• RansomHub assumes responsibility, says the club had virtually zero defenses
• The group claims to have stolen financial, medical, and other data

Bologna FC, an Italian football club playing in the country’s elite rank, Serie A, suffered a devastating ransomware attack in which crooks stole a lot of sensitive information.

The club confirmed the news in a short statement published, in Italian, on its website.

“Bologna Football Club 1909 Spa announces that its security systems have recently been the subject of a ransomware cyber attack, on a cloud server and in the internal perimeter,” says a machine translation of the announcement.

"Bologna doesn't have any data protection"

“This criminal action has led to the theft of company data that could be subject to publication. Anyone who comes into possession of such data is therefore warned against disseminating or sharing or making any other use of such data as it comes from a crime," the statement continued.

While the club didn’t share many details about the incident, the attackers were quite vocal. According to The Register, the club was struck by RansomHub, an infamous ransomware player that emerged following the disappearance of ALPHV (BlackCat). The threat actor boasted about the attack on its data leak website, and shared a few screenshots to prove their claims.

"Bologna FC was hacked due to lack of security on their network. All confidential data has been stolen," RansomHub allegedly said on its website. "Bologna FC does not have any data protection on its network which is why absolutely all their data was stolen."

According to The Register, crooks have taken passport scans, contracts, and personal data for the club’s first-team players since 2017. They took the club’s financials, medical data, commercial strategies, and business plans. Furthermore, they stole a document that looks like the contract for the club’s manager, Vincenzo Italiano. Finally, they grabbed his tax ID code, and bank account number.

While all these claims should be taken with a grain of salt, if they turn out to be true, whoever ends up buying the data can use it for business email compromise attacks, phishing, identity theft, and possibly even wire fraud.

You might also like

• Almost 500GB of data allegedly leaked in RansomHub attack on Kawasaki
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

• Russia issues warnings to Japan over its military posture with the US
• Pro Russian groups subject Japan to a spate of DDoS attacks
• Attacks target critical infrastructure and government bodies

Pro-Russian threat actors have launched a series of coordinated DDoS attacks against Japanese organizations following Japan’s recent moves to strengthen its military alliance with the United States.

Distributed Denial of Service (DDoS) attacks, which flood networks with traffic and disrupt operations, have become a go-to method for cybercriminals and hacktivist groups.

The attacks, which began in mid-October 2024, have targeted key sectors of Japan's economy and government, including logistics and manufacturing, as well as political entities.

Tensions between Japan and Russia escalate

The cyberattacks followed recent statements made by Russia’s Ministry of Foreign Affairs (MID), which expressed concern over Japan's growing militarization. Russia highlighted Japan's increased defense budget and its involvement in joint military exercises with the United States as causes for alarm.

Additionally, Japan's development of pre-emptive strike capabilities and participation in ballistic missile defense research have contributed to rising tensions between the two nations.

On October 11, 2024, three days before the attacks, Russia reiterated its concerns. In response, two pro-Russian hacktivist groups, NoName057 and the Russian Cyber Army Team, launched a coordinated DDoS campaign aimed at disrupting Japanese organizations and infrastructure.

The cyberattack primarily focused on Japan's logistics and manufacturing sectors, with a particular emphasis on harbours and shipbuilding. This focus on infrastructure is consistent with previous campaigns carried out by NoName057, a group known for targeting critical sectors in geopolitical conflict zones.

In addition to industrial targets, the hacktivists also attacked Japanese governmental and political organizations. Notably, the political party of Japan’s newly elected prime minister was one of the high-profile targets, potentially as an attempt by the attackers to draw attention to their actions.

According to NETSCOUT, the attacks employed multiple direct-path DDoS attack vectors, with many originating from well-known nuisance networks, cloud hosting provider infrastructure, and virtual private networks (VPNs). The attackers also utilized the DDoSia botnet to amplify their attacks, thereby employing different configurations to maximize the impact.

While these attacks were disruptive, NETSCOUT notes that they have not significantly altered the overall threat landscape in Japan.

You might also like

• Take a look at the best firewalls
• These are the best business VPNs
• Social platform for US and UK military may have exposed over a million records

• CyCognito report shows the risks posed by supply chain vulnerabilities
• Third-party products are putting businesses at risk with undetected vulnerabilities
• Web servers, cryptographic protocols, and web interfaces suffer the most

Critical vulnerabilities often go unnoticed in many digital systems, exposing businesses to significant security risks, new research has claimed.

With organizations increasingly reliant on third-party software and complex supply chains, cyber threats are no longer confined to internal assets alone, as many of the most dangerous vulnerabilities come from external sources.

The 2024 State of External Exposure Management Report from CyCognito provides an analysis of the risks organizations face today, particularly around web servers, cryptographic protocols, and PII-handling web interfaces.

Supply chain risk remains a growing concern

Third-party vendors play a crucial role in the operations of many companies, providing essential hardware and software. However, their involvement may introduce significant risks, particularly concerning misconfigurations and vulnerabilities in the entire supply chain.

Many of the most severe vulnerabilities like MOVEit Transfer flaw, Apache Log4J, and Polyfill were revealed to have links to third-party software.

Web servers are consistently among the most vulnerable assets in an organization’s IT infrastructure. CyCognito’s findings reveal web server environments account for one in three (34%) of all severe issues across surveyed assets. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server are at the center of these concerns, hosting more severe issues than 54 other environments combined.

Beyond web servers, vulnerabilities in cryptographic protocols like TLS (Transport Layer Security) and HTTPS are also driving concern. The report indicates that 15% of all severe issues on the attack surface affect platforms using TLS or HTTPS protocols. Web applications that lack proper encryption are especially at risk, ranking #2 on the OWASP Top 10 list of security risks.

CyCognito's report also hightlighted the insufficiency of Web Application Firewall (WAF) protections, especially for web interfaces handling personally identifiable information (PII).

The report shows only half of surveyed web interfaces that process PII were protected by a WAF, leaving sensitive information vulnerable to attacks. Even more concerning is the fact that 60% of the interfaces that expose PII also lack WAF protection.

Unfortunately, outdated approaches to vulnerability management often leaves assets exposed, amplifying the risks. Organizations must adopt a more proactive and comprehensive approach to managing external exposures.

You might also like

• These are the best antivirus solutions around today
• Take a look at the best endpoint protection
• It's official — FBI, CISA, and NSA reveal the most exploited vulnerabilities

• Push-to-talk app Zello warns users to change their passwords immediately
• It also told them to change the passwords for any other online service where they use the same one
• The company did not explain what happened

Push-to-talk communications app Zello has warned users to change their passwords - and although it did not state why it was asking them to do so, the wording of the message suggests that the company suffered a data breach.

“Zello Security Notice - As a precaution, we are asking that you reset your Zello app password for any account created before November 2nd, 2024,” the warning reads, reported BleepingComputer.

This would suggest that login information for all accounts created before this date were exposed with unauthorized third parties. This doesn’t necessarily have to mean that the company was hacked.

Trust, but verify

Furthermore, information about such databases could have been shared with third-party partners, or other unauthorized entities, by mistake.

In any case, Zello is urging users to lock down their accounts: “We also recommend that you change passwords for any other online service where you may have used the same password.”

When storing passwords and other sensitive data, most organizations would encrypt them in a way that makes it almost impossible to read. Given the stark warning in this announcement, we could speculate that the Zello passwords were stored in plaintext, or in other easily readable format.

Zello is a push-to-talk communication app that functions like a walkie-talkie, enabling real-time voice messaging over Wi-Fi or mobile data. It is widely used for team collaboration, emergency response, and social interactions, offering private and public channels with low latency and high audio quality. Notably, it suffered a cyberattack in 2020, when it also asked all users to reset their passwords - raising fears this could have happened again.

The app is available for Android, iOS, and desktop devices, and reportedly has roughly around 140 million users.

Companies often keep large databases with sensitive data exposed on the internet, inadvertently. However, white hat hackers and security researchers often beat criminals to the punch with these discoveries, alerting the firms before significant harm can be done.

You might also like

• Hundreds of malware-laden fake npm packages posted online to try and trick developers
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now