CyberSecurity news
FlagThis - #credentials
|
@www.trustwave.com
//
Trustwave researchers have uncovered a large-scale phishing campaign where the Dadsec hacker group is exploiting the Tycoon2FA infrastructure to steal Office365 credentials. The Dadsec group, also known as Storm-1575, operates a Phishing-as-a-Service (PhaaS) platform and has been leveraging Tycoon2FA to target Microsoft 365 users since at least September 2023. This campaign demonstrates an evolution in phishing tactics, blending advanced evasion techniques with shared infrastructure, indicating a coordinated PhaaS ecosystem.
Recent investigations reveal a technical and operational overlap between Dadsec and Tycoon2FA, suggesting a convergence of methods. These campaigns typically lure victims with fake shared documents or urgent notifications that redirect them to carefully crafted phishing sites mimicking Microsoft's Office365 login page. The attacks employ advanced adversary-in-the-middle (AiTM) techniques, enabling attackers to intercept authentication flows, capture credentials, and bypass multi-factor authentication (MFA) protections by stealing session cookies. Detailed analysis reveals that domains used in both Dadsec and Tycoon2FA campaigns consistently employ infrastructure traceable to shared Autonomous System Numbers, notably AS19871. These domains, often featuring randomized alphanumeric strings and common top-level domains such as .RU, host custom PHP scripts like "res444.php," "cllascio.php," and ".000.php" integral to payload delivery. The Tycoon2FA kit is believed to be a direct evolution or clone of Dadsec, demonstrating a high degree of technical sophistication, using layered obfuscation and Cloudflare Turnstile integration.
Share:
References :
Classification:
Waqas@hackread.com
//
A massive database containing over 184 million unique login credentials has been discovered online by cybersecurity researcher Jeremiah Fowler. The unprotected database, which amounted to approximately 47.42 gigabytes of data, was found on a misconfigured cloud server and lacked both password protection and encryption. Fowler, from Security Discovery, identified the exposed Elastic database in early May and promptly notified the hosting provider, leading to the database being removed from public access.
The exposed credentials included usernames and passwords for a vast array of online services, including major tech platforms like Apple, Microsoft, Facebook, Google, Instagram, Snapchat, Roblox, Spotify, WordPress, and Yahoo, as well as various email providers. More alarmingly, the data also contained access information for bank accounts, health platforms, and government portals from numerous countries, posing a significant risk to individuals and organizations. The authenticity of the data was confirmed by Fowler, who contacted several individuals whose email addresses were listed in the database, and they verified that the passwords were valid. The origin and purpose of the database remain unclear, with no identifying information about its owner or collector. The sheer scope and diversity of the login details suggest that the data may have been compiled by cybercriminals using infostealer malware. Jeremiah Fowler described the find as "one of the most dangerous discoveries" he has found in a very long time. The database's IP address pointed to two domain names, one of which was unregistered, further obscuring the identity of the data's owner and intended use.
Share:
References :
Classification:
@arstechnica.com
//
Microsoft is facing scrutiny over a design choice in its Remote Desktop Protocol (RDP) that allows users to log in with old, expired passwords. Security researcher Daniel Wade discovered that Windows RDP accepts previously used passwords, even after they have been changed or revoked. This means that if an attacker or unauthorized user once had access to a system and the password was cached, that old password remains valid for RDP login indefinitely, creating a potential "silent, remote backdoor." Microsoft has acknowledged this behavior, stating it's an intentional design decision to ensure at least one account can always log in, even if the system has been offline for an extended period.
Security experts are raising concerns about the security implications of this feature. David Shipley, head of Beauceron Security, suggests CISOs should reconsider using RDP, calling it a "really risky move." The vulnerability bypasses cloud verification, multifactor authentication (MFA), and Conditional Access policies, leaving systems vulnerable even if protective measures are in place. Analyst Will Dormann emphasizes that administrators expect revoked credentials to be unusable across the board, but this is not the case with RDP. The discovery comes as Microsoft is actively pushing for a passwordless future. The company has already started defaulting new accounts to passwordless methods using passkeys, aiming to improve security and reduce phishing risks. Existing users can also switch to passwordless options in their account settings. However, the RDP flaw presents a contradictory security risk, as it undermines the trust users place in password changes and creates an avenue for unauthorized access via outdated credentials. Microsoft has stated it currently has no plans to change this behavior in RDP.
Share:
References :
Classification: |