Threat Actor Claims Responsibility For IBM and Stanford University Hack

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

CloudSEK used its artificial intelligence (AI)-powered digital risk platform XVigil to identify a post on a cybercrime forum mentioning open source automation server platform Jenkins as one of the TTP (tactics, techniques, and procedures) used by a threat actor (TA) in attacks against IBM and Stanford University.

The module reportedly has hidden desktop takeover capabilities that would be used by the TA to get clicks on ads. 

The post on the English-speaking forum was spotted by CloudSEK on May 07 2022 and contained a sample screenshot as proof of their claimed access to a Jenkins dashboard.

From a technical standpoint, the TA encountered a Jenkins dashboard bypass that contained internal hosts and scripts, together with database credentials and logins.

The hacker would have used search engines like Shodan to target port 9443 of the compromised company’s public asset and then used a private script for fuzzing to get vulnerable instances to exploit rproxy misconfiguration bypass.

According to additional posts by the same user on the cybercrime forum, the actor said they previously also targeted IBM Tech Company, particularly internal administrators’ scripts and firewall configurations for internal networks.

Describing the attacks, CloudSEK said that TTP used by the threat actor could be utilized by others to conduct similar exploits.

“Modules like these can enable persistence and sophisticated ransomware attacks. Threat actors might move laterally, infecting the network, to maintain persistence and steal credentials,” the security experts wrote.

“Since password reuse is a common practice, actors could [also] leverage exposed credentials to access other accounts of the user.”

For context, the TA also claimed responsibility for hacking Jozef Safarik University in Slovakia and Stanford University.

Reports from XVigil suggested government access to the domains was discovered from multiple countries, including Ukraine, United Arab Emirates, Pakistan and Nepal.

Based on underground discussions, CloudSEK researchers said they expect this malicious campaign to ramp up bot infection attempts.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

The many faces of impersonation fraud: Spot an imposter before it’s too late
Fraudsters Exploit Telegram’s Popularity For Toncoin Scam
The ABCs of how online ads can impact children’s well-being
Akira Ransomware Group Rakes in $42m, 250 Organizations Impacted
Russian APT Deploys New ‘Kapeka’ Backdoor in Eastern European Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *