Check out the Security details for more info
Mimecast said on Tuesday that “a sophisticated threat actor” had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange.
The discovery was made after the breach was notified by Microsoft, the London-based company said in an alert posted on its website, adding it’s reached out to the impacted organizations to remediate the issue.
The company didn’t elaborate on what type of certificate was compromised, but Mimecast offers seven different digital certificates based on the geographical location that must be uploaded to M365 to create a server Connection in Mimecast.
“Approximately 10 percent of our customers use this connection,” the company said. “Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted.”
Mimecast is a cloud-based email management service for Microsoft Exchange and Microsoft Office 365, offers users email security and continuity platform to safeguard them from spam, malware, phishing, and targeted attacks.
A consequence of such a breach could result in a man-in-the-middle (MitM) attack, where an adversary could potentially take over the connection and intercept email traffic, and even steal sensitive information.
As a precaution to prevent future abuse, the company said it’s asked its customers to delete the existing connection within their M365 tenant with immediate effect and re-establish a new certificate-based connection using the new certificate that it has made available.
“Taking this action does not impact inbound or outbound mail flow or associated security scanning,” Mimecast stated in its advisory.
An investigation into the incident is ongoing, with the company noting that it will work closely with Microsoft and law enforcement as appropriate.
The development comes as Reuters, citing sources, said the hackers who compromised Mimecast were the same group that breached U.S. software maker SolarWinds and a host of sensitive U.S. government agencies.
“Our investigation is ongoing and we don’t have anything additional to share at this time,” a spokesperson for the company told The Hacker News.
Europol on Tuesday said it shut down DarkMarket, the world’s largest online marketplace for illicit goods, as part of an international operation involving Germany, Australia, Denmark, Moldova, Ukraine, the U.K.’s National Crime Agency (NCA), and the U.S. Federal Bureau of Investigation (FBI).
At the time of closure, DarkMarket is believed to have had 500,000 users and more than 2,400 vendors, with over 320,000 transactions resulting in the transfer of more than 4,650 bitcoin and 12,800 monero — a sum total of €140 million ($170 million).
The illegal internet market specialized in the sales of drugs, counterfeit money, stolen or forged credit card information, anonymous SIM cards, and off-the-shelf malware.
In addition, the months-long intelligence operation also resulted in the arrest of a 34-year-old Australian national near the German-Danish border over the weekend, who is alleged to be the mastermind behind DarkMarket.
According to The Guardian, DarkMarket came to light in the course of a major investigation against the web hosting service CyberBunker, which served as the web host for The Pirate Bay and WikiLeaks in the past.
The takedown of DarkMarket also saw law enforcement seizing the criminal infrastructure, including more than 20 servers in Moldova and Ukraine, that was used to conduct the operations.
“The stored data will give investigators new leads to further investigate moderators, sellers, and buyers,” Europol said.
DarkMarket may have been turned off, but underground marketplaces such as Joker’s Stash continue to be a hotbed for trading malicious software, with the pandemic contributing to a spike in goods or services for carrying out social engineering scams.
Previously, Dream Market, another top dark web marketplace, ended operations in April 2019, and a Europol-led police operation also shut down Wall Street Market and Silkkitie (also known as the Valhalla Marketplace) a month later in May 2019.
The Wall Street Market had 1.15 million users and 5,400 sellers of drugs, malware, and other criminal goods.
These changes have led cybercriminals to find alternative ways to build trust and sell their wares, including leveraging encrypted email services like Sonar and Elude, private channels on Discord to facilitate transactions, and a website called “DarkNet Trust” that aims to verify vendors’ reputations by searching through usernames.
“These marketplaces shift and evolve like legitimate spaces, adapting to buyer needs, supply issues, and new technology,” Trend Micro researchers said in a report published last year detailing the volatile nature of underground markets. “Available commodities and prices respond quickly to issues in the public sphere.”
Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage.
Designed to masquerade apps such as the Pakistan Citizen Portal, a Muslim prayer-clock app called Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance, the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file.
“The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages,” Sophos threat researchers Pankaj Kohli and Andrew Brandt said.
“The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.”
Interestingly, the fake website of the Pakistan Citizen Portal was also prominently displayed in the form of a static image on the Trading Corporation of Pakistan (TCP) website, potentially in an attempt to lure unsuspecting users into downloading the malware-laced app.
Visiting the TCP website (tcp.gov.pk) now shows the message “Down for Maintenance.”
Besides the aforementioned apps, Sophos researchers also discovered a separate app called Pakistan Chat that didn’t have a benign analogue distributed via the Google Play Store. But the app was found to leverage the API of a legitimate chat service called ChatGum.
Once installed, the app requests intrusive permissions, including the ability to access contacts, file system, location, microphone, and read SMS messages, which allow it to gather a wide swathe of data on a victim’s device.
All these apps have one singular purpose — to conduct covert surveillance and exfiltrate the data from a target device. In addition to sending the unique IMEI identifier, the DEX payload relays detailed profile information about the phone, location information, contact lists, the contents of text messages, call logs and the full directory listing of any internal or SD card storage on the device.
Troublingly, the malicious Pakistan Citizen Portal app also transmits sensitive information such as users’ computerized national identity card (CNIC) numbers, their passport details, and the username and password for Facebook and other accounts.
“The spying and covert surveillance capability of these modified Android apps highlight the dangers of spyware to smartphone users everywhere,” Pankaj Kohli said. “Cyber-adversaries target mobiles not just to get their hands on sensitive and personal information, but because they offer a real-time window into people’s lives, their physical location, movements, and even live conversations taking place within listening range of the infected phone.”
If anything, the development is yet another reason why users need to stick to trusted sources to download third-party apps, verify if an app is indeed built by a genuine developer, and carefully scrutinize app permissions before installation.
“In the current Android ecosystem, apps are cryptographically signed as a way to certify the code originates with a legitimate source, tying the app to its developer,” the researchers concluded. “However, Android doesn’t do a good job exposing to the end user when a signed app’s certificate isn’t legitimate or doesn’t validate. As such, users have no easy way of knowing if an app was indeed published by its genuine developer.”
“This allows threat actors to develop and publish fake versions of popular apps. The existence of a large number of app stores, and the freedom of users to install an app from practically anywhere makes it even harder to combat such threats.”