Security News

After accelerating its efforts to auto-enroll as many accounts as possible in two-factor authentication, Google announced that an additional 150 million users now have 2FA enabled. Google first announced that it strives to push all its users to start using 2FA in May 2021, as part of a broader move to secure as many accounts as possible from attacks that use compromised credentials or guess passwords to hijack accounts.

A new and powerful malware named 'Mars Stealer' has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020. Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data. Once downloaded, the app installs Vultur banking trojan, which steals financial and banking data on the compromised device - but can do much more.

Details of how the crooks pulled off the attack aren't given in the report, which says simply that "Transactions were being approved without the 2FA authentication control being inputted by the user." What the report doesn't explain, or even mention, is whether 2FA codes were entered by someone - albeit not by customers themselves - in order to authorise the fraudulent withdrawals, or whether the 2FA part of the authentication process was somehow bypassed entirely.

In spite of customers having reported losses over the weekend, Crypto.com's Thursday statement said that the heist happened on Monday at about 12:46 a.m. UTC. That's when the exchange's risk monitoring systems picked up on unauthorized transactions coming out of 483 accounts and being approved without users' 2FA authentication. The exchange fully restored the affected accounts, revoked all 2FA tokens and added additional security hardening measures, requiring all customers to re-login and set up their 2FA token.

Clearly, the stakes are high - gaining access to a Box account could give cyberattackers access to a vast array of sensitive documents and data for both individuals and organizations. When a user goes to log on with his or her credentials, Box generates the cookies and the user is asked to navigate to an SMS verification page, where the person is instructed to enter a one-time passcode sent to an enrolled mobile phone.

A new phishing campaign that targets CoinSpot cryptocurrency exchange users employs a new theme revolving around withdrawal confirmations with the end goal of stealing two-factor authentication codes. More specifically, the threat actors send emails from a Yahoo address, replicating real emails from CoinSpot that ask the recipients to confirm or cancel a withdrawal transaction.

VK is finally introducing two-factor authentication on all its services and plans to make it mandatory in February 2022 for administrators of large communities. Starting in February, all communities that count over 10,000 subscribers must be managed by a 2FA secured admin account to prevent large-scale phishing incidents.

VMware has warned users a flaw in its VMware Verify two-factor authentication product could allow a malicious actor with a first-factor authentication credential to obtain a second factor from its VMware Verify product. CVE-2021-22057 is the rascal behind this issue and is rated 6.6/10. VMware Verify is part of the wider VMware Workspace ONE Access product, now available in version 21.08.0.1 to fix this bug and a 5.5-rated Server Side Request Forgery that can allow a malicious actor with network access to make HTTP requests to arbitrary origins and read the full response.

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. "In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.