U.S. military and government website subdomains have a sticky problem: They’re “quite vulnerable” to blackhat SEO tactics that result in persistent redirects to spammy Viagra ads and porn videos. An example is one that showed up on a dot.mil subdomain on the Minnesota National Guard site (you can have your own fun searching on terms such as “buy generic and brand Viagra” on dot-gov and dot-mil sites: Plenty of these ads are still out there) that asks this question: How are erections measured while a man sleeps? Two small rings are placed around the penis, one at the tip and one at the base. Edwards told Motherboard’s Vice – which first reported his findings – that the reason a lot of government websites are hosting these spammy ads is that an array of government agencies are using the same software: one that, it turns out, has a now-patched vulnerability that allowed third parties to push files to these sites without the site owners’ permission. It’s called Laserfiche, and it’s made by a government software provider that produces content management systems and sells them to the Army, the Navy, the FBI and more, according to public procurement records such as this one for the City of Fort Worth (PDF). “This vulnerability created phishing lures on .gov and .mil domains that would push visitors into malicious redirects, and potentially target these victims with other exploits,” Edwards told Motherboard in an online chat. Blackhat SEO campaigns featuring redirects have been…

After more than 20 years of underwhelming results, security leaders have accepted their intrusion detection system (IDS) programs as no more than a compliance checkoff. It’s no secret that IDS’s reliance on bi-modal signatures is brittle, easily evaded and often referred to as an “alert cannon.” Time has not been kind to IDS and has created wide security gaps. With low IT budgets and the rise of the cybersecurity jobs crisis, organizations are in need of a centralized way to optimize workflow by integrating detection, investigation and response into a single tool. And that’s not to mention the lack of coverage traditional IDS solutions provide. According to the Verizon 2020 Data Breach and Incident Response (DBIR) report, out of 3,000 investigated breaches, 97.5 percent were caused by attacks that IDS wasn’t designed to detect. To combat the outdated nature of IDS, organizations should adopt next-generation IDS (NG-IDS) to fulfill the defense-in-depth promise unmet by legacy IDS. NG-IDS is effective against more types of attacks and fills glaring decryption and cloud compliance gaps while improving security.

IDS Erosion Over Time

IDS boomed in the ’90s as security frameworks like the SANS 20 Critical Security Controls and mandates like PCI DSS called out IDS by name. But even after a quarter of a century of IDS innovation and adoption across many enterprises, the same challenges persist. NIST 800-94, written in 2007, calls out the top challenges of that time, including…

The ringleader of a seven-year phone-unlocking and malware scheme will head to the clink for 12 years, according to the Department of Justice, after effectively compromising AT&T’s internal networks to install credential-thieving malware. The perp, one Muhammad Fahd of Pakistan and Grenada, was convicted of grooming AT&T employees at a Bothell, Wash. call center to take part in the scam. He and his now-deceased co-conspirator bribed employees to first use their AT&T credentials to sever phones from the AT&T network for customers who were still under contract — meaning those customers could take their newly independent phones to another service. And then later, Fahd asked his accomplices in the call center to install custom malware and “hacking tools that allowed him to unlock phones remotely from Pakistan,” according to court documents. In all, the 35-year-old Fahd effectively defrauded AT&T out of more than $200 million in lost subscription fees after divorcing nearly 2 million mobile phones from the carrier, the DoJ explained. “Unlocking a phone effectively removes it from AT&T’s network, thereby allowing the account holder to avoid having to pay AT&T for service or to make any payments for purchase of the phone,” it said.

Recruiting Insider Threats

It all started in the summer of 2012, when Fahd targeted an AT&T employee through Facebook using the alias “Frank Zhang.” He offered the employee “significant sums of money” in return for taking part in his scheme, and asked…

Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by Microsoft this week. Collaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as CVE-2021-40444. The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two released separate reports online this week to provide a look into who has been using the flaw–which can be used to hide a malicious ActiveX control in an Office document–in attacks, as well as their potential connections to known criminal groups. Specifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns–including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported. RiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking Wizard Spider crime syndicate, known to maintain and distribute Ryuk ransomware. “Based on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using…

A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel's conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services.

[Figure: The user interface for Downthem[.]org.]

Prosecutors for the Central District of California charged Gatrel, 32, and his business partner Juan "Severon" Martinez of Pasadena, Calif. with operating two DDoS-for-hire or "booter" services — downthem[.]org and ampnode[.]com. Despite admitting to FBI agents that he ran these booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Facing the prospect of a hefty sentence if found guilty at trial, Martinez pleaded guilty on Aug. 26 to one count of unauthorized impairment of a protected computer. Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. Investigators say Downthem helped some 2,000 customers launch debilitating digital assaults at more than 200,000 targets, including many government, banking,…

The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who’ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month. At issue is a critical authentication bypass vulnerability in the Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users’ Active Directory (AD) and cloud accounts. Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point of entry to areas deep inside an enterprise’s footprint, for users and attackers alike. Last Tuesday, Zoho issued a patch – Zoho ManageEngine ADSelfService Plus build 6114 – for the flaw, which is tracked as CVE-2021-40539 and which has a 9.8 severity rating. As the Cybersecurity and Infrastructure Security Agency (CISA) warned at the time, it was being actively exploited in the wild as a zero-day. According to today’s joint advisory from the three government…

A two-year-old espionage campaign against the airline industry is ongoing, with AsyncRAT and other commodity remote-access trojans (RATs) helping those efforts take flight. The campaign can effectively be a bird strike to the business engine, so to speak, resulting in data theft, financial fraud or follow-on attacks, researchers said, who have uncovered new details about the perpetrators. According to Tiago Pereira and Vitor Ventura at Cisco Talos, “Operation Layover” is likely the work of an unsophisticated threat actor based in Nigeria, which has been active on the cybercrime scene for at least six years in various campaigns against multiple sectors. “[The attacker] doesn’t seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware,” the researchers noted in a Thursday posting. “The actor also buys the crypters that allow the usage of such malware without being detected, [and] throughout the years it has used several different cryptors, mostly bought on online forums… This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.”

Driven by an Initial Access Broker Boom

The goal has been to pilfer credentials and cookies, which the attacker can offer to more technically savvy cybercriminals, researchers said. These big-game hunters use them for initial access in much larger attacks involving ransomware or business email compromise…

This is Part II of a two-part series on how cybercrooks embrace and use cryptocurrency. To read Part I, please click here. While Bitcoin transactions are anonymous, it’s possible to follow the money through public ledgers to see what those transactions actually are and how they flow. This allows us to glean more about the Colonial Pipeline attack that occurred this summer, and the process also led us to uncover a wallet-hijacking malware that was making the rounds earlier this year.

A Look at Crypto’s Role in the Colonial Pipeline Attack

Famously, Colonial Pipeline was compromised with a ransomware attack earlier this year. And ultimately, it paid $4.4 million in Bitcoin to recover its systems and data. As this was a very large-scale attack, the federal government stepped in. And in early June, millions of dollars that were paid to the hackers were recovered and returned to Colonial Pipeline. On its own, this is a massive achievement and a great stride in our fight for cybersecurity — but it also offers an interesting story to walk through the to-and-from process of cryptocurrency transactions. The FBI released a public but redacted affidavit surrounding the incident:

[Figure: redacted FBI affidavit. Source: FBI.]

As you can see, the cryptocurrency wallets in question were partially redacted — but as we know, these follow a recognizable pattern and can be uncovered in the public ledger. Security researchers were able to uncover the full wallet address and follow the breadcrumbs to see where the money went —…

REvil victims, your prayers have been answered: There’s a universal decryptor key waiting to free you. Bitdefender is releasing a free, universal decryptor key to unlock data of victimized organizations that were encrypted by REvil/Sodinokibi ransomware attacks before the gang’s servers went belly-up on July 13. The firm announced that it’s giving away the universal key on Thursday morning, mere days after REvil reared its slimy head again (though the underground considers it to probably be some mediocre, lower-tier REvil lackeys milking the name so as to pull an exit scam). This is the real deal, Bitdefender said, not the letdown of last month, when REvil victim Kaseya got its hands on a master key. At that time, it was first thought that the key could unlock all of the REvil attacks that occurred at the same time as the Kaseya one. Unfortunately, it soon became clear to researchers that the decryptor was only for the files locked in the Kaseya attack. Bitdefender, a Romania-based cybersecurity firm, didn’t share details on how it developed the key, beyond saying that it was created “in collaboration with a trusted law enforcement partner” and that it will help those entities that were attacked before parts of REvil’s infrastructure blinked off on July 13. “Please note this is an ongoing investigation and we can’t comment on details related to this case until authorized by the lead investigating law enforcement partner,” Bitdefender said in a press release. “Both parties…

Distributed denial-of-service (DDoS) attacks started out as an inconvenience: They were a roadblock that kept customers from getting at systems. That’s bad enough. Keeping availability away from customers via DDoS can have a painful impact on businesses as they find their doors blocked to customers, keeping them from making transactions. But over the years, DDoS attacks have evolved in their level of sophistication, their metrics and the techniques that threat actors employ. According to Peter Klimek, director of technology in the office of the CTO at Imperva, DDoS attacks have blossomed into what he calls a huge business for cybercriminals. “Looking at it from a business perspective, that’s really the big impact,” and that’s why businesses should start considering DDoSes as “a consistent and persistent threat.” “As a whole, there’s really a low barrier to entry in order to actually perform the [DDoS] attack itself,” he said. “And there’s a high capacity for damage or a high potential for it leading to damage.” Take the services known as booters, aka stressers: “They can be had and used for as little as the price of a cup of coffee,” Klimek observed, and “Even a small scale DDoS attack can cause disruption.” Because of the low technical acumen that’s required to launch lower-scale attacks, a poorly defended network can be taken down “for as little as a hundred dollars.” Klimek visited the Threatpost podcast recently to discuss the evolution of DDoSes and other trends that he and his team…