Secure email gateway (SEG) protections aren’t necessarily enough to stop phishing emails from delivering ransomware to employees, especially if the cybercrooks are using legitimate cloud services to host malicious pages. Researchers are raising the alarm over a phishing email kicking off a Halloween-themed MIRCOP ransomware offensive, which they observed making its way to a target’s inbox despite its being secured by an SEG.

Infection Routine

The original email purported to need support for a “DWG following Supplies List,” which is supposedly hyperlinked to a Google Drive URL. The URL is actually an infection link, which downloaded an .MHT file. “.MHT file extensions are commonly used by web browsers as a webpage archive,” Cofense researchers explained. “After opening the file the target is presented with a blurred out and apparently stamped form, but the threat actor is using the .MHT file to reach out to the malware payload.” That payload comes in the form of a downloaded .RAR file, which in turn contains an .EXE file. “The executable is a DotNETLoader that uses VBS scripts to drop and run the MIRCOP ransomware in memory,” according to the analysis. The campaign is not particularly sophisticated, but the use of Google Drive allowed it to get past SEGs. “Its opening lure is business-themed, making use of a service – such as Google Drive – that enterprises employ for delivering files,” the researchers explained. “The rapid deployment from the MHT payload to final encryption…

Even with the most sophisticated email scanning and phishing detection system available, phishing emails are still a very common intrusion vector for cybercriminals to use to introduce malware, including ransomware, to a business’ network. That’s because 1) increasingly, legitimate systems are used; and 2) phishing emails can also be effective even when employees are highly educated and are good at spotting and reporting them. Fortunately, there are tactics to protect your network even when the emails can’t be stopped outright.

Increasingly Effective Phishing

When legitimate email systems are compromised and begin sending out malicious emails from a valid source, the efficacy of phishing is magnified. This was what happened over the weekend when one of the FBI’s email systems was hacked to send out fake cybersecurity alerts to thousands of people. While the email that was sent out didn’t appear to contain any phishing links, it does show that such email compromises can introduce significant security challenges for IT professionals. Most people who received the email would be unlikely to question its legitimacy—even if they looked at the email headers—because the email came from where it said it came from (in the above case, from the FBI). This type of compromise is extremely dangerous; it renders email authentication mechanisms like DMARC, SPF and DKIM useless since the email originates from an authorized source; so that means that anti-spam and anti-phishing software is…

A threat actor has been exploiting a zero-day vulnerability in FatPipe’s virtual private network (VPN) devices as a way to breach companies and gain access to their internal networks, since at least May, the FBI has warned. “As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the bureau said in a flash alert (PDF) on Tuesday. The bug — patched this week — is found in the device software for FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing and reliability device for VPNs. The products are all types of servers that are installed at network perimeters and used to give employees remote access to internal apps via the internet, serving as part network gateways, part firewalls. According to the alert, the flaw allowed advanced persistent threat (APT) actors to exploit a file upload function in the device’s firmware to install a webshell with root access, which led to elevated privileges. Exploiting the vulnerability, which doesn’t yet have a CVE tracking number, gave the APT actors the ability to spread laterally into victims’ networks. FatPipe is tracking the vulnerability with its own tag, FPSA006, which contains both the patch and a security advisory that it put out on Tuesday. The vulnerability affects all FatPipe WARP, MPVPN and IPVPN device software prior to the latest version releases: 10.1.2r60p93 and…

A long-term spear-phishing campaign is targeting employees of major corporations with emails containing PDFs that link to short-lived Glitch apps hosting credential-harvesting SharePoint phishing pages, researchers have found. Researchers from DomainTools discovered the suspicious PDFs – which themselves do not include malicious content – back in July, wrote Senior Security Researcher Chad Anderson, in a report published Thursday. Instead, the malicious activity propagated by the PDFs is a link to Glitch apps hosting phishing pages that included obfuscated JavaScript for stealing credentials, he wrote. Glitch is a Web-based project-management tool with a built-in code editor for running and hosting software projects ranging from simple websites to large applications. The campaign appears to be targeting only employees working in the Middle East as “a single campaign” in a series of similar, SharePoint-themed phishing scams, Anderson wrote.

Abusing Glitch

To understand how the campaign works, one needs to understand how the free version of Glitch works, Anderson explained. The platform allows an app to operate for five minutes exposed to the internet with a Glitch-provided hostname using three random words, he wrote. “For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me where the malicious content was stored,” Anderson explained in the post. “Once the five minutes is up, the account behind the page has to click to serve their page…

Pankaj Gupta, Senior Director at Citrix

Distributed denial of service (DDoS) attacks have become increasingly sophisticated, bigger, and economically motivated. Even after 25 years, they still pose a huge security risk for every business. This is in large part because DDoS attacks are relatively easy and cheap to launch. A case in point: Bad actors launched the largest DDoS attack of all time in September 2021, demonstrating the continued viability of DDoS attacks for unscrupulous parties who have something to gain from them. DDoS attacks are at the forefront of the war on digital businesses, and no company or industry is safe. DDoS attacks aim to overload (or exhaust) a business’s digital resources and prevent them from performing normally. At worst, the massive influx of traffic will cause web servers to crash. DDoS attacks can also be a smokescreen for data breaches, attempting to draw IT’s attention to the DDoS attacks rather than the data breach. Ransom DDoS attacks — where bad actors demand payment to prevent or cease a DDoS attack — are also on the rise. So how can DDoS attacks be mitigated? The key is to block as much bad traffic as possible while keeping the application or service running optimally. And there are four key considerations each business must assess to select the right DDoS protection solution.

1. Comprehensive Protection Against DDoS Attacks

DDoS attacks come in many forms, but the primary types are connection-protocol attacks, volumetric attacks and…

The CEO of a South Carolina technology firm has pleaded guilty to 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 735,000 Internet Protocol (IP) addresses from the nonprofit organization that leases the digital real estate to entities in North America. In 2018, the American Registry for Internet Numbers (ARIN), which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean, notified Charleston, S.C.-based Micfo LLC that it intended to revoke 735,000 addresses. ARIN said they wanted the addresses back because the company and its owner — 38-year-old Amir Golestan — had obtained them under false pretenses. A global shortage of IPv4 addresses has massively driven up the price of these resources over the years: At the time of this dispute, a single IP address could fetch between $15 and $25 on the open market. Micfo responded by suing ARIN to try to stop the IP address seizure. Ultimately, ARIN and Micfo settled the dispute in arbitration, with Micfo returning most of the addresses that it hadn't already sold. But the legal tussle caught the attention of South Carolina U.S. Attorney Sherri Lydon, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he'd orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer. Each of those shell companies involved the production of notarized…

Fake red-on-black warnings have been plastered to hundreds of WordPress sites, warning that they’ve been encrypted. The warnings have at least one ransomware accoutrement that might look convincing at first blush: a countdown clock tick-tick-ticking away, warning site owners that they’ve got seven days, 10 hours, 21 minutes and 9 seconds to fork over 0.1 Bitcoin – about USD $6,000 at the time this story was posted – before the files are encrypted and go up in an irretrievable puff of e-smoke. That’s a good chunk of change to any small-time user of the open-source content management system (CMS): “Not a negligible sum of money for an average website owner, to say the least!” Sucuri security analyst Ben Martin wrote in a Tuesday post. It’s most particularly steep given that it’s all smoke and mirrors. Sucuri first noticed the fake vampire-movie-colored red-on-black warnings on Friday. It started out slow, and then it started to grow: Running a Google Search last week turned up only six results for the ransom demand – “FOR RESTORE SEND 0.1 BITCOIN”. That was up to 291 hits when the website security service provider reported its findings on Tuesday. The screechy, bleedy, full-caps message:

SITE ENCRYPTED
FOR RESTORE SEND 0.1 BITCOIN: [address redacted]
(create file on site /unlock.txt with transaction key inside)

[Figure: The alarming message in throat-clenching blood red. Source: Sucuri.]

Fortunately, before letting their precious Bitcoin fly out the window, at least one website…

The past year’s massive migration of movie and television audiences to streaming services has provided scammers with a sweet opportunity to launch phishing attempts to lure would-be subscribers into giving up their payment information. Where there’s payment data, cybercriminals are sure to follow, Kaspersky’s Leonid Grustniy pointed out in his latest report, warning about phishing campaigns disguised to look like Netflix, Amazon Prime and other streaming service offers. “Streaming services offer a variety of payment plans, but generally they all involve paying with a credit card,” Grustniy explained. “And where there are card details, there is phishing.”

Scam Subscriber Targeting

Kaspersky’s researchers observed various lures aimed at targets, depending on their current streaming subscription status. Fake sign-up pages for services like Netflix were used to pry email addresses and credit-card information from victims. “Armed with your info, they can withdraw or spend your money right away; your email address should come in handy for future attacks,” Grustniy wrote. Current Netflix subs were sent a phishing email requesting they update their billing information. “We’re having some trouble with your current billing information,” the email read. “We’ll try again, but in the meantime, you may want to update your payment details.” A link to “Update Your Account Now” followed, along with the signoff, “Your friends at Netflix.” The link leads to a malicious payment confirmation…

A state-backed Iranian threat actor has been using multiple CVEs – including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks – looking to gain a foothold within networks before moving laterally and launching BitLocker ransomware and other nastiness. A joint advisory published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom’s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT). The Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that’s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion. The APT has used the same Microsoft Exchange vulnerability in Australia.

CISA Warning Follows Microsoft Report on Six Iranian Threat Groups

CISA’s warning came on the heels of an analysis of the evolution of Iranian threat actors released by Microsoft’s Threat Intelligence Center (MSTIC) on Tuesday. MSTIC researchers called out three trends they’ve seen emerge since they started…

A recently discovered phishing scam tried to take over more than 125 high-profile user accounts on TikTok. Researchers said the campaign marks one of the first major attacks on “influencers” found on the TikTok social-media platform. Researchers at cloud email security provider Abnormal Security detected the scams that attempted to take over people’s accounts by sending emails impersonating TikTok and asking users to verify their log-in information. The campaign, tracked on Oct. 2 and Nov. 1, was sent to individuals worldwide. Each target had large-volume TikTok accounts “of all kinds and across disparate locales,” according to a Tuesday report authored by Abnormal Security. “Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types,” Rachelle Chouinard, a threat intelligence analyst at Abnormal Security, wrote in the report.

Impersonation Game

The emails tried to dupe users into sending their log-in information to the threat actors in one of two ways, each of which required further action from the target. In both cases attackers pretended to be contacting users from TikTok, which is owned by Chinese company ByteDance. One of the emails sent in the campaign informed the user that his or her account violated TikTok’s copyright and asked the user to reply to the email to verify the account, threatening to remove the account in…