• Explore
  • Blog
  • Podcast
  • EIS Archive
  • About
  • Services
  • Contact
Menu

Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration
  • Explore
  • Blog
  • Podcast
  • EIS Archive
  • About
  • Services
  • Contact

Image created with ChatGPT

Phishing Threat Intelligence From August 2024

September 9, 2024

These are news articles from August 2024. Feel free to take and share with your internal cybersecurity team. A mention of explores.com would be great!

Dismantling Smart App Control 

Elastic Security Labs recently uncovered multiple vulnerabilities in Windows Smart App Control (SAC) and SmartScreen. These weaknesses allow attackers to bypass security measures using techniques such as signed malware, reputation hijacking, and LNK stomping. These methods enable initial access without triggering security warnings, posing significant risks. Security teams should focus on detecting these evasive tactics and not rely solely on OS-native features. 

Key Insights: 

  • Signed Malware: Attackers use valid certificates to bypass SAC. 

  • Reputation Hijacking: Leveraging trusted apps to execute malicious code. 

  • LNK Stomping: Crafting LNK files to evade MotW checks. 

For more details, visit the Elastic Security Labs article. 

 

 

Securing Domain Names from Takeover 

Recent research highlights vulnerabilities in domain name management that leave over a million domains susceptible to hijacking. This issue arises from weak authentication practices at several web hosting providers and domain registrars. Cybercriminals exploit these weaknesses to take control of domains, using them for phishing, spam, and malware distribution. To mitigate risks, it is crucial to ensure proper DNS configuration and use DNS providers with strong verification processes. 

Key Insights: 

  • Vulnerability: Over a million domains at risk. 

  • Exploitation: Hijacked domains used for malicious activities. 

  • Recommendation: Strengthen DNS configuration and provider verification. 

For more details, visit the Krebs on Security article. 

 

 

Exploitation of Google Drawings and WhatsApp 

A newly identified phishing campaign exploits Google Drawings and WhatsApp's URL shortener to create convincing redirects to malicious sites. This method allows attackers to bypass security filters and deceive users into thinking they are visiting legitimate sites like Amazon. These tactics highlight the increasing sophistication of phishing threats, emphasizing the need for heightened vigilance and advanced security measures. 

Key Insights: 

  • Exploited Tools: Google Drawings and WhatsApp's URL shortener. 

  • Attack Strategy: Redirects users to malicious sites mimicking trusted brands. 

  • Recommendation: Implement advanced phishing detection and maintain user vigilance. 

For more details, visit the Menlo Security article. 

 

 

Concerns Over Cloudflare’s Anti-Abuse Posture 

Spamhaus has raised concerns about Cloudflare's anti-abuse policies, highlighting that cybercriminals are exploiting Cloudflare’s services to mask malicious activities. Despite numerous abuse reports, Cloudflare's current approach often shields the true location of harmful content, complicating efforts to combat cybercrime. This situation underscores the need for stronger abuse management practices to prevent cybercriminals from leveraging trusted services to conduct illegal activities. 

Key Insights: 

  • Exploitation: Cybercriminals are using Cloudflare to hide malicious activities. 

  • Response: Current anti-abuse measures are inadequate in addressing the issue. 

  • Recommendation: Enhanced abuse management and accountability are needed. 

For more details, visit the Spamhaus article. 

 

 

Royal Ransomware Rebrands as BlackSuit 

The ransomware group formerly known as Royal has rebranded as BlackSuit, increasing their ransom demands to over $500 million. This shift indicates a more aggressive approach, with the group targeting larger organizations across various sectors. BlackSuit continues to use sophisticated tactics, including double extortion, where they threaten to release stolen data if their demands are not met. Organizations should strengthen their defenses and ensure incident response plans are up-to-date. 

Key Insights: 

  • Rebranding: Royal ransomware is now BlackSuit. 

  • Increased Ransom: Demands exceed $500 million. 

  • Tactics: Double extortion remains a primary threat. 

  • Recommendation: Strengthen defenses and update incident response plans. 

For more details, visit the KnowBe4 article. 

 

 

New Phishing Scam Using Cross-Site Scripting 

A recent phishing scam uncovered by KnowBe4 employs cross-site scripting (XSS) attacks to harvest personal details from unsuspecting victims. Attackers use this method to inject malicious scripts into legitimate websites, tricking users into entering sensitive information like login credentials. This technique bypasses traditional security measures, making it a particularly dangerous threat. Users should be cautious when clicking on links in emails and ensure that websites they interact with are secure. 

Key Insights: 

  • Attack Method: Cross-site scripting (XSS) used to steal personal details. 

  • Target: Login credentials and sensitive information. 

  • Recommendation: Verify website security before entering personal information. 

For more details, visit the KnowBe4 article. 

 

 

Surge in File-Sharing Phishing Attacks 

KnowBe4 reports a staggering 350% increase in file-sharing phishing attacks over the past year. These attacks often disguise themselves as notifications from popular file-sharing services, tricking users into revealing sensitive information or downloading malware. The rapid rise in these attacks highlights the need for enhanced email security and ongoing employee training. 

Key Insights: 

  • 350% Increase: Significant rise in file-sharing phishing attacks. 

  • Attack Method: Disguised as legitimate file-sharing notifications. 

  • Recommendation: Strengthen email security and employee awareness. 

For more details, visit the KnowBe4 article. 

 

 

Rising Use of URL Shorteners in Phishing Attacks 

Recent intelligence highlights a growing trend where cybercriminals use URL shorteners to obscure malicious links in phishing campaigns. This tactic effectively conceals the true destination of links, making it difficult for users and traditional security tools to detect threats. These shortened URLs often appear in seemingly legitimate emails or text messages, leading to fraudulent websites designed to steal credentials or deploy malware.  

For more details, visit the KnowBe4 article. 

 

 

Surge in Microsoft Brand Impersonation Attacks 

A recent report shows a 50% increase in phishing attacks impersonating Microsoft in just one quarter. These attacks target users by mimicking Microsoft’s branding to steal credentials or deploy malware. Given Microsoft’s widespread use in organizations, employees should be extra cautious when receiving emails claiming to be from Microsoft, especially those requesting login details or prompting downloads. Always verify the sender's address and report suspicious emails to IT. 

For more details, visit the KnowBe4 article. 

 

 

Dark Angels Ransomware Group Rakes in Record Ransoms 

The Dark Angels ransomware group has secured a record $75 million ransom payment from a fortune 50 company recently. Unlike other groups, Dark Angels avoid public leaks and minimize operational disruptions for their victims, making it easier to coerce payments quietly.  

For more details, visit the Krebs on Security article. 

 

 

Inc Ransom Attack Analysis 

Overview: In April 2024, the "Inc Ransom" group targeted a ReliaQuest customer, employing a double-extortion strategy without encrypting files. They exploited an unpatched Fortinet vulnerability to gain access, installed remote management tools like AnyDesk, and used techniques like pass-the-hash for lateral movement. Data was exfiltrated using unconventional tools such as Restic. 

Key Insights: 

  • Mitigations: Prioritize patch management, enforce network segmentation, and deploy host-based controls to prevent unauthorized software execution. 

  • Emerging Trends: Use of legitimate tools by attackers to blend in with normal activity. 

Actionable Steps: Strengthen defenses by regularly updating and auditing systems, ensuring proper segmentation, and limiting privileges to essential accounts. 

For a detailed analysis, visit the full report here. 

 

 

URL Rewriting Exploited by Threat Actors 

Overview: Threat actors are increasingly abusing URL rewriting, a security feature intended to protect against phishing, to mask malicious links. By compromising legitimate email accounts and using URL rewriting, attackers can disguise phishing URLs as safe, often leveraging the security vendor's domain to gain trust. 

Key Insights: 

  • Mitigations: Enhance vigilance when clicking on links, even those appearing to be from trusted sources. 

  • Emerging Trends: Attackers are exploiting the gap between initial scans and later weaponization of URLs. 

For a detailed analysis, visit the full report here. 

 

 

Exfiltration Tools on the Rise 

A recent analysis by ReliaQuest highlights the growing use of advanced exfiltration tools by cybercriminals to steal sensitive data. Tools like Rclone, WinSCP, and FileZilla are increasingly being leveraged to exfiltrate data from compromised networks. These tools are difficult to detect as they mimic legitimate traffic, making traditional defenses less effective.  

For more details, visit the ReliaQuest article. 

 

 

North Korean IT-Worker Scheme Exposed in Tennessee 

A Nashville resident, Matthew Isaac Knoot, was arrested for facilitating a scheme that funneled hundreds of thousands of dollars to North Korea’s illicit weapons program. Knoot allegedly helped North Korean IT workers secure remote jobs with U.S. and British companies by using stolen identities. The funds, earned through six-figure salaries, were laundered and funneled back to North Korea. This case underscores the growing threat of North Korean cyber operations targeting remote work environments. 

For more details, visit the full article. 

 

 

Top Malware in July 2024: Remcos and RansomHub 

The July 2024 Threat Index highlights a surge in activity by the RansomHub ransomware group and a new Remcos malware campaign. RansomHub continues to dominate as the most prevalent ransomware, accounting for 11% of attacks, while LockBit3 and Akira follow closely behind. A critical security lapse led to the distribution of Remcos via a malicious ZIP file disguised as a CrowdStrike update. Additionally, FakeUpdates remains a persistent threat, utilizing fake browser updates to deploy RATs like AsyncRAT. 

Key Insights: 

  • RansomHub: Leading ransomware, targeting Windows, macOS, Linux, and VMware ESXi. 

  • Remcos Campaign: Exploits a security software update issue, spreading via phishing attacks. 

  • FakeUpdates: Tops the malware list, leveraging compromised websites to deliver Remote Access Trojans. 

For a deeper dive, visit Checkpoint’s Threat Index. 

 

 

Focus on Malware Loaders: Evolving Threats in 2024 

In 2024, nearly 40% of malware incidents involved advanced loaders like SocGholish, GootLoader, and Raspberry Robin. These loaders are pivotal in deploying ransomware and Remote Access Trojans (RATs). SocGholish has notably enhanced its tactics with Python scripts, making it harder to detect, while GootLoader and Raspberry Robin use sophisticated evasion techniques, posing significant threats to critical sectors. 

Key Insights: 

  • SocGholish: Now using Python for persistence. 

  • GootLoader: Continues to exploit legitimate platforms. 

  • Raspberry Robin: Notable for its complex evasion tactics. 

For more detailed insights, visit the full article here. 

Emerging Malware Variants to Watch in 2024 

In recent months, several malware variants have gained prominence in the cyber threat landscape. Notable among them are LummaC2, Rust-based stealers, SocGholish, AsyncRAT, and Oyster, each posing significant risks to organizations across all sectors. 

Key Insights: 

  • LummaC2: A powerful infostealer with increasing reach. 

  • Rust-based Stealers: Notable for their advanced evasion techniques. 

  • SocGholish: Continues to be a persistent threat through fake browser updates. 

  • AsyncRAT: Versatile and widely used for remote access. 

  • Oyster: A backdoor linked to Wizard Spider, signaling targeted attacks. 

For more details, visit ReliaQuest. 

 

 

Exploring the Abuse of Impacket: A Growing Threat 

Impacket, a versatile Python-based toolkit, has become a favored tool among threat actors for lateral movement, privilege escalation, and remote code execution in Windows environments. Threat actors commonly exploit Impacket scripts like psexec.py, smbexec.py, and wmiexec.py to perform these actions stealthily. The toolkit’s ability to mimic legitimate network activity complicates detection, making it a significant challenge for organizations to defend against. 

Key Insights: 

  • psexec.py: Used for executing remote commands with elevated privileges. 

  • smbexec.py: Facilitates lateral movement without additional software installation. 

  • wmiexec.py: Enables stealthy command execution through WMI. 

For more information, visit ReliaQuest. 

Copybara Android Malware: A Rising Threat 

The latest variant of Copybara, an Android malware family, has evolved to use the MQTT protocol for command-and-control (C2) communication, enhancing its stealth. This malware exploits Android’s Accessibility Service for keylogging, screen capturing, and phishing attacks, particularly targeting cryptocurrency exchanges and financial institutions. Copybara’s ability to impersonate legitimate apps makes it especially dangerous. 

Key Insights: 

  • MQTT Protocol: Used for stealthy C2 communication. 

  • Accessibility Service Exploitation: Enables comprehensive device control. 

  • Targeted Attacks: Focus on financial institutions and cryptocurrency exchanges. 

For more details, visit Zscaler. 

 

 

Massive QR Code Phishing Campaign Abuses Microsoft Sway 

A significant phishing campaign has been detected, exploiting Microsoft Sway to host malicious landing pages targeting Microsoft 365 users. The campaign, identified by Netskope Threat Labs, saw a 2,000-fold increase in activity, primarily targeting sectors in Asia and North America. Attackers use QR codes embedded in phishing emails, redirecting victims to malicious sites. This method exploits the weaker security controls of mobile devices and evades email scanners, making it particularly effective and dangerous. 

Key Insights: 

  • Targeted Sectors: Technology, manufacturing, and finance. 

  • Attack Method: QR codes bypass traditional security by embedding in images. 

  • Risk Increase: Heightened threat to mobile device users. 

For more details, visit BleepingComputer. 

Malvertising Campaign Impersonates Google Products 

A recent malvertising campaign has been detected, impersonating various Google products to lure users into tech support scams. These malicious ads, exploiting Google’s Looker Studio, redirect victims to fake Microsoft or Apple warning pages, urging them to call a fraudulent support number. This campaign serves as a reminder to be cautious of online ads, even those that appear to represent trusted brands. 

Key Insights: 

  • Target: Users of Google products. 

  • Tactics: Fake tech support scams via malvertising. 

  • Impact: Potential malware installation and data theft. 

For more details, visit KnowBe4. 

 

 

Deceptive AI: A New Wave of Cyber Threats 

As AI technology advances, cybercriminals are increasingly using AI-generated content (AIGC) to deceive users on social media. This includes creating fake profiles, deepfake videos, and AI-crafted messages that are nearly indistinguishable from real content. A recent survey revealed that a significant portion of users struggle to identify these threats, which can lead to fraud, identity theft, and misinformation. It's crucial to be aware of these risks and stay vigilant online. 

For more details, visit KnowBe4. 

 

 

North Korean IT Workers Target U.S. Tech Companies 

North Korean IT workers are increasingly applying for remote jobs at U.S. tech firms using false identities. They employ AI-generated profile images and fake job histories, aiming to funnel earnings back to the North Korean regime, posing security risks and potential sanctions violations. Key insights include the importance of rigorous background checks and enhanced candidate verification processes to counter this threat. Collaboration with security experts and intelligence sharing is critical. 

For more insights, visit Cinder. 

 

 

Risks in Publicly Exposed GenAI Development Services 

A recent analysis highlights significant security risks in publicly exposed GenAI development services, particularly vector databases and low-code LLM tools. These platforms often handle sensitive data but can be misconfigured, leading to potential data leakage, data poisoning, and exploitation of vulnerabilities. To mitigate these risks, organizations should enforce strict access controls, monitor activity, and ensure all software is updated. 

For a deeper dive, visit Legit Security. 

 

 

How Attackers Exploit Digital Analytics Tools 

Cybercriminals are increasingly weaponizing digital analytics tools like link shorteners, IP geolocation services, and CAPTCHA challenges. These tools, often used for legitimate purposes, are repurposed to obscure malicious activity, evade detection, and tailor attacks to specific targets. Organizations should implement automated analysis and monitor suspicious patterns in these tools to mitigate risks. 

Key Insights: 

  • Threat actors use link shorteners to mask phishing URLs. 

  • IP geolocation data helps attackers target specific regions. 

  • CAPTCHA services are abused to bypass automated security scans. 

Further Reading: Google Cloud Blog 

 

 

GenAI and the Surge of AI-Driven Fraudulent Websites 

 Cybercriminals are increasingly leveraging large language models (LLMs) to scale the creation of fraudulent websites, including phishing sites and fake online stores. Netcraft reports a significant rise in AI-generated content for scams, with a 3.95x increase in such websites from March to August 2024. These AI tools enhance the credibility of scams by improving text quality, making malicious content more convincing and harder to detect. Organizations must enhance their defenses to mitigate the risks posed by this emerging threat. 

Key Insights: 

  • LLMs are used to generate convincing text for scams. 

  • AI-driven scams have seen a sharp increase in recent months. 

  • Monitoring and takedown strategies are essential to combat this trend. 

Further Reading: Netcraft Blog 

 

 

So-Phish-ticated Attacks: A New Wave of Social Engineering 

A sophisticated threat actor is conducting targeted social engineering attacks against over 130 U.S. organizations. These attacks, which include phishing via SMS and direct phone calls, are designed to harvest credentials and one-time passcodes. The use of native English speakers and tactics that bypass traditional security tools makes these attacks particularly challenging to detect.  

Key Insights: 

  • Attacks bypass traditional detection. 

  • Focus on credential harvesting. 

  • Targeting multiple industry verticals. 

Further Reading: GuidePoint Security Blog 

 Originally posted on exploresec.com

In News Tags newsletter, phishing, threat intelligence
Comment

Exploring the newsletter below - Image created with the help of ChatGPT

Security Awareness Newsletter March 2024

April 1, 2024

This is a security newsletter I’ve put together as part of our security awareness program. This leans more towards healthcare and news items that are more general in nature. I’ll have a more technical focused newsletter later this week that’s targeted at security teams. Feel free to take this newsletter and use it internally as part of your security awareness program.

The Great Zoom-Skype-Google Masquerade: Beware of digital doppelgängers. Fake Zoom, Skype, and Google Meet sites are the latest traps set by cyber tricksters.  These spoofed meetings can trick users into downloading harmful software that compromises their computer. Ensure you’re clicking on the real deal to keep those malware masqueraders at bay. Beware of QR codes that will try to steal credentials as part of this type of attack. 

Beware of fake websites mimicking popular brands!: Typosquatting attacks are surging, and cybercriminals are exploiting user mistakes to steal login credentials and spread malware. Typosquatting is where an attacker registers a similar domain to one a person is familiar with. This increases the chance a malicious link will be clicked. 

Small Businesses Hit Hard by Cybercrime: Some social engineering techniques highlighted in the article include: malicious ads; attackers starting a conversation before trying to get the person to take an action; and the move to PDF attachments. These types of attacks help launch ransomware against small businesses. 

Beware of AI-Driven Voice Cloning in Vishing Scams: The Better Business Bureau (BBB) has issued a warning about the rise of voice phishing (vishing) scams utilizing AI-driven voice cloning technology. Scammers can now mimic voices convincingly with just a small audio sample, leading to fraudulent requests for money transfers or sensitive information. Tips to Stay Safe: 

  • Pause Before Acting: Resist the urge to act immediately on unexpected requests, even if they seem to come from a familiar voice. 

  • Verify Directly: Contact the supposed caller using a known, saved number—not the one provided in the suspicious call. 

  • Question the Caller: Ask specific questions that an impostor would struggle to answer correctly. 

  • Secure Your Accounts: Implement multi-factor authentication and verify any changes in information or payment requests. 

Update on Change Healthcare Cyberattack Recovery: Change Healthcare is on track to bring its systems back online by mid-March following a cyberattack that has caused widespread disruption since February 21. The cyberattack has significantly affected healthcare operations nationwide, with providers facing difficulties in payment processing, insurance verification, and clinical data exchange. This highlights why security awareness is so important. Identifying and reporting security threats to the organization is the responsibility of everyone. 

Beware of Tax Season Scams Targeting SMBs and Self-Employed Individuals: As tax season unfolds, a new scam has surfaced targeting small business owners and self-employed individuals. Scammers are using emails to lure victims to a fraudulent site, claiming to offer IRS EIN/Federal tax ID number applications. However, this service is free through the IRS, and the scam site is designed to steal personal information, including social security numbers, creating a significant risk for identity theft and fraud. A Microsoft report identifies green card holders, small business owners, new taxpayers under 25, and older taxpayers over 60 as prime targets for these scams. Check Point has some example phishes in their tax scam article. 

Apple Users Beware: "MFA Bombing" Phishing Attacks on the Rise: Leveraging Apple's password reset system attackers can bombard users with password reset prompts. If a person clicks "allow" on one of the prompts, the attackers can gain access to the user's account. The attackers may also call the person pretending to be Apple support. Some ways to protect yourself from this attack include not clicking on any of the prompts and contacting Apple directly if you receive a suspicious call. 

In News Tags newsletter, Security Awareness, social engineering, Typosquatting, AI, Healthcare, tax fraud, Multi-Factor Authentication
Comment

Latest PoDCASTS

Featured
Oct 29, 2024
[RERELEASE] ShowMeCon: What does Jayson E. Street, Dave Chronister, Johnny Xmas, April Wright, and Ben Brown think about security?
Oct 29, 2024
Oct 29, 2024
Oct 22, 2024
[RERELEASE] What is security awareness?
Oct 22, 2024
Oct 22, 2024
Oct 15, 2024
How to get a penetration test (pentest)
Oct 15, 2024
Oct 15, 2024
Oct 8, 2024
How to Avoid Election Scams
Oct 8, 2024
Oct 8, 2024
Oct 1, 2024
What is sober in cyber?
Oct 1, 2024
Oct 1, 2024
Sep 24, 2024
How Disinformation Will Impact The 2024 Election with Renee DiResta
Sep 24, 2024
Sep 24, 2024
Sep 17, 2024
How to Hack an Enterprise
Sep 17, 2024
Sep 17, 2024
Sep 10, 2024
Ben Burkert of Anchor.Dev on the challenges of Internal Certificate Management
Sep 10, 2024
Sep 10, 2024
Sep 4, 2024
[RERELEASE] What is Practical Web Applicaiton Penetration Testing?
Sep 4, 2024
Sep 4, 2024
Aug 27, 2024
[RERELEASE] How to find vulnerabilites
Aug 27, 2024
Aug 27, 2024

Powered by Squarespace