👋 Hey there,
Happy Sunday!
🚨 News
Massive Hijack of Trusted Brands' Subdomains for Spam Campaign
- Operation "SubdoMailing" Unveiled: Researchers have identified a massive ad fraud campaign named "SubdoMailing," leveraging over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day. The campaign exploits abandoned subdomains and domains of well-known companies for malicious emails.
- Tactics for Bypassing Security: The fraudulent operation abuses SPF and DKIM email policies to bypass spam filters, trading on the trusted reputation of the hijacked domains. Tactics include CNAME hijacking and SPF record exploitation: attackers register expired external domains that a target domain still points to through CNAME records or SPF "include:" directives, so mail sent from the attacker's infrastructure passes the target domain's checks.
- Sophisticated Exploitation Techniques: The attackers craft emails using images instead of text to evade text-based filters, employ click-redirects for malicious content delivery, and leverage legitimate email services like SendGrid for distribution. This complex operation indicates a high level of resource investment and sophistication.
- Challenges and Implications for Email Security: This operation highlights the limitations of conventional email security measures, such as SPF, DKIM, and DMARC, against sophisticated phishing tactics. Reliance on domain reputation alone is inadequate, pointing to the need for advanced detection technologies that can identify and mitigate such threats.
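The dangling-reference problem behind SubdoMailing can be checked from the defender's side. Here is an added example (not code from the newsletter or the researchers) that walks a domain's SPF "include:" chain and its CNAME records over a constructed DNS snapshot and reports every reference whose registrable domain is no longer registered; the domain names, records and the REGISTERED set are invented stand-ins for live DNS and RDAP lookups.

```python
from typing import Dict, List, Set, Tuple

# Constructed DNS snapshot (name -> records); these domains are invented, not real.
DNS: Dict[str, List[Tuple[str, str]]] = {
    "brand.example": [("TXT", "v=spf1 include:_spf.mailer.example include:old-vendor.example -all")],
    "_spf.mailer.example": [("TXT", "v=spf1 ip4:192.0.2.0/24 -all")],
    "promo.brand.example": [("CNAME", "campaign.expired-agency.example")],
    "www.brand.example": [("CNAME", "brand.cdn.example")],
    "brand.cdn.example": [("A", "198.51.100.7")],
}
# Constructed set of currently registered registrable domains (stands in for a WHOIS/RDAP lookup).
REGISTERED: Set[str] = {"brand.example", "mailer.example", "cdn.example"}

def registrable(name: str) -> str:
    """Crude registrable-domain cut: last two labels (assumption: no public-suffix list needed here)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def spf_includes(name: str) -> List[str]:
    """Return the include: targets of name's SPF TXT record, or [] if it has none."""
    for rtype, value in DNS.get(name, []):
        if rtype == "TXT" and value.startswith("v=spf1"):
            return [t.split(":", 1)[1] for t in value.split() if t.startswith("include:")]
    return []

def dangling_references(domain: str) -> Dict[str, List[str]]:
    """List SPF includes (followed transitively) and CNAME targets under domain whose
    registrable domain is not registered, i.e. could be claimed by a third party."""
    findings: Dict[str, List[str]] = {"spf": [], "cname": []}
    seen, queue = set(), [domain]
    while queue:  # walk the include chain; 'seen' stops include loops
        name = queue.pop()
        if name in seen:
            continue
        seen.add(name)
        for inc in spf_includes(name):
            if registrable(inc) not in REGISTERED:
                findings["spf"].append(f"{name} include:{inc}")
            queue.append(inc)
    for name, records in DNS.items():  # every CNAME at or below the domain
        if name == domain or name.endswith("." + domain):
            for rtype, target in records:
                if rtype == "CNAME" and registrable(target) not in REGISTERED:
                    findings["cname"].append(f"{name} -> {target}")
    return findings

if __name__ == "__main__":
    print(dangling_references("brand.example"))
```

Run periodically against your own zones, a non-empty result is a hygiene finding: remove the stale include or CNAME, or re-register the name.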
Savvy Seahorse Gang Exploits DNS CNAME Records for Financial Scams
- The Surprising Threat: I recently stumbled upon an article about Savvy Seahorse, a DNS threat actor who has been using CNAME records for financial scams since at least August 2021. They leverage DNS CNAME records to create a traffic distribution system (TDS) for sophisticated campaigns, enabling them to control who has access to content and dynamically update IP addresses. This technique has allowed the actor to evade detection by the security industry.
- Targeted Attacks & Techniques: Savvy Seahorse's campaigns involve Facebook ads, dedicated hosting, and regular IP address changes. They use wildcard DNS entries for a large number of independent campaigns and a secondary HTTP-based TDS server for validating victim information and applying geofencing. The actor has been operating for at least a year, with approximately 4.2k base domains using the 'b36cname[.]site' CNAME.
- Impact & Severity: The Savvy Seahorse campaigns have resulted in over $4.6 billion in stolen funds from victims in the US alone. The actor targets Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers while excluding Ukraine and a handful of other countries.
- Recommendations: To mitigate the risk of falling victim to such campaigns, I recommend monitoring for the IOCs and ensuring security tools can detect and alert on similar campaigns. Regularly update security tools, monitor for unusual DNS activity, and stay vigilant for new phishing or investment scams.
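The CNAME-based TDS leaves a recognisable footprint in passive DNS: many unrelated domains funnelling into one CNAME hub, and many hostnames of one domain resolving identically (the wildcard pattern). This added example (not from the newsletter or the Savvy Seahorse research) clusters a constructed batch of CNAME observations to surface both patterns; every domain and the hub name are invented.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed passive-DNS observations (hostname, CNAME target); all names are invented.
OBSERVATIONS: List[Tuple[str, str]] = [
    ("invest-now.example", "abc.hub-cname.example"),
    ("a1.invest-now.example", "abc.hub-cname.example"),
    ("zz9.invest-now.example", "abc.hub-cname.example"),
    ("crypto-gain.example", "k7.hub-cname.example"),
    ("quick-profit.example", "q2.hub-cname.example"),
    ("www.legit-shop.example", "legit-shop.cdn.example"),
    ("img.legit-shop.example", "legit-shop.cdn.example"),
]

def registrable(name: str) -> str:
    """Crude registrable-domain cut: last two labels (assumption: no public-suffix list needed)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def cname_hubs(observations, min_domains: int = 3) -> Dict[str, List[str]]:
    """Return CNAME target domains shared by at least min_domains distinct source domains.
    A legitimate CDN is shared by many customers too, so treat a hit as a pivot, not a verdict."""
    by_hub: Dict[str, set] = defaultdict(set)
    for host, target in observations:
        by_hub[registrable(target)].add(registrable(host))
    return {hub: sorted(domains) for hub, domains in by_hub.items() if len(domains) >= min_domains}

def wildcard_like(observations, min_hosts: int = 3) -> List[str]:
    """Source domains where several distinct hostnames all resolve to the same CNAME target,
    the footprint a wildcard DNS entry leaves in passive DNS."""
    per_domain: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for host, target in observations:
        per_domain[registrable(host)][target].add(host)
    return sorted(d for d, targets in per_domain.items()
                  if any(len(hosts) >= min_hosts for hosts in targets.values()))

if __name__ == "__main__":
    print(cname_hubs(OBSERVATIONS))
    print(wildcard_like(OBSERVATIONS))
```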
Lazarus Hackers Exploited Windows Zero-Day to Gain Kernel Privileges
- Key Takeaway: Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver, which Lazarus Group used to establish a kernel read/write primitive. Microsoft addressed the vulnerability as CVE-2024-21338 in the February Patch Tuesday update.
- Technical Analysis: The exploit takes advantage of the 'Expand URL' function within Shortcuts, bypassing the Transparency, Consent, and Control (TCC) framework designed to protect user data. This enables them to craft a malicious shortcut to extract base64-encoded data and transmit it to an external server.
- Impact and Severity: With a CVSS score of 7.5 out of 10, this vulnerability poses a high risk, potentially allowing unauthorized access to sensitive data such as photos, contacts, and files. This highlights the importance of continuous vigilance and prompt software updates for cybersecurity.
- Mitigation Steps: Microsoft has addressed the vulnerability with additional permissions checks, urging users to update their devices to the latest versions to protect against exploitation. Users are also advised to be cautious of shortcuts from untrusted sources. The only effective security measure is to apply the February 2024 Patch Tuesday updates as soon as possible.
Over 100,000 Infected Repos Found on GitHub
- Repo Confusion Attacks: The resurgence of repo confusion attacks targets GitHub, with over 100,000 repositories affected. The attacks exploit similarity to legitimate repositories to distribute malware, which highlights the importance of scrutinizing repositories before use.
- How It Works: Repo confusion attacks manipulate human error rather than package manager vulnerabilities, employing tactics like cloning legitimate repos, injecting malware, and promoting them online to trick developers into downloading malicious versions.
- Shift to SCM: The campaign's evolution shows a strategic shift from package managers to source control management (SCM) platforms like GitHub, taking advantage of automated account and repo creation and the vastness of GitHub to evade detection, underscoring the adaptability of threat actors.
- Protection: Protecting against repo confusion requires vigilant source verification, sandbox testing of dubious repos, and advanced detection systems capable of deep code analysis and identifying sophisticated threats, emphasizing the need for a proactive and comprehensive approach to software supply chain security.
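Source verification can be partly automated. This added example (not from the newsletter or the research it summarises) flags candidate repositories whose name is identical or near-identical to a trusted one but which sit under a different owner, and notes whether that owner account is new; the allowlist, candidates and ages are constructed, not real GitHub data.

```python
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Constructed allowlist of (owner, repo) pairs the organisation actually depends on.
TRUSTED: List[Tuple[str, str]] = [("acme-org", "acme-sdk"), ("tools-inc", "fastparse")]
# Constructed candidates, e.g. from a code search or a dependency manifest; not real GitHub data.
CANDIDATES: List[Dict] = [
    {"owner": "acme-org", "name": "acme-sdk", "owner_age_days": 2400},
    {"owner": "acm3-org", "name": "acme-sdk", "owner_age_days": 3},
    {"owner": "someone", "name": "acme_sdk", "owner_age_days": 5},
    {"owner": "tools-inc", "name": "fastparse", "owner_age_days": 1800},
    {"owner": "randomdev", "name": "weather-widget", "owner_age_days": 900},
]

def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical names."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def lookalikes(candidates, trusted, threshold: float = 0.85, young_owner_days: int = 30) -> List[Dict]:
    """Flag candidates whose name is identical or near-identical to a trusted repo
    but which live under a different owner; record whether that owner account is new."""
    trusted_set = set(trusted)
    findings = []
    for repo in candidates:
        if (repo["owner"], repo["name"]) in trusted_set:
            continue  # exactly the repo we trust
        for owner, name in trusted:
            score = similarity(repo["name"], name)
            if score >= threshold:
                findings.append({
                    "owner": repo["owner"], "name": repo["name"],
                    "mimics": f"{owner}/{name}", "score": round(score, 3),
                    "new_owner": repo["owner_age_days"] < young_owner_days,
                })
                break  # one finding per candidate is enough
    return findings

if __name__ == "__main__":
    for finding in lookalikes(CANDIDATES, TRUSTED):
        print(finding)
```

A hit is a prompt to inspect the repository in a sandbox and confirm its origin, not proof of malice: forks and renamed mirrors will score high too.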
Russian Hackers Hijack Ubiquiti Routers To Proxy Network
- Malicious Operation: The joint advisory from the FBI, NSA, US Cyber Command, and international partners warns of Russian state-sponsored cyber actors exploiting Ubiquiti EdgeRouters globally for malicious cyber operations, including credential harvesting, traffic proxying, and spear-phishing.
- Details: The advisory details APT28's tactics, techniques, and procedures (TTPs), including the use of compromised routers for covert operations targeting various sectors worldwide and exploitation of CVE-2023-23397 for credential theft.
- Mitigation: Mitigation steps emphasize the importance of updating systems, disabling NTLM where feasible, and adopting secure-by-design principles in network equipment to minimize exposure to cyber threats.
- Recommendation: Recommended actions for EdgeRouter users include performing a hardware reset, upgrading firmware, changing default credentials, and implementing strategic firewall rules to protect against these APT28 activities.
🔬 Tools
Domain Hunter - Analyzes expired domains for reputation and Archive.org history, identifying suitable candidates for phishing and C2 domains.
MISP Project - Platform for sharing, storing, and correlating Indicators of Compromise of targeted attacks.
OSSEC - Open-source Host-based Intrusion Detection System.
🚀 Startups
Entro has added Machine Identity Lifecycle Management to its security platform, providing security teams with tools to manage, monitor, and control the entire lifecycle of a secret. This capability, along with new integrations with CIFS/SMB File Shares, Microsoft SharePoint, and others, allows organizations to efficiently oversee and protect non-human identities and combat "secrets sprawl" in the cloud.
BreachBits has raised Seed funding led by Blu Ventures to expand its BreachRisk™ platform, which provides risk ratings for businesses and avoids false positives by verifying and testing threats. BreachBits' platform, using automated penetration testing, stands out in the cyber risk quantification market, providing fair, verifiable, and actionable results that have been shown to add tremendous value for customers.
Sitehop, a firm specializing in hardware-enforced enterprise encryption, has successfully raised £5M in Seed funding. Sitehop's flagship product, SAFEblade 1100, supports 4,000 secure tunnels, boasting a 900-nanosecond encryption/decryption latency and 100Gbps data throughput, addressing communication network slowdowns caused by software encryption.
💬 Conversations
A Redditor had a not-so-pleasant interview experience where he encountered issues with both interviewers: one junior panelist asked cloud cert exam-based questions and attempted to 'correct' practical answers, while the senior interviewer focused on impractical definition-based questions.
Daniel Miessler talks about the ways he is trying to find positivity in AI taking over jobs. The key point he raises is that this is inevitable and we do not have a choice here. The only thing we can do is find ways to benefit from it.
Informative write-up about analyzing User-Agent strings to help detect threats, such as the Raccoon Stealer and Bunny Loader malware. The post also provides a list of suspicious User-Agents for detecting threats in SIEM systems.
⭐️ 3 Ways I Can Help You
- Work with me. I love helping people! Let's discuss your challenges, career, or ask me anything about cybersecurity in 25 minutes.
- Explore solutions with me. Need cybersecurity strategy and execution for your startup or scale-up? Let's achieve tangible outcomes together.
- Looking for something different? Reach out.
That's a wrap for this week!
Enjoying the read? Share it with your connections who'd love it too.
Best,
Nikoloz