Evasive phishing mixes reverse tunnels and URL shortening services
Security researchers are seeing an uptick in the use of reverse tunnel services along with URL shorteners for large-scale phishing campaigns, making the malicious activity more difficult to stop. This practice deviates from the more common method of registering domains with hosting providers. With reverse tunnels, threat actors can host the phishing pages locally on their own computers and route connections through a URL shortening service, generating new links as often as they want to bypass detection; because no domain is registered and the tunnel hostname can be rotated at will, takedown requests and blocklists lag behind. The most widely abused reverse tunnel services that CloudSEK found in their research are Ngrok, LocalhostRun, and Cloudflare's Argo Tunnel. They also found Bit.ly, is.gd, and cutt.ly to be the most commonly used URL shortening services in these campaigns.
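The pattern described above (shortener hop, then a tunnel hostname) can be checked by tracing a link to its final host and matching that host against the tunnel services' hostname suffixes. The following is an added example, not code from the CloudSEK research or from any of the services named; the tunnel suffixes are an assumption based on the public hostnames those services hand out, and the redirect map is constructed so the code runs offline.

```python
"""Trace shortened links to their final host and flag reverse-tunnel endpoints.

Added example, not code from the CloudSEK research or from any of the
services it names. The tunnel hostname suffixes are an assumption based on
the public hostnames those services hand out; the redirect map is
constructed so the code runs offline. In production, replace the resolver
with one that issues HEAD requests without auto-following redirects and
returns the Location header.
"""
from urllib.parse import urlsplit

# Assumed hostname suffixes handed out by the tunnel services named in the report.
TUNNEL_SUFFIXES = {
    ".ngrok.io": "Ngrok",
    ".trycloudflare.com": "Cloudflare Argo Tunnel",
    ".localhost.run": "LocalhostRun",
    ".lhr.life": "LocalhostRun",
}
SHORTENER_HOSTS = {"bit.ly", "is.gd", "cutt.ly"}

# Constructed redirect map standing in for live Location headers.
FAKE_REDIRECTS = {
    "https://bit.ly/3xmplDoc": "https://is.gd/xmpl2",
    "https://is.gd/xmpl2": "https://1a2b-203-0-113-7.ngrok.io/login",
    "https://cutt.ly/legit": "https://example.com/docs",
    "https://is.gd/loopA": "https://bit.ly/loopB",   # deliberate loop
    "https://bit.ly/loopB": "https://is.gd/loopA",
}


def tunnel_service(host):
    """Return the tunnel service name for host, or None if it is not a tunnel host."""
    host = host.lower()
    for suffix, name in TUNNEL_SUFFIXES.items():
        if host.endswith(suffix):
            return name
    return None


def follow_redirects(url, resolver, max_hops=10):
    """Return the redirect chain starting at url; resolver(url) -> next url or None.

    Stops on a terminal URL, a loop, or max_hops, so a hostile chain cannot
    make the checker spin forever.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = resolver(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify(url, resolver=FAKE_REDIRECTS.get):
    """Classify a link by where its redirect chain ends and how it got there."""
    chain = follow_redirects(url, resolver)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final_host = hosts[-1]
    service = tunnel_service(final_host)
    shortener_hops = sum(1 for h in hosts[:-1] if h in SHORTENER_HOSTS)
    if service and shortener_hops:
        verdict = "reverse tunnel behind shortener"
    elif service:
        verdict = "reverse tunnel"
    elif final_host in SHORTENER_HOSTS:
        verdict = "unresolved shortener"   # loop or hop limit reached
    else:
        verdict = "clean"
    return {"chain": chain, "final_host": final_host, "service": service,
            "shortener_hops": shortener_hops, "verdict": verdict}


if __name__ == "__main__":
    for link in ("https://bit.ly/3xmplDoc", "https://cutt.ly/legit", "https://is.gd/loopA"):
        print(link, "->", classify(link)["verdict"])
```

A tunnel hostname on its own is not proof of phishing (developers use these services legitimately), so the verdict is best used as an enrichment for mail and proxy logs rather than as an automatic block.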
Exploit released for Atlassian Confluence RCE bug, patch now
Proof-of-concept exploits for the actively exploited critical vulnerability impacting Atlassian Confluence Server and Data Center were widely released this weekend. Tracked as CVE-2022-26134, it is a critical unauthenticated remote code execution vulnerability exploited through OGNL injection, and it affects Confluence Server and Data Center versions after 1.3.0. It allows unauthenticated, remote attackers to create new admin accounts, execute commands, and ultimately take over the server. On Friday, Atlassian released security updates to fix the vulnerability just as attacks escalated in the wild.
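Because the published exploits deliver the OGNL expression inside the URI path of a request to Confluence, web access logs are a practical place to hunt for attempts against unpatched servers. The following detection routine is an added example, not code from Atlassian or from any released proof of concept; the log lines are constructed for the example and the confidence heuristic (a static `@pkg.Class@member` reference inside `${...}`) is my own.

```python
"""Hunt for CVE-2022-26134-style OGNL injection attempts in web access logs.

Added example, not code from Atlassian or from the released proof-of-concept
exploits. It relies on the published indicator that the exploit places an OGNL
expression (${...}) in the URI path; the log lines below are constructed for
the example, not real captures.
"""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (IPs from documentation ranges).
SAMPLE_LOG = '''\
203.0.113.5 - - [03/Jun/2022:10:12:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:12:03 +0000] "GET /display/ENG/Release+Notes?q=%24%7Bprice%7D HTTP/1.1" 200 5123
203.0.113.5 - - [03/Jun/2022:10:12:05 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:12:07 +0000] "POST /rest/api/content HTTP/1.1" 200 88
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# An OGNL expression wrapper; @pkg.Class@member is a static reference, the
# form needed to reach Runtime.exec, so its presence raises confidence.
EXPR_RE = re.compile(r"\$\{(?P<body>.*?)\}", re.S)
STATIC_REF_RE = re.compile(r"@[\w.$]+@\w+")


def decode_path(target, rounds=2):
    """URL-decode the path part of a request target, repeating to undo double encoding."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_line(line):
    """Return a finding dict for a suspicious line, or None.

    Only the path is inspected: the published exploit puts the expression
    there, and a ${...} in a query string is left alone to limit noise.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("target"))
    e = EXPR_RE.search(path)
    if not e:
        return None
    body = e.group("body")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "expression": "${" + body + "}",
        "confidence": "high" if STATIC_REF_RE.search(body) else "medium",
    }


def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decoder runs twice on purpose: a single URL-decode would miss the double-encoded variant in the third sample line, which is an easy way to slip past a naive `%24%7B` signature.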
Lawmakers are racing to pass tech antitrust reforms before midterms
The American Innovation and Choice Online Act is just a few steps away from becoming federal law. Known among lawmakers as the self-preferencing or anti-discrimination bill, the legislation would prohibit dominant tech platforms like Amazon, Apple and Google from giving preferential treatment to their own services in marketplaces they operate. For example, it could prevent Google from placing its own travel recommendations at the top of search results, or require Amazon to rank its own products by the same criteria as competitors' products. The bill has overcome intense lobbying from the tech industry, and there are increasing signs it will move forward before the August recess.
(CNBC)
Evil Corp pivots LockBit to dodge U.S. sanctions
Evil Corp has shifted to LockBit ransomware after U.S. sanctions have made it difficult for the cybercriminal group to reap financial gain from its current activity, researchers from Mandiant have found. The researchers are tracking what they call a “financially motivated threat cluster” named UNC2165 that has numerous overlaps with Evil Corp and is highly likely the latest incarnation of the group. UNC2165 is using a combination of the FakeUpdates infection chain to gain access to target networks followed by the LockBit ransomware, the researchers wrote in a report published Thursday. The activity appears to represent “another evolution in Evil Corp affiliated actors’ operations,” they wrote.
Thanks to today’s episode sponsor, PlexTrac

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the premier pentest reporting and management platform.
Iranian hackers planned attack on Boston Children’s Hospital last summer, FBI director says
The FBI managed to detect and mitigate this attack, FBI Director Christopher Wray said on Wednesday at the Boston Conference on Cyber Security. Calling the incident one of the "most despicable cyberattacks" he's seen, Wray noted that the threat was hardly an isolated one. In 2021 the FBI saw ransomware attacks against 14 of the 16 sectors deemed critical infrastructure by the U.S. government, including healthcare. The FBI issued a warning last November that Iranian hackers were seeking data that could be used to hack U.S. companies.
CISA issues vulnerability advisory for select Dominion voting equipment, urges updates
Vulnerabilities within some Dominion voting machines used in roughly a dozen states should be mitigated "as soon as possible," the U.S. government's top cybersecurity officials said in an advisory issued Friday afternoon. CISA notes that while the technical flaws within the Dominion Voting Systems Democracy Suite ImageCast X, an in-person voting system that allows voters to mark their ballots, should be "mitigated as soon as possible," it has no evidence that these vulnerabilities have been exploited in any elections.
Another $250,000 in Ethereum drifts away from the Bored Ape Yacht Club
This is the third security breach the NFT Yacht Club has suffered this year. The hackers conducted a phishing attack by setting up a site that impersonated the official BAYC and announcing that Bored Ape NFT holders and others holding similar NFTs were allowed to claim a free NFT for a short period of time. The bogus website was advertised through the official BAYC Discord, using the account of a Yuga Labs community manager that had previously been hacked. Yuga Labs is the creator of the Bored Ape series.
The Week in Ransomware
In addition to the already mentioned pivot to LockBit by Evil Corp, last week also saw the new Industrial Spy group applying greater pressure on victims by hacking their websites to display ransom notes. Conti leaks are revealing that the ransomware gang was working on exploits for the Intel Management Engine to plant bootkits and malicious firmware. CLOP ransomware targeted 21 victims in a single month, Magniber ransomware now targets Windows 11 machines, Foxconn confirmed a LockBit ransomware attack from late May 2022, and Costa Rica continues to be targeted by the Hive ransomware group.
(Bleeping Computer via JN66 Data Analytics and CyberSecurity Insiders)