Evasive phishing mixes reverse tunnels and URL shortening services
Security researchers at CloudSEK report that reverse tunnel services, combined with URL shorteners, are becoming a difficult-to-stop vehicle for phishing. It’s a deviation from the more common method of registering domains with hosting providers. Reverse tunnels allow threat actors to host phishing pages locally on their own computers and route connections through a URL shortening service, generating new links as often as they want to bypass detection. According to the researchers, the most widely abused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare’s Argo. They also saw the Bit.ly, is.gd, and cutt.ly URL shortening services being used more frequently.
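Added example, not from CloudSEK or the original article: a small Python triage helper that flags proxy-log URLs pointing at the reverse tunnel services and URL shorteners named above, matching on DNS label boundaries, and prioritises the shortener-to-tunnel chain once a redirect has been resolved by a separate enrichment step. The hostname suffix lists are assumptions drawn from those services' public hostnames, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Public hostname suffixes of the reverse-tunnel services named in the article
# (ngrok, localhost.run, Cloudflare Argo / quick tunnels) and the shorteners
# it names. Assumption: extend both lists from your own telemetry.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok.app", "ngrok-free.app",
                   "localhost.run", "lhr.life", "trycloudflare.com")
SHORTENER_HOSTS = ("bit.ly", "is.gd", "cutt.ly")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def host_matches(host, suffixes):
    # Compare on DNS label boundaries so "notngrok.io" is not a hit.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_host(host):
    if host_matches(host, TUNNEL_SUFFIXES):
        return "reverse-tunnel"
    if host_matches(host, SHORTENER_HOSTS):
        return "shortener"
    return None

def scan_log(lines):
    """Return (kind, host, url) for every tunnel or shortener URL in the lines."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            kind = classify_host(host)
            if kind:
                findings.append((kind, host.lower(), url))
    return findings

def score_chain(short_url, expanded_url):
    """Rate a shortener link after an enrichment step (sandboxed redirect follow,
    not done here) resolved it; shortener -> tunnel host is the article's chain."""
    first = classify_host(urlsplit(short_url).hostname or "")
    final = classify_host(urlsplit(expanded_url).hostname or "")
    if first == "shortener" and final == "reverse-tunnel":
        return "high"
    if final == "reverse-tunnel":
        return "medium"
    return "low"

# Constructed proxy log lines, not real telemetry.
SAMPLE_LOG = [
    "2022-06-06T09:12:01Z alice GET https://bit.ly/3xyzABC 302",
    "2022-06-06T09:12:02Z alice GET https://a1b2c3d4.ngrok.io/login 200",
    "2022-06-06T09:13:10Z bob GET https://intranet.example.com/ 200",
    "2022-06-06T09:14:22Z carol GET https://notngrok.io/ 200",
]
```

Shortener hits alone are noisy because the services are widely used legitimately; treat them as candidates for redirect resolution and escalate only when `score_chain` returns "high".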
Exploit released for Atlassian Confluence RCE bug, patch now
On Friday, Atlassian released security updates to fix an actively exploited critical vulnerability impacting Atlassian Confluence and Data Center servers. Tracked as CVE-2022-26134, this is “a critical unauthenticated, remote code execution vulnerability exploited through OGNL injection and which impacts all Atlassian Confluence and Data Center 2016 servers after version 1.3.0. This allows unauthenticated, remote attackers to create new admin accounts, execute commands, and ultimately take over the server.”
Lawmakers are racing to pass tech antitrust reforms before midterms
The American Innovation and Choice Online Act is just a few steps away from becoming federal law. “Known among lawmakers as the self-preferencing or anti-discrimination bill, the legislation would prohibit dominant tech platforms like Amazon, Apple and Google from giving preferential treatment to their own services in marketplaces they operate.” For example, it could prevent Google from having its own travel recommendations at the top of search results, or Amazon might have to ensure its own products are ranked by the same criteria as competitors’ products. “The bill has overcome intense lobbying from the tech industry, and there are increasingly signs it will move forward before the August recess.”
(CNBC)
Evil Corp pivots LockBit to dodge U.S. sanctions
Researchers from Mandiant have found that Evil Corp has moved to LockBit ransomware after U.S. sanctions made it difficult for them to work with their current toolkit. The researchers are tracking what they call a “financially motivated threat cluster named UNC2165 that has numerous overlaps with Evil Corp and is highly likely the latest incarnation of the group.” Writing in a report released Thursday, the researchers point out how the group uses the FakeUpdates infection chain to gain access to target networks, which is then followed by the LockBit ransomware, representing “another evolution in Evil Corp affiliated actors’ operations.”
Thanks to today’s episode sponsor, PlexTrac

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the premier pentest reporting and management platform.
Iranian hackers planned attack on Boston Children’s Hospital last summer, FBI director says
FBI Director Christopher Wray, speaking at the Boston Conference on Cyber Security, has described how the FBI detected and mitigated this attack, and called it one of the “most despicable cyberattacks” he’s seen, albeit hardly an isolated one. “In 2021 the FBI saw ransomware attacks against 14 of the 16 services deemed critical infrastructure by the U.S. government, including hospitals. The FBI issued a warning last November that Iranian hackers were seeking data that could be used to hack U.S. companies.”
CISA issues vulnerability advisory for select Dominion voting equipment, urges updates
“Vulnerabilities within some Dominion voting machines used in roughly a dozen states should be mitigated as soon as possible,” said the U.S. government’s top cybersecurity officials in an advisory issued Friday afternoon. CISA notes that while the technical flaws within the Dominion Voting Systems Democracy Suite ImageCast X — an in-person voting system that allows voters to mark their ballots — should be “mitigated as soon as possible,” it has no evidence that these vulnerabilities have been exploited in any elections.
Another $250,000 in Ethereum drifts away from the Bored Ape Yacht Club
This is the third security breach the NFT Yacht Club has suffered this year. The hackers conducted a phishing attack by setting up a site that impersonated the official BAYC and announcing that Bored Ape NFT holders and others holding similar NFTs were allowed to claim a free NFT for a short period of time. The bogus website was advertised through the official BAYC Discord, using the account of a Yuga Labs community manager that had previously been hacked. Yuga Labs is the creator of the Bored Ape series.
The Week in Ransomware
In addition to the already mentioned pivot into ransomware by Evil Corp, last week also saw the new Industrial Spy group applying greater pressure on victims by hacking their websites to display ransom notes. Conti leaks are revealing that the ransomware gang was working on exploits for the Intel Management Engine to plant bootkits and malicious firmware. CLOP ransomware targets 21 victims in a single month, Magniber ransomware now targets Windows 11 machines, Foxconn is confirming a LockBit ransomware attack in May 2021, and Costa Rica continues to be targeted by the Hive ransomware group.
(Bleeping Computer via JN66 Data Analytics and CyberSecurity Insiders)