Cyber Security Headlines – New phishing method bypasses MFA, Texas LNG explosion, New Italian spyware

New phishing method bypasses MFA using Microsoft WebView2 apps

A new phishing technique is helping threat actors bypass multi-factor authentication when logging into stolen accounts by using Microsoft Edge WebView2 applications to steal victims’ authentication cookies. This technique was created by researcher mr.dox as a proof of concept. Named WebView2-Cookie-Stealer, it consists of a WebView2 executable that opens a legitimate website’s login form inside the application. The technique takes advantage of Microsoft Edge WebView2, which allows developers to “embed a web browser with full support for HTML, CSS, and JavaScript directly in native apps using Microsoft Edge (Chromium) as the rendering engine.” The same technology also allows developers to access cookies and inject JavaScript into the webpage loaded by the application, “making it an excellent tool to log keystrokes and steal authentication cookies and then send them to a remote server.”

(Bleeping Computer)

Russian threat actors may be behind the explosion at Texas liquefied natural gas plant

Preliminary investigations suggest that the explosion that took place on June 8 at the Freeport Liquefied Natural Gas (Freeport LNG) liquefaction plant and export terminal on Texas’ Quintana Island “resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud.” At the time of this recording it is not clear why the plant’s safety mechanisms failed to prevent the explosion, leading experts to speculate that a cyberattack may have disabled them. “ICS malware like TRITON, which experts associated with Russia-linked APT group XENOTIME, has offensive capabilities to shut down industrial safety controls and cause extensive damages to industrial facilities.”

(Security Affairs)

Google reveals sophisticated Italian spyware campaign targeting victims in Italy, Kazakhstan

Researchers from Google’s Threat Analysis Group stated Thursday that a small Italian spyware firm named RCS Labs allegedly worked with as-yet unnamed internet service providers to install malicious apps on the phones of targets in Italy and Kazakhstan. The spyware, called Hermit, is modular surveillanceware. The researchers add that in cases where ISP involvement was not possible, the firm “sent fake warning messages to targets telling them to click a link to restore access to a popular messaging app.” The app used in this attack is similar to the FORCEDENTRY zero-click exploit exposed late last year and developed by Israel’s NSO Group.

(Cyberscoop and ZDNet)

Thanks to today’s episode sponsor, Optiv

The modern enterprise needs a solution as unique as its business.

Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters.

If you’d like to learn more about Optiv ADR, please visit Optiv.com/adr.

Log4Shell exploits still being used to hack VMware servers

CISA issued a warning on Thursday that “threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell remote code execution vulnerability.” After its initial reveal in December 2021, numerous threat actors started looking for and exploiting unpatched systems. These included state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs. The joint advisory was made with the US Coast Guard Cyber Command.

(Bleeping Computer)

Carnival fined $5 million by New York for cybersecurity violations

This follows four security breaches between 2019 and 2021 that exposed substantial amounts of sensitive customer data. New York’s Department of Financial Services said the cruise line violated a state cybersecurity regulation by failing to use multi-factor authentication. It also said Carnival failed to report one breach and failed to conduct adequate cybersecurity awareness training for employees. The regulator said the failures caused Carnival to file improper cybersecurity compliance certifications from 2018 to 2020. Two of the breaches involved ransomware attacks, the regulator said.

(Business Insurance.com)

Electricity used to mine bitcoin plummets as crypto crisis widens

A “crypto winter” has descended upon miners, freezing their profits and spreading financial woe throughout the sector. This is due to the amount of electricity being consumed by the largest cryptocurrency networks having decreased by up to 50%. “The electricity consumption of the bitcoin network has fallen by a third from its high of 11 June, down to an annualized 131 terawatt-hours a year, according to estimates from the crypto analyst Digiconomist.” For some perspective, a single conventional bitcoin transaction uses the same amount of electricity that a typical US household would use over 50 days.

(The Guardian)

And now, the week in ransomware

According to BleepingComputer, “The Conti ransomware gang has finally turned off their Tor data leak and negotiation sites, effectively shutting down the operation. Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month. The members are now spread out in smaller cells among different operations, making it more challenging to target the crime syndicate. Last week also saw a surge in eCh0raix ransomware attacks on QNAP devices, a report on a Mitel zero-day used in a ransomware attack, Chinese hackers deploying ransomware as decoys, and a report on a Conti hacking spree that took place at the end of last year. There were also quite a few attacks this week, or updated information on them, including those on Yodel, Nichirin, Fast Shop, and Artear.”

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.