Cybersecurity News – New phishing method bypasses MFA, Texas LNG explosion, New Italian spyware

New phishing method bypasses MFA using Microsoft WebView2 apps

A new phishing technique uses Microsoft Edge WebView2 applications to steal a victim’s authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. Created by researcher mr.dox, this new social engineering attack is called WebView2-Cookie-Stealer and consists of a WebView2 executable that, when launched, opens up a legitimate website’s login form inside the application. This takes advantage of Microsoft Edge WebView2, which allows developers to embed a web browser, with full support for HTML, CSS, and JavaScript, directly in their native apps using Microsoft Edge (Chromium) as the rendering engine. Unfortunately, WebView2 also allows a developer to directly access cookies and inject JavaScript into the webpage loaded by an application, making it an excellent tool to log keystrokes, steal authentication cookies, and then send them to a remote server.

(Bleeping Computer)

Russian threat actors may be behind the explosion at Texas liquefied natural gas plant

The explosion took place on June 8 at the Freeport Liquefied Natural Gas (Freeport LNG) liquefaction plant and export terminal on Texas’ Quintana Island, and will have a lasting impact on its future operations. Preliminary investigations suggest that the incident resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud. At this time it is not clear why the safety mechanisms in place did not prevent the explosion. Experts speculate a cyberattack may have turned them off. ICS malware like TRITON, which experts associated with Russia-linked APT group XENOTIME, has offensive capabilities to shut down industrial safety controls and cause extensive damages to industrial facilities.

(Security Affairs)

Google reveals sophisticated Italian spyware campaign targeting victims in Italy, Kazakhstan

The little-known Italian spyware firm RCS Labs worked with unnamed internet service providers to install malicious apps on targets’ phones in Italy and Kazakhstan, researchers with Google’s Threat Analysis Group said Thursday. The spyware, dubbed Hermit, is modular surveillanceware. In some cases, where ISP involvement wasn’t possible, Google researchers said the firm sent fake warning messages to targets telling them to click a link to restore access to a popular messaging app. The memory corruption exploitation at work in this attack is akin to the FORCEDENTRY zero-click exploit exposed late last year and developed by Israel’s NSO Group.

(Cyberscoop and ZDNet)

Cyberattack suspected of causing rocket-attack false alarms in Israel

Sirens used to warn Israelis of rocket attacks sounded a false alarm in Israel last weekend, due to a cyberattack on local public address systems, Israel’s Home Front Command said on Monday. Investigators currently attribute the attack to Iranian operatives. The Jerusalem Post emphasizes that this attribution is preliminary, and that the incident remains under investigation. Israel Hayom notes that some of the evidence of a cyberattack remains circumstantial: the systems apparently compromised were civilian warning systems, not the presumably better protected military ones.

(The Cyberwire)

Thanks to today’s episode sponsor, Optiv

The modern enterprise needs a solution as unique as its business.

Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters.

If you’d like to learn more about Optiv ADR, please visit Optiv.com/adr.

Log4Shell exploits still being used to hack VMware servers

CISA warned on Thursday that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell remote code execution vulnerability. After its disclosure in December 2021, multiple threat actors started scanning for and exploiting unpatched systems, including state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs. The joint advisory was made with the US Coast Guard Cyber Command.

(Bleeping Computer)

Carnival fined $5 million by New York for cybersecurity violations

This follows four security breaches between 2019 and 2021 that exposed substantial amounts of sensitive customer data. New York’s Department of Financial Services said the cruise line violated a state cybersecurity regulation by failing to use multi-factor authentication. It also said Carnival failed to report one breach and failed to conduct adequate cybersecurity awareness training for employees. The regulator said the failures caused Carnival to file improper cybersecurity compliance certifications from 2018 to 2020. Two of the breaches involved ransomware attacks, the regulator said.

(Business Insurance.com)

Electricity used to mine bitcoin plummets as crypto crisis widens

The amount of electricity consumed by the largest cryptocurrency networks has decreased by up to 50% as the “crypto winter” continues to eat at the incomes of “miners” and financial contagion spreads further throughout the sector. The electricity consumption of the bitcoin network has fallen by a third from its high of 11 June, down to an annualized 131 terawatt-hours a year, according to estimates from the crypto analyst Digiconomist. As a point of reference, a single conventional bitcoin transaction uses the same amount of electricity that a typical US household would use over 50 days.

(The Guardian)

And now, the week in ransomware

The Conti ransomware gang has finally turned off their Tor data leak and negotiation sites, effectively shutting down the operation. Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month. The members are now spread out in smaller cells among different operations, making it more challenging to target the crime syndicate. Last week also saw a surge in eCh0raix ransomware attacks on QNAP devices, a report on a Mitel zero-day used in a ransomware attack, Chinese hackers deploying ransomware as decoys, and a report on a Conti hacking spree that took place at the end of last year. There were also quite a few attacks this week, or updated information on them, including those on Yodel, Nichirin, Fast Shop, and Artear.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.