This week’s Cyber Security Headlines – Week in Review, Jan 24-Feb 4, is hosted by Rich Stroffolino with our guest, Brian Lozada, CISO, HBOMax
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com.
The top three industries for ransomware
According to data gathered by the threat intelligence firm Trellix, between July and September 2021 the banking, utilities, and retail industries were the most targeted by ransomware organizations. These three sectors accounted for 58% of all observed attacks. The report found that ransomware gangs have adapted their methods over time to target “the most sensitive data and services,” noting that education, government and industrial services remained prominent targets. It should be noted that many of the groups behind major ransomware attacks during the period covered by this study have either disappeared or gone dark, with new organizations emerging to fill the void.
(ZDNet)
Novel device registration trick enhances multi-stage phishing attacks
Microsoft has shared details of a large-scale phishing campaign that leverages stolen credentials to register devices on a target’s network and extend the attack to other enterprises. The attack exploits the concept of bring-your-own-device (BYOD) by registering a device using freshly stolen credentials. This second stage of the campaign observed by Microsoft was successful against victims that had not implemented multi-factor authentication (MFA); in this scenario, threat actors were able to register their own rogue devices into the victim’s network. Microsoft provides recommendations to defend against multi-stage phishing campaigns, such as enabling MFA, adopting good credential hygiene, and implementing network segmentation.
China pilots nationwide blockchain development over real-world use cases
The Cyberspace Administration of China (CAC) announced the commencement of an in-house effort to expedite blockchain development and innovation across 15 zones and 164 entities. The key areas of blockchain development include manufacturing, energy, government data sharing and services, law enforcement, taxation, criminal trials, inspection, copyright, civil affairs, human society, education, healthcare, trade finance, risk control management, equity market and cross-border finance. Despite a strong stance against crypto adoption, the Chinese government continues to show interest in related ecosystems including blockchain and nonfungible tokens (NFT).
Target shares its own web skimming detection tool Merry Maker with the world
Web skimming, sometimes referred to as Magecart attacks, has become the leading cause of card-not-present (CNP) fraud and has impacted small and big brands alike, as well as different types of ecommerce platforms. As one of the world’s top online retailers, Target started looking for solutions a few years ago to combat this threat and keep its own customers protected while shopping on its platform. Since there were no ready-made detection tools for such attacks at the time, two of the company’s security engineers decided to develop their own. After being in active use on Target.com for over three years, the company’s client-side scanner has now been released as an open-source project dubbed Merry Maker.
Thanks to our episode sponsor, Pentera
Cyber attack disrupts German oil firm operations
On Tuesday, two German oil storage and logistics firms, Oiltanking GmbH Group and Mabanaft Group, indicated they are investigating a cyber-incident that occurred this past Saturday. The head of Germany’s IT security agency, Arne Schoenbohm, indicated that 233 German gas stations were affected by the incident, inhibiting their ability to change gas prices or accept credit card payments from customers and forcing some affected stations to accept cash payments only. The companies have hired computer forensic specialists to investigate the incident, which, according to industry officials, did not pose a threat to the country’s overall fuel supplies.
DeFi platform hacked for $80 million
In an incident report, Qubit Finance disclosed that malicious actors exploited a security flaw within the smart contract code of the company’s blockchain, allowing the attackers to withdraw the equivalent of $80 million in Binance Coin without depositing anything. Qubit usually acts as a settlement processing provider between various blockchain providers, letting people withdraw a different cryptocurrency than they deposited. The company is now offering the hackers a $250,000 bug bounty to encourage them to return the funds.
Data leak exposes IDs of airport security workers
A team of researchers recently discovered a misconfigured Amazon Web Services S3 bucket belonging to Swedish security giant Securitas, which was left wide open with no authentication required to view its contents. The researchers found 3TB of personally identifiable information (PII) belonging to employees of Securitas and at least four airports across Peru (Aeropuerto Internacional Jorge Chávez) and Colombia (El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport), dating back to November 2018. After being notified by the researchers on October 28, 2021, Securitas secured the bucket on November 2.
Hacker claims responsibility for North Korean internet disruptions
Researchers looking at internet traffic from North Korea have noted that the country has been experiencing significant internet connectivity issues for the past two weeks, with virtually all websites taken offline at times. The hacker known as P4x is taking responsibility for the disruption, saying it is in response to a North Korean campaign targeting security researchers last year, and out of frustration over the lack of a government response to that incident. P4x found numerous documented vulnerabilities left unpatched on North Korean systems and launched a denial-of-service attack against the nation-state. While leaving out specifics so as not to aid North Korean remediation, he points to “ancient” versions of Apache running in the country. P4x compared his operation to “the size of a small-to-medium pentest,” running automated scripts to look for online systems with known vulnerabilities. P4x said he intends to actually hack into North Korean systems to steal and share information.
(Wired)
MFA adoption pushes phishing actors to reverse-proxy solutions
The increasing use of MFA has pushed phishing actors to use transparent reverse proxy solutions, and to meet this rising demand, reverse proxy phish kits are being made available. A reverse proxy is a server that sits between the Internet user and web servers behind a firewall. The reverse proxy forwards visitors’ requests to the appropriate servers and sends back the resulting response. This allows a web server to serve requests without making itself directly available on the Internet. As detailed in a report published yesterday by Proofpoint, new phishing kits have emerged that offer templates to create convincing login web pages that mimic popular sites. These newer kits are more advanced because they now integrate an MFA-snatching system, which enables threat actors to steal login credentials and the MFA codes that would normally protect the account. One way to tackle the problem is to identify the man-in-the-middle pages used in these attacks. However, as the findings of a recent study have shown, only about half of those are blocklisted at any given time. The constant refresh of domains and IP addresses used for reverse proxy attacks reduces the effectiveness of blocklists, as most of these last between 24 and 72 hours. As such, the only method that may fight the problem is to add client-side TLS fingerprinting, which could help identify and filter MITM requests.
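To make the TLS fingerprinting idea in that last sentence concrete, here is an added example (not code from the Proofpoint report or from this show) of a JA3-style check a web service could run on its own login endpoint. A transparent reverse proxy terminates the victim’s TLS session and opens its own TLS connection to the real site, so the ClientHello the real site sees comes from the proxy’s TLS library rather than from the browser named in the User-Agent header. The check below builds the JA3 string from ClientHello fields, hashes it, and reports a mismatch when the fingerprint is not one known for the claimed browser. The browser name “ExampleBrowser”, the ClientHello values and the allow-table are all constructed for illustration; real deployments would populate the table from observed traffic.

```python
"""JA3-style TLS fingerprint consistency check (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) look like 0x?a?a with equal high and low bytes."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


@dataclass
class ClientHello:
    version: int               # legacy_version, e.g. 771 = TLS 1.2
    ciphers: List[int]         # cipher suite ids in the order offered
    extensions: List[int]      # extension type ids in the order sent
    curves: List[int]          # supported_groups extension values
    point_formats: List[int]   # ec_point_formats extension values


def ja3_string(hello: ClientHello) -> str:
    """Build the JA3 string: version,ciphers,extensions,curves,point_formats.

    Within a field values are joined with '-'; GREASE values are dropped,
    as the JA3 definition requires, so random GREASE choices do not change
    the fingerprint between connections.
    """
    def join(values: List[int]) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([
        str(hello.version),
        join(hello.ciphers),
        join(hello.extensions),
        join(hello.curves),
        join(hello.point_formats),
    ])


def ja3_hash(hello: ClientHello) -> str:
    """JA3 fingerprint: MD5 of the JA3 string (MD5 is used only as an identifier)."""
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


# Constructed "known good" ClientHello for a hypothetical browser family.
BROWSER_HELLO = ClientHello(
    version=771,
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195],        # first entry is GREASE
    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[0x2A2A, 29, 23, 24],                       # first entry is GREASE
    point_formats=[0],
)

# Constructed ClientHello as a generic proxy TLS library might send it:
# same protocol version, but different suite order and extension set.
PROXY_HELLO = ClientHello(
    version=771,
    ciphers=[4866, 4867, 4865, 49196, 49200],
    extensions=[0, 11, 10, 35, 22, 23, 13, 43, 45, 51],
    curves=[29, 23, 30, 25, 24],
    point_formats=[0],
)

# Allow-table: User-Agent product token -> JA3 hashes observed from that browser.
# Built from constructed data here; a real table comes from baselining traffic.
KNOWN_FINGERPRINTS = {"ExampleBrowser": {ja3_hash(BROWSER_HELLO)}}


def ua_family(user_agent: str) -> Optional[str]:
    """Map a User-Agent header to a family in the allow-table, if any."""
    for family in KNOWN_FINGERPRINTS:
        if family in user_agent:
            return family
    return None


def assess_request(hello: ClientHello, user_agent: str) -> str:
    """Return 'consistent', 'mismatch' or 'unknown-ua' for one request.

    'mismatch' means the TLS stack does not look like the browser the
    request claims to be, which is what a reverse-proxy MITM produces.
    """
    family = ua_family(user_agent)
    if family is None:
        return "unknown-ua"
    if ja3_hash(hello) in KNOWN_FINGERPRINTS[family]:
        return "consistent"
    return "mismatch"


if __name__ == "__main__":
    claimed = "Mozilla/5.0 ExampleBrowser/98.0"
    print(ja3_string(BROWSER_HELLO))
    print("direct browser:", assess_request(BROWSER_HELLO, claimed))
    print("via proxy kit: ", assess_request(PROXY_HELLO, claimed))
```

A mismatch on its own is a signal, not proof: corporate TLS-inspecting gateways and some privacy proxies produce the same pattern, so the verdict is best used to step up verification on the login flow (or to feed a blocklist that, as the segment notes, ages out within days) rather than to block outright.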