Threat Actors Use Sitting Ducks Technique to Hijack Thousands of Domains

Threat actors continue to employ the “Sitting Ducks” technique to hijack legitimate domains for phishing and investment fraud. Analysts reported nearly 800,000 vulnerable domains over a three-month period, about 9 percent of which were subsequently hijacked. The technique exploits a Domain Name System (DNS) misconfiguration known as a lame delegation: the domain’s registrar record delegates authoritative DNS to a provider that no longer hosts a zone for the domain, and if that provider lets any customer create the missing zone, an attacker can take control of the domain’s DNS without ever touching the owner’s registrar account.
Image Source: The Hacker News
Detection of these hijacks is challenging due to the reputable status of the affected domains, which include well-known brands and non-profits. Additionally, rotational hijacking occurs when different threat actors repeatedly take control of the same domain, often leveraging free DNS services for short-term use. These hijacked domains facilitate various malicious activities, including malware distribution and credential theft, while remaining largely undetected by security vendors.
Prominent threat actors using the Sitting Ducks technique include:
Vacant Viper: used to operate the 404 TDS, run malicious spam operations, deliver porn, establish command-and-control (C2), and drop malware such as DarkGate and AsyncRAT.
Horrid Hawk: used to conduct investment fraud schemes by distributing the hijacked domains via Facebook ads.
Hasty Hawk: used to conduct widespread phishing campaigns that primarily mimic DHL shipping pages and fake donation sites.
Recommendations
These attacks are prevented by keeping registrar and DNS provider configuration consistent: every nameserver delegated at the registrar must belong to a provider where you hold an active, authoritative zone for the domain. Periodically compare the NS set published at the registrar against the zones you actually host, remove delegations to providers you no longer use, and verify that each delegated nameserver answers authoritatively for the domain (a REFUSED or SERVFAIL reply is the lame delegation an attacker can claim). Where possible, choose DNS providers that verify domain ownership before allowing a zone to be created.
WordPress website administrators are encouraged to carefully inspect website and event logs for signs of infection.
Regularly monitor and check for backdoor code, and the addition or alteration of any admin accounts.
Keep all website themes, plugins, and other software up to date, remove unused plugins and themes, and utilize a WAF.
Inspect, clean, and protect all websites hosted under the same server account. Isolate important websites with separate server accounts to prevent malware propagation from adjacent websites.
Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
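The delegation check described in the recommendations, as an added example that is not part of the original bulletin. The offline part classifies per-nameserver probe results (constructed sample data, with placeholder .test domains and nameservers); probe_live() shows how the same results would be gathered with dnspython and is the only part that needs network access. Whether a given provider actually lets a stranger create the missing zone cannot be determined from DNS alone and still has to be checked against the provider’s sign-up process.

```python
"""Lame-delegation triage for 'Sitting Ducks' exposure (added example).

A domain is exposed when the nameservers delegated at the registrar belong to
a DNS provider that no longer serves an authoritative zone for it, so those
servers answer REFUSED/SERVFAIL or a non-authoritative NOERROR to an SOA query.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NsProbe:
    """Result of asking one delegated nameserver for the zone's SOA record."""
    nameserver: str
    rcode: str   # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN" or "TIMEOUT"
    aa: bool     # Authoritative Answer flag set on the response


def classify_delegation(domain, probes):
    """Return (status, findings) for one domain's delegated nameservers.

    status: "ok", "partial" (some NS lame), "lame" (every NS lame) or
    "no-delegation" (the parent publishes no NS records at all).
    """
    if not probes:
        return "no-delegation", [f"{domain}: no NS records at the parent"]
    findings = []
    for p in probes:
        # A healthy delegation answers SOA with NOERROR and AA=1. Anything else
        # means the delegation still points at this provider but nobody holds
        # the zone there, which is exactly what an attacker can claim.
        if p.rcode != "NOERROR":
            findings.append(f"{domain}: {p.nameserver} answered {p.rcode}")
        elif not p.aa:
            findings.append(f"{domain}: {p.nameserver} answered non-authoritatively")
    if len(findings) == len(probes):
        return "lame", findings
    if findings:
        return "partial", findings
    return "ok", []


def probe_live(domain, timeout=3.0):
    """Gather NsProbe results over the network with dnspython (pip install dnspython).

    Assumption: outbound UDP/53 is allowed. Not exercised by the offline demo.
    """
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver

    probes = []
    try:
        ns_rrset = dns.resolver.resolve(domain, "NS")
    except dns.exception.DNSException:
        return probes  # no delegation visible at all
    for ns in ns_rrset:
        ns_name = ns.target.to_text()
        try:
            ip = next(iter(dns.resolver.resolve(ns_name, "A"))).to_text()
            query = dns.message.make_query(domain, dns.rdatatype.SOA)
            reply = dns.query.udp(query, ip, timeout=timeout)
            probes.append(NsProbe(ns_name, dns.rcode.to_text(reply.rcode()),
                                  bool(reply.flags & dns.flags.AA)))
        except dns.exception.DNSException:
            # Timeout or the nameserver itself no longer resolves: treat as lame.
            probes.append(NsProbe(ns_name, "TIMEOUT", False))
    return probes


# Constructed sample (placeholder names, not real measurements).
SAMPLE_PROBES = {
    "brand-example.test": [                      # healthy delegation
        NsProbe("ns1.provider-a.test", "NOERROR", True),
        NsProbe("ns2.provider-a.test", "NOERROR", True),
    ],
    "old-campaign.test": [                       # zone deleted at provider B
        NsProbe("ns1.provider-b.test", "REFUSED", False),
        NsProbe("ns2.provider-b.test", "SERVFAIL", False),
    ],
    "migrated.test": [                           # one stale NS left behind
        NsProbe("ns1.provider-a.test", "NOERROR", True),
        NsProbe("ns9.provider-b.test", "REFUSED", False),
    ],
}


def triage(samples):
    """Map each domain to its delegation status."""
    return {dom: classify_delegation(dom, probes)[0] for dom, probes in samples.items()}


if __name__ == "__main__":
    for dom, status in triage(SAMPLE_PROBES).items():
        print(f"{dom:22} {status}")
```

A "partial" result deserves the same urgency as "lame": the stale nameserver still receives a share of resolver traffic, so whoever claims the zone at that provider answers a fraction of queries for the domain.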

Volt Typhoon Reestablishes the KV Botnet, Rapidly Compromising Devices

Analysts recently identified the resurgence of the KV botnet, an operational relay box (ORB) network associated with the Chinese APT group Volt Typhoon. Their modus operandi involves compromising outdated and end-of-life (EOL) SOHO networking devices like Cisco RV320/325 and Netgear ProSafe routers to rebuild the KV botnet. An ORB network is a proxy infrastructure composed of virtual private servers (VPS) or compromised devices that allow adversaries to relay communications and obfuscate detection while bypassing geofencing measures for defense evasion. The KV-Botnet may also be referred to as the ‘JDYFJ Botnet’ due to a unique self-signed SSL certificate named JDYFJ. Recent observations indicate a resurgence in scanning activity, which poses a significant threat to critical infrastructure.
Analysts also detected Volt Typhoon using Mirai-like malware compiled for the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture, together with web shells, to establish covert connections and relay traffic through port forwarding on port 8433. MIPS-based malware specifically targets devices built on 32-bit MIPS processors, such as routers and Internet of Things (IoT) devices. Web shells such as fy.sh are planted on the routers, allowing the threat actor to maintain persistent access and remote control.
Researchers noted that Volt Typhoon compromised roughly 30 percent of all internet-exposed devices in just 37 days; however, how the devices were breached remains unknown. Additionally, Volt Typhoon was recently observed using a compromised VPN device located on the Pacific Island of New Caledonia as a bridge that functions as a discreet hub, routing traffic between Asia-Pacific and America.
Recommendations
Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
Keep systems up to date and apply patches after appropriate testing. Replace end-of-life SOHO routers and other EOL network devices, since they will never receive patches for the vulnerabilities being exploited. Use strong, unique passwords and enable multi-factor authentication (MFA) for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments. Perform scheduled backups regularly, keeping an updated copy offline in a separate and secure location and testing it regularly.
Ingest IOCs into endpoint security solutions and consider leveraging behavior-based detection tools rather than signature-based tools.
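A hunt over TLS connection records for the two indicators named above (a self-signed certificate naming JDYFJ, and relaying over port 8433), as an added example that is not part of the original bulletin. It assumes Zeek-style JSON ssl.log lines that still carry the leaf certificate’s subject and issuer (newer Zeek versions move those fields to x509.log, so join on cert_chain_fuids there); the log lines are constructed and the IP addresses are documentation ranges.

```python
"""Hunt KV-botnet style TLS beacons in Zeek-style ssl.log JSON (added example)."""
import json

INDICATOR_CN = "JDYFJ"     # self-signed certificate name reported for the KV botnet
INDICATOR_PORT = 8433      # port-forwarding port reported in the same activity


def _cn(dn):
    """Extract the CN= component from a Zeek-formatted DN such as 'CN=JDYFJ,O=x'."""
    for part in (dn or "").split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return ""


def score_record(rec):
    """Return the reasons one ssl.log record looks like a KV beacon (empty if none)."""
    reasons = []
    subject, issuer = rec.get("subject"), rec.get("issuer")
    self_signed = bool(subject) and subject == issuer
    if self_signed and INDICATOR_CN in _cn(subject).upper():
        reasons.append(f"self-signed cert CN={_cn(subject)}")
    if rec.get("id.resp_p") == INDICATOR_PORT:
        reason = f"TLS to nonstandard port {INDICATOR_PORT}"
        if self_signed:
            reason += " with self-signed cert"
        reasons.append(reason)
    return reasons


def hunt(lines):
    """Parse JSON lines, skip malformed ones, return [(orig_h, resp_h, resp_p, reasons)]."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a Zeek record; ignore rather than abort the hunt
        reasons = score_record(rec)
        if reasons:
            hits.append((rec.get("id.orig_h"), rec.get("id.resp_h"), rec.get("id.resp_p"), reasons))
    return hits


# Constructed sample log: one benign session, three suspicious ones, one junk line.
SAMPLE_SSL_LOG = """
{"ts":1731000000.1,"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"198.51.100.10","id.resp_p":443,"server_name":"www.example.com","subject":"CN=www.example.com","issuer":"CN=Example Root CA,O=Example"}
{"ts":1731000001.2,"id.orig_h":"192.168.1.1","id.orig_p":40001,"id.resp_h":"203.0.113.10","id.resp_p":8433,"server_name":"-","subject":"CN=JDYFJ","issuer":"CN=JDYFJ"}
{"ts":1731000002.3,"id.orig_h":"10.0.0.7","id.orig_p":40002,"id.resp_h":"203.0.113.11","id.resp_p":443,"server_name":"-","subject":"CN=JDYFJ,O=none","issuer":"CN=JDYFJ,O=none"}
{"ts":1731000003.4,"id.orig_h":"10.0.0.8","id.orig_p":40003,"id.resp_h":"203.0.113.12","id.resp_p":8433,"server_name":"-","subject":"CN=router","issuer":"CN=router"}
this line is not json and is skipped
"""


if __name__ == "__main__":
    for orig_h, resp_h, resp_p, reasons in hunt(SAMPLE_SSL_LOG.splitlines()):
        print(f"{orig_h} -> {resp_h}:{resp_p}  {'; '.join(reasons)}")
```

The router at 192.168.1.1 in the sample trips both indicators; the port-only hit for 10.0.0.8 is the kind of lead worth triaging against the device inventory, because a SOHO router initiating outbound TLS to an unusual port on its own is already anomalous.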

’Tis the Season for Infostealing

Image Source: BleepingComputer
Threat actors actively seek methods to conceal their identities in information-stealing campaigns, aiming to lure individuals into downloading malicious software or revealing sensitive information. One recent campaign infects Windows devices with Lumma Stealer and macOS devices with the AMOS infostealer. Both infostealers can steal cookies, credentials, cryptocurrency wallets, credit cards, and browser history from many popular browsers. In this campaign, the threat actors promote an AI video and image editor on X, promising 25 free uses a day. Upon clicking the ad, users are redirected to a professional-looking website that leads them to download a disguised copy of either Lumma Stealer or AMOS.
Image Source: Bitdefender
A second campaign impersonates a popular and trusted password manager, Bitwarden. Threat actors are using Facebook to share advertisements alerting users that their Bitwarden browser extension is outdated and warning them that their saved passwords are at risk. The advertisement directs users to a page imitating the official Chrome Web Store, using the domain chromewebstoredownload[.]com to avoid suspicion. Unlike the official web store, the page directs users to download a ZIP file from a Google Drive link, enable Developer Mode in their browser’s extension settings, and manually load the unpacked extension. Once installed, the malicious extension collects Facebook cookies, user details, account information, and billing data.
Image Source: EclecticIQ
A final infostealing campaign targets users searching for Black Friday sales. First spotted in October, this campaign imitates well-known brands, like L.L. Bean, Wayfair, The North Face, Bath & Body Works, and IKEA. These imitation websites are well crafted and offer steep discounts to lure potential victims into providing their credit card information. The domains for these impersonated sites often include “blackfriday,” and utilize the top-level domains (TLDs), “.shop,” “.vip,” “.store,” and “.top.” These websites use Stripe as the payment processor to add a sense of legitimacy, though it does not prevent the threat actors from stealing entered payment information. If payment information is entered into these malicious websites, threat actors can steal both the payment and card details.
Recommendations
Avoid clicking on ads, social media links, and promoted search results. Users should only submit account credentials and payment information on official websites. Users are advised to only download applications from official sources. Users who downloaded the affected apps are urged to uninstall them promptly. Credentials used to log into malicious apps should immediately be changed.
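A way to find the side-loaded extension the Bitwarden lure produces, as an added example that is not part of the original bulletin. The campaign depends on the victim enabling Developer Mode and loading an unpacked extension, which never passes through the Web Store. Chrome records every installed extension under extensions.settings in the profile’s Preferences JSON (on Windows the same keys live in Secure Preferences); an unpacked extension carries location 4, from_webstore false and an absolute path. The profile below is constructed and the extension IDs are placeholders; the default profile paths are assumptions for a stock install.

```python
"""Audit a Chrome/Chromium profile for side-loaded (unpacked) extensions (added example)."""
import json
import os
import re
import sys

LOCATION_UNPACKED = 4     # Chrome's kUnpacked: loaded via Developer Mode "Load unpacked"
LOCATION_COMPONENT = 5    # browser-bundled components, never user-installed
ABS_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")   # POSIX or Windows absolute path


def default_preferences_paths():
    """Where a live audit would look (assumed stock install paths, Default profile)."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        base = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data", "Default")
        return [os.path.join(base, "Secure Preferences"), os.path.join(base, "Preferences")]
    if sys.platform == "darwin":
        return [os.path.join(home, "Library", "Application Support", "Google", "Chrome", "Default", "Preferences")]
    return [os.path.join(home, ".config", "google-chrome", "Default", "Preferences")]


def audit_extensions(prefs):
    """Return [(ext_id, name, reasons)] for extensions that did not come from the Web Store."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, ext in settings.items():
        if ext.get("location") == LOCATION_COMPONENT:
            continue  # built-in component, not something a user could side-load
        reasons = []
        if ext.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked via Developer Mode")
        if ext.get("from_webstore") is False:
            reasons.append("not installed from the Chrome Web Store")
        path = ext.get("path", "")
        # Web Store installs live at a relative "<id>/<version>_0" path under the
        # profile; an unpacked extension runs straight from wherever it was unzipped.
        if ABS_PATH.match(path):
            reasons.append(f"runs from arbitrary path {path}")
        if reasons:
            findings.append((ext_id, ext.get("manifest", {}).get("name", "?"), reasons))
    return findings


def audit_profile(paths):
    """Load the first readable Preferences file from paths and audit it."""
    for p in paths:
        try:
            with open(p, encoding="utf-8") as fh:
                return audit_extensions(json.load(fh))
        except (OSError, json.JSONDecodeError):
            continue
    return []


# Constructed sample profile; extension IDs are placeholders, not real Web Store IDs.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "location": 1, "from_webstore": True,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\2024.10.0_0",
        "manifest": {"name": "Bitwarden Password Manager", "version": "2024.10.0"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "location": 4, "from_webstore": False,
        "path": "C:\\Users\\victim\\Downloads\\bitwarden-update",
        "manifest": {"name": "Bitwarden Password Manager", "version": "2024.11.0"}},
    "cccccccccccccccccccccccccccccccc": {
        "location": 5, "from_webstore": False,
        "manifest": {"name": "Chrome PDF Viewer"}},
}}}


if __name__ == "__main__":
    for ext_id, name, reasons in audit_extensions(SAMPLE_PREFS):
        print(f"{ext_id} {name!r}: {'; '.join(reasons)}")
```

The two "Bitwarden" entries have the same display name, which is the whole point of the lure; only the install metadata separates them. In a managed fleet the preventive control is the ExtensionSettings policy with an allowlist and `"*": {"installation_mode": "blocked"}`, which stops unpacked loads regardless of what the user clicks.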

Update on SVR Cyber Operations and Vulnerability Exploitation

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) released this Joint Cybersecurity Advisory to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats.
Since at least 2021, Russian SVR cyber threat actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the Defense Industrial Base, Information Technology, and Financial Services sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
The authoring agencies are releasing this advisory to warn network defenders that SVR cyber threat actors are highly capable of and interested in exploiting software vulnerabilities for initial access and escalation of privileges. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs, such as spearphishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living-off-the-land (LOTL) techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.

CISA: Avoid Scams After Disaster Strikes

As hurricanes and other natural disasters occur, CISA urges individuals to remain on alert for potential malicious cyber activity. Fraudulent emails and social media messages—often containing malicious links or attachments—are common after major natural disasters. Exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events. Before responding, ensure hurricane-related guidance is from trusted sources, such as local officials and disaster response organizations, including Federal Emergency Management Agency (FEMA) and DHS’s Ready.gov.

CISA encourages users to review the following resources to avoid falling victim to malicious cyber activity: 

GorillaBot Pounds Its Chest After Unleashing Over 300,000 DDOS Attacks

Image Source: NSFOCUS
The newest threat to emerge from Mirai’s leaked source code has made itself known in a big way. The botnet, dubbed GorillaBot, issued over 300,000 attack commands across 113 countries from September 4 to September 27, with China (20 percent), the United States (19 percent), and Canada (16 percent) as the most targeted countries. These attacks involved over 20,000 organizations worldwide, including almost 4,000 organizations in the United States. At its peak, over 20,000 commands were issued within 24 hours, demonstrating a consistent and substantial flow of commands.
Image Source: NSFOCUS
GorillaBot utilizes several different attack methods but favors UDP Flood attacks, followed by ACK Bypass Flood attacks and Valve Source Engine (VSE) Flood attacks. Using the same process as the original Mirai, GorillaBot randomly selects one of five C2 servers to establish a connection and receive commands. GorillaBot supports 19 different distributed denial-of-service (DDOS) attack vectors and encrypts its key strings with the same encryption routines the Keksec threat group commonly uses. An exploit named “yarn_init” is built into the code; it targets a vulnerability in the Hadoop YARN RPC interface that allows remote code execution without authentication. To maintain persistence, GorillaBot writes a “custom.service” unit file into the /etc/systemd/system directory and enables it to run automatically at boot. The bot also checks whether the /proc file system exists on the infected device and whether the system is a honeypot.
Recommendations
Monitor network traffic, checking for any abnormal increases that could indicate the beginning of a DDOS attack. Regularly check for and remediate exploitable security flaws and vulnerabilities. Distribute servers and critical data in multiple data centers to ensure they are on different networks with diverse paths. Keep all devices patched with the latest security updates.
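A host-side check for the persistence mechanism described above, as an added example that is not part of the original bulletin. It scans a systemd unit directory and flags units whose file name matches the reported indicator (custom.service) or whose ExecStart launches from a location a packaged service never uses (/tmp, /var/tmp, /dev/shm, home directories, or a hidden path component). The unit files in the demo are constructed in a temporary directory so the script runs offline; against a real host point scan_units() at /etc/systemd/system.

```python
"""Scan systemd unit files for GorillaBot-style persistence (added example)."""
import os
import re
import tempfile

SUSPECT_NAMES = {"custom.service"}                       # indicator named in the report
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")               # any "/.something" path element


def parse_unit(text):
    """Minimal unit-file parser: {section: {key: [values...]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_path(value):
    """Executable path from an ExecStart value, dropping systemd's -, @, +, !, : prefixes."""
    tokens = value.split()
    return tokens[0].lstrip("-@+!:") if tokens else ""


def inspect_unit(name, text):
    """Return the reasons a unit looks suspicious (empty list if benign)."""
    reasons = []
    if name in SUSPECT_NAMES:
        reasons.append("unit name matches known indicator")
    unit = parse_unit(text)
    for value in unit.get("Service", {}).get("ExecStart", []):
        path = exec_path(value)
        if path.startswith(SUSPECT_PREFIXES):
            reasons.append(f"ExecStart runs from {path}")
        elif HIDDEN_COMPONENT.search(path):
            reasons.append(f"ExecStart uses hidden path {path}")
    return reasons


def scan_units(unit_dir):
    """Scan one unit directory; returns [(unit_name, reasons)] for flagged units, sorted by name."""
    findings = []
    for fname in sorted(os.listdir(unit_dir)):
        if not fname.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, fname), encoding="utf-8", errors="replace") as fh:
            reasons = inspect_unit(fname, fh.read())
        if reasons:
            findings.append((fname, reasons))
    return findings


def build_sample_dir():
    """Constructed sample units (not real captures): benign, GorillaBot-like, and odd-but-clean."""
    d = tempfile.mkdtemp(prefix="units-")
    samples = {
        "sshd.service": "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n"
                        "[Install]\nWantedBy=multi-user.target\n",
        "custom.service": "[Service]\nExecStart=/tmp/.x/gorilla\nRestart=always\n"
                          "[Install]\nWantedBy=multi-user.target\n",
        "backup.service": "[Unit]\nDescription=Nightly backup\n[Service]\n"
                          "ExecStart=-/usr/local/bin/backup.sh\n",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for unit, reasons in scan_units(build_sample_dir()):
        print(f"{unit}: {'; '.join(reasons)}")
```

Because the bot enables the unit, a second look at /etc/systemd/system/multi-user.target.wants/ for symlinks into the flagged units, and at the ownership and mtime of the unit file itself, usually settles whether the hit is real before anything is removed.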

Review the DDOS Attack Types and Mitigation Strategies
NJCCIC Product for more information on DDOS attacks.
Read more about IoT Devices and best practices in the IoT Device Security and Privacy NJCCIC product.

DPRK Delivers Updated BeaverTail Malware to Job Seekers

Analysts recently identified a new iteration of BeaverTail malware associated with the CL-STA-240 Contagious Interview campaign, first discovered in November 2023. The threat actors, associated with the Democratic People’s Republic of Korea (DPRK), pose as prospective employers and target individuals seeking employment within the Information Technology sector through popular job search platforms such as LinkedIn and X. The threat actors then attempt to convince the victims to participate in online interviews to trick them into downloading and installing malware.
Profile of a fake recruiter on X. Image Source: Unit 42
This new BeaverTail variant was detected as early as July 2024. It was written in Qt rather than JavaScript, allowing threat actors to create cross-platform applications for Windows and macOS simultaneously. The updated malware has expanded to target 13 distinct cryptocurrency wallet browser extensions. Other updated features enable password theft in macOS and the theft of cryptocurrency wallets in macOS and Windows. These changes align with the ongoing financial interests of North Korean threat actors.
Once installed, BeaverTail runs in the background and forwards stolen sensitive data to the command and control (C2) server. After exfiltration, BeaverTail attempts to download a Python runtime from hxxp://<c2_server>:1224/pdown, since InvisibleFerret is written in Python and needs an interpreter to run on each operating system. The first stage of InvisibleFerret is then downloaded from hxxp://<c2_server>:1224/client/<campaign_id>.
InvisibleFerret components infographic. Image Source: Unit 42
The attack ends with the delivery of the InvisibleFerret backdoor, which can be used for keylogging, file exfiltration, and downloading remote control software such as AnyDesk. If the malware is successfully downloaded, this campaign could potentially compromise prospective companies that may hire the targeted job seekers, leading to the extraction and exfiltration of sensitive data.
Recommendations
Educate yourself and others about these and similar scams. Refrain from clicking on links and attachments delivered via emails or social media messages. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Confirm the legitimacy of requests by contacting the careers section of a company’s official website or by calling the company’s human resources department to verify if the job offer is legitimate. 

Report malicious cyber activity to the FTC and the FBI’s IC3.

Free Training: Defend Against Threats with Extended Detection and Response training day

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management. You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel.
  • Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time.
  • Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions.

Join us at an upcoming Defend Against Threats with Extended Detection and Response event:
October 29, 2024
11:00 AM – 2:15 PM | (GMT-05:00) Central Time​ US & Canada
12:00 PM – 3:15 PM | (GMT-04:00) Eastern Time US & Canada
10:00 AM – 1:15 PM | (GMT-06:00) Mountain Time​ US & Canada
9:00 AM – 12:15 PM | (GMT-07:00) Pacific Time US & Canada


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >
 

NIST small business cybersecurity webinar

Event Date: October 23, 2024

Event Time: 2:00PM – 3:00PM EDT

Event Location: Virtual

Description:

Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.

For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?

During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:

  • Current guidance and leading-practices for multi-factor authentication (MFA), including phishing-resistant MFA.
  • Identity and Access Management approaches to consider as your business grows.
  • How identity and access management is covered in the NIST Cybersecurity Framework 2.0.

Speakers:

  • Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST
  • Robert Thelen, CEO and Co-Founder, Rownd 
Register Here

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

  • Adobe produces software used for creating and publishing a wide variety of content, including graphics, photography, illustration, animation, multimedia, motion pictures, and print.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • Adobe Substance 3D Painter 10.0.1 and earlier versions
  • Adobe Commerce 2.4.7-p2 and earlier versions
  • Adobe Commerce 2.4.6-p7 and earlier versions
  • Adobe Commerce 2.4.5-p9 and earlier versions
  • Adobe Commerce 2.4.4-p10 and earlier versions
  • Adobe Commerce B2B 1.4.2-p2 and earlier versions
  • Adobe Commerce B2B 1.3.5-p7 and earlier versions
  • Adobe Commerce B2B 1.3.4-p9 and earlier versions
  • Adobe Commerce B2B 1.3.3-p10 and earlier versions
  • Magento Open Source 2.4.7-p2 and earlier versions
  • Magento Open Source 2.4.6-p7 and earlier versions
  • Magento Open Source 2.4.5-p9 and earlier versions
  • Magento Open Source 2.4.4-p10 and earlier versions
  • Adobe Dimension 4.0.3 and earlier versions
  • Adobe Animate 2023 23.0.7 and earlier versions
  • Adobe Animate 2024 24.0.4 and earlier versions
  • Lightroom 7.4.1 and earlier versions
  • Lightroom Classic 13.5 and earlier versions
  • Lightroom Classic (LTS) 12.5.1 and earlier versions
  • Adobe InCopy 19.4 and earlier versions
  • Adobe InCopy 18.5.3 and earlier versions
  • Adobe InDesign ID19.4 and earlier versions
  • Adobe InDesign ID18.5.3 and earlier versions
  • Adobe Substance 3D Stager 3.0.3 and earlier versions
  • Adobe FrameMaker 2020 Release Update 6 and earlier versions
  • Adobe FrameMaker 2022 Release Update 4 and earlier versions

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows.

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203): 

Substance 3D Painter:

  • Out-of-bounds Read (CVE-2024-20787)

Adobe Commerce:

  • Improper Authentication (CVE-2024-45115, CVE-2024-45148)
  • Cross-site Scripting (Stored XSS) (CVE-2024-45116, CVE-2024-45123, CVE-2024-45127)
  • Improper Input Validation (CVE-2024-45117)
  • Improper Access Control (CVE-2024-45118, CVE-2024-45121, CVE-2024-45122, CVE-2024-45124, CVE-2024-45129, CVE-2024-45130, CVE-2024-45133, CVE-2024-45135, CVE-2024-45149)
  • Server-Side Request Forgery (SSRF) (CVE-2024-45119)
  • Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2024-45120)
  • Incorrect Authorization (CVE-2024-45125)
  • Improper Authorization (CVE-2024-45128, CVE-2024-45131, CVE-2024-45132)
  • Information Exposure (CVE-2024-45134)

Adobe Dimension:

  • Use After Free (CVE-2024-45146)
  • Out-of-bounds Write (CVE-2024-45150)

Adobe Animate:

  • Stack-based Buffer Overflow (CVE-2024-47410)
  • NULL Pointer Dereference (CVE-2024-47411)
  • Use After Free (CVE-2024-47412, CVE-2024-47413, CVE-2024-47414, CVE-2024-47415, CVE-2024-47418)
  • Integer Overflow or Wraparound (CVE-2024-47416)
  • Heap-based Buffer Overflow (CVE-2024-47417)
  • Out-of-bounds Read (CVE-2024-47419, CVE-2024-47420)

Adobe Lightroom:

  • Out-of-bounds Read (CVE-2024-45145)

Adobe InCopy:

  • Unrestricted Upload of File with Dangerous Type (CVE-2024-45136)

Adobe InDesign:

  • Unrestricted Upload of File with Dangerous Type (CVE-2024-45137)

Substance 3D Stager:

  • Use After Free (CVE-2024-45138)
  • Heap-based Buffer Overflow (CVE-2024-45139, CVE-2024-45143)
  • Out-of-bounds Write (CVE-2024-45140, CVE-2024-45141, CVE-2024-45144, CVE-2024-45152)
  • Write-what-where Condition (CVE-2024-45142)

Adobe FrameMaker:

  • Out-of-bounds Read (CVE-2024-47421)
  • Untrusted Search Path (CVE-2024-47422)
  • Unrestricted Upload of File with Dangerous Type (CVE-2024-47423)
  • Integer Overflow or Wraparound (CVE-2024-47424)
  • Integer Underflow (Wrap or Wraparound) (CVE-2024-47425)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/substance3d_painter/apsb24-52.html
https://helpx.adobe.com/security/products/magento/apsb24-73.html
https://helpx.adobe.com/security/products/dimension/apsb24-74.html
https://helpx.adobe.com/security/products/animate/apsb24-76.html
https://helpx.adobe.com/security/products/lightroom/apsb24-78.html
https://helpx.adobe.com/security/products/incopy/apsb24-79.html
https://helpx.adobe.com/security/products/indesign/apsb24-80.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html
https://helpx.adobe.com/security/products/framemaker/apsb24-82.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47413
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47425