NIST hosted the NIST Workshop on the Requirements for an Accordion Cipher Mode 2024 on June 20–21, 2024, at the National Cybersecurity Center of Excellence (NCCoE) in Rockville, Maryland. This workshop brought together leading experts, researchers, and practitioners from across the cybersecurity and cryptography fields to discuss the design, implementation, and potential use cases for an Accordion Cipher Mode.
This new Interagency Report (IR), NIST IR 8537, summarizes the feedback received from participants, key takeaways, insights shared during the event, and important considerations for future research and development in this area.
Threat actors continue to employ the “Sitting Ducks” technique to hijack legitimate domains for phishing and investment fraud. Analysts reported nearly 800,000 vulnerable domains in three months, with about 9 percent subsequently hijacked. This method exploits misconfigurations in Domain Name System (DNS) settings, allowing attackers to claim domains without access to the owner’s account.
Image Source: The Hacker News
Detection of these hijacks is challenging due to the reputable status of the affected domains, which include well-known brands and non-profits. Additionally, rotational hijacking occurs when different threat actors repeatedly take control of the same domain, often leveraging free DNS services for short-term use. These hijacked domains facilitate various malicious activities, including malware distribution and credential theft, while remaining largely undetected by security vendors.
Prominent threat actors using the Sitting Ducks technique include:
Vacant Viper: used to operate the 404 TDS, malicious spam operations, deliver porn, establish command-and-control (C2), and drop malware such as DarkGate and AsyncRAT.
Horrid Hawk: used to conduct investment fraud schemes by distributing the hijacked domains via Facebook ads.
Hasty Hawk: used to conduct widespread phishing campaigns that primarily mimic DHL shipping pages and fake donation sites.
Recommendations
These attacks can be prevented by ensuring the correct configurations are in place for the domain registrar and DNS providers.
WordPress website administrators are encouraged to carefully inspect website and event logs for signs of infection.
Regularly monitor and check for backdoor code, and the addition or alteration of any admin accounts.
Keep all website themes, plugins, and other software up to date, remove unused plugins and themes, and utilize a WAF.
Inspect, clean, and protect all websites hosted under the same server account.
Isolate important websites with separate server accounts to prevent malware propagation from adjacent websites.
Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
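The misconfiguration the article alludes to is, in the usual reading of Sitting Ducks, a delegation problem: the registrar's NS records point at a DNS provider that does not actually hold an authoritative zone for the domain, so whoever can create that zone at the provider controls the name. The following audit script is an added example (not from the newsletter or from any vendor report) that checks each delegated nameserver for exactly that condition. The `NsAnswer` shape, the `lame_nameservers`/`delegation_risk` names, and the canned `CONSTRUCTED_ANSWERS` are assumptions made for the example; the optional `live_query` backend uses dnspython if it is installed.

```python
"""Audit a domain's NS delegation for lame nameservers (a Sitting Ducks precondition).

Added example. ASSUMPTION drawn from the article: the registrar delegates the
zone to provider nameservers that do not host it. A healthy delegation means
every listed NS answers a SOA query for the domain with NOERROR and the AA bit.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class NsAnswer:
    rcode: str           # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN", ...
    authoritative: bool  # AA bit set in the response


# (nameserver, domain) -> answer, or None if the server did not respond
QueryFn = Callable[[str, str], Optional[NsAnswer]]


def lame_nameservers(domain: str, delegated_ns: List[str], query: QueryFn) -> Dict[str, str]:
    """Return {nameserver: reason} for every delegated NS that is not serving the zone."""
    findings: Dict[str, str] = {}
    for ns in delegated_ns:
        ans = query(ns, domain)
        if ans is None:
            findings[ns] = "no response (timeout)"
        elif ans.rcode in ("REFUSED", "SERVFAIL"):
            findings[ns] = f"{ans.rcode}: server does not host this zone"
        elif ans.rcode == "NXDOMAIN":
            findings[ns] = "NXDOMAIN: zone missing at this server"
        elif not ans.authoritative:
            findings[ns] = "NOERROR but not authoritative (recursive/forwarded answer)"
    return findings


def delegation_risk(domain: str, delegated_ns: List[str], query: QueryFn) -> str:
    """Summarize the delegation as 'ok', 'partially lame' or 'fully lame'."""
    lame = lame_nameservers(domain, delegated_ns, query)
    if not lame:
        return "ok"
    if len(lame) == len(delegated_ns):
        return "fully lame"
    return "partially lame"


# Constructed, offline query backend: canned answers for made-up names.
CONSTRUCTED_ANSWERS = {
    ("ns1.example-provider.test", "victim.example"): NsAnswer("REFUSED", False),
    ("ns2.example-provider.test", "victim.example"): NsAnswer("REFUSED", False),
    ("ns1.example-provider.test", "healthy.example"): NsAnswer("NOERROR", True),
    ("ns2.example-provider.test", "healthy.example"): NsAnswer("NOERROR", True),
}


def constructed_query(ns: str, domain: str) -> Optional[NsAnswer]:
    # Unknown pairs behave like a timeout so that path is exercised too.
    return CONSTRUCTED_ANSWERS.get((ns, domain))


def live_query(ns: str, domain: str) -> Optional[NsAnswer]:
    """Real backend (assumes dnspython is installed): SOA query straight at the NS."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver  # noqa: E401
    addr = dns.resolver.resolve(ns, "A")[0].to_text()
    req = dns.message.make_query(domain, "SOA")
    try:
        resp = dns.query.udp(req, addr, timeout=3)
    except Exception:
        return None
    return NsAnswer(dns.rcode.to_text(resp.rcode()), bool(resp.flags & dns.flags.AA))


if __name__ == "__main__":
    servers = ["ns1.example-provider.test", "ns2.example-provider.test"]
    for d in ("victim.example", "healthy.example"):
        print(d, delegation_risk(d, servers, constructed_query),
              lame_nameservers(d, servers, constructed_query))
```

Run it against your own zones by swapping `constructed_query` for `live_query` and feeding the NS set that the parent zone (not your own resolver) returns for the domain; a "fully lame" result on a name you still own is the condition to fix at the registrar or provider.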
Analysts recently identified the resurgence of the KV botnet, an operational relay box (ORB) network associated with the Chinese APT group Volt Typhoon. Their modus operandi involves compromising outdated and end-of-life (EOL) SOHO networking devices like Cisco RV320/325 and Netgear ProSafe routers to rebuild the KV botnet. An ORB network is a proxy infrastructure composed of virtual private servers (VPS) or compromised devices that allow adversaries to relay communications and obfuscate detection while bypassing geofencing measures for defense evasion. The KV-Botnet may also be referred to as the ‘JDYFJ Botnet’ due to a unique self-signed SSL certificate named JDYFJ. Recent observations indicate a resurgence in scanning activity, which poses a significant threat to critical infrastructure.
Analysts also detected Volt Typhoon using Microprocessor without Interlocked Pipelined Stages (MIPS)-based malware, similar to Mirai, and web shells targeting the MIPS architecture to establish covert connections and communicate through port forwarding via port 8433. MIPS-based malware specifically targets devices with 32-bit MIPS processors, such as routers and Internet of Things (IoT) devices. Web shells, such as fy.sh, are strategically implanted in routers, allowing the threat actor to maintain persistent access and remote control.
Researchers noted that Volt Typhoon compromised roughly 30 percent of all internet-exposed devices in just 37 days; however, how the devices were breached remains unknown. Additionally, Volt Typhoon was recently observed using a compromised VPN device located on the Pacific Island of New Caledonia as a bridge that functions as a discreet hub, routing traffic between Asia-Pacific and America.
Recommendations
Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
Keep systems up to date and apply patches after appropriate testing.
Use strong, unique passwords and enable multi-factor authentication (MFA) for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments.
Perform scheduled backups regularly, keeping an updated copy offline in a separate and secure location and testing it regularly.
Ingest IOCs into endpoint security solutions and consider leveraging behavior-based detection tools rather than signature-based tools.
Threat actors actively seek methods to conceal their identities in information-stealing campaigns, aiming to lure individuals into downloading malicious software or revealing sensitive information. One recent campaign infects Windows devices with Lumma Stealer and infects macOS devices with AMOS infostealing malware. Both infostealers can steal cookies, credentials, cryptocurrency wallets, credit cards, and browser history from many popular browsers. In this campaign, the threat actors promote an AI video and image editor using X, promising 25 free uses a day. Upon clicking the ad, users are redirected to a professional-looking website that leads users to download a disguised version of either Lumma Stealer or AMOS.
Image Source: Bitdefender
A second campaign impersonates a popular and trusted password manager, Bitwarden. Threat actors are using Facebook to share advertisements, alerting users that their Bitwarden browser extension is outdated and warning them that their saved passwords are at risk. The advertisement directs users to a page imitating the official Chrome Web Store, utilizing chromewebstoredownload[.]com as the domain to avoid suspicion. Unlike the official web store, users are directed to download a ZIP file from a Google Drive link, enable Developer Mode through their browser’s extension settings, and manually load the unpacked extension. Once installed, the malicious extension collects Facebook cookies, user details, account information, and billing data.
Image Source: EclecticIQ
A final infostealing campaign targets users searching for Black Friday sales. First spotted in October, this campaign imitates well-known brands, like L.L. Bean, Wayfair, The North Face, Bath & Body Works, and IKEA. These imitation websites are well crafted and offer steep discounts to lure potential victims into providing their credit card information. The domains for these impersonated sites often include “blackfriday,” and utilize the top-level domains (TLDs), “.shop,” “.vip,” “.store,” and “.top.” These websites use Stripe as the payment processor to add a sense of legitimacy, though it does not prevent the threat actors from stealing entered payment information. If payment information is entered into these malicious websites, threat actors can steal both the payment and card details.
Recommendations
Avoid clicking on ads, social media links, and promoted search results.
Users should only submit account credentials and payment information on official websites.
Users are advised to only download applications from official sources.
Users who downloaded the affected apps are urged to uninstall them promptly.
Credentials used to log into malicious apps should immediately be changed.
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) released this Joint Cybersecurity Advisory to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats.
Since at least 2021, Russian SVR cyber threat actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the Defense Industrial Base, Information Technology, and Financial Services sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
The authoring agencies are releasing this advisory to warn network defenders that SVR cyber threat actors are highly capable of and interested in exploiting software vulnerabilities for initial access and escalation of privileges. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs, such as spearphishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living-off-the-land (LOTL) techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.
As hurricanes and other natural disasters occur, CISA urges individuals to remain on alert for potential malicious cyber activity. Fraudulent emails and social media messages—often containing malicious links or attachments—are common after major natural disasters. Exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events. Before responding, ensure hurricane-related guidance is from trusted sources, such as local officials and disaster response organizations, including Federal Emergency Management Agency (FEMA) and DHS’s Ready.gov.
CISA encourages users to review the following resources to avoid falling victim to malicious cyber activity:
The newest threat to emerge from Mirai’s leaked source code has made itself known in a big way. The botnet, dubbed GorillaBot, issued over 300,000 attack commands across 113 countries from September 4 to September 27, with China (20 percent), the United States (19 percent), and Canada (16 percent) as the most targeted countries. These attacks involved over 20,000 organizations worldwide, including almost 4,000 organizations in the United States. At its peak, over 20,000 commands were issued over 24 hours, demonstrating a consistent and substantial flow of commands.
Image Source: NSFOCUS
GorillaBot utilizes several different attack methods but favors UDP Flood attacks, followed by ACK Bypass Flood attacks and Valve Source Engine (VSE) Flood attacks. Using the same process as the original Mirai, GorillaBot randomly selects one of five C2 servers to establish a connection and receive commands. GorillaBot employs 19 different distributed denial-of-service (DDoS) attack vectors and encryption algorithms, which the Keksec threat group often utilizes to encrypt key strings. An exploit named “yarn_init” is written into the code that uses a vulnerability in Hadoop YARN RPC that allows for remote code execution without authentication. To maintain persistence, GorillaBot writes the “custom.service” file into the /etc/systemd/system directory and sets it to run automatically upon system boot. There is also a check to determine whether the /proc file system exists on the infected device and whether the system is a honeypot.
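Because the persistence described above is an ordinary systemd unit enabled for boot, it leaves an artifact any host review can pick up: a unit file in /etc/systemd/system, enabled via a symlink in a `*.wants/` directory, whose ExecStart points somewhere a legitimate service would not. The audit below is an added example (not from the newsletter or NSFOCUS) that parses every `.service` file in a unit directory and reports such anomalies. The only page-supported details are the directory and the file name `custom.service`; the heuristics (`SUSPICIOUS_EXEC_DIRS`), the function names, and the sample units built by `build_sample_unit_dir` are assumptions made for the example.

```python
"""Audit a systemd unit directory for boot-persistence units worth a second look.

Added example. Page-supported facts: a unit file dropped into
/etc/systemd/system and enabled at boot. The heuristics and sample units are
assumptions chosen to illustrate a review of that directory.
"""
import configparser
import os
import tempfile
from pathlib import Path

# ASSUMPTION: directories from which no legitimate packaged service is launched.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/", "/home/")


def parse_exec_start(unit_text):
    """Return the ExecStart binary path, or None. Strips systemd's prefix chars (-@+!:)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(unit_text)
    if not cp.has_option("Service", "ExecStart"):
        return None
    cmd = cp.get("Service", "ExecStart").strip()
    return cmd.split()[0].lstrip("-@+!:") if cmd else None


def enabled_units(unit_dir):
    """Names of units symlinked into any <target>.wants/ directory, i.e. enabled for that target."""
    return {link.name for wants in Path(unit_dir).glob("*.wants") for link in wants.iterdir()}


def audit_unit_dir(unit_dir):
    """Return one finding dict per regular .service file: unit, exec, enabled, reasons."""
    unit_dir = Path(unit_dir)
    enabled = enabled_units(unit_dir)
    findings = []
    for unit in sorted(unit_dir.glob("*.service")):
        if unit.is_symlink():
            continue  # aliases/masks; the real file is audited on its own
        exe = parse_exec_start(unit.read_text(errors="replace"))
        reasons = []
        if exe is None:
            reasons.append("no ExecStart in [Service]")
        else:
            if exe.startswith(SUSPICIOUS_EXEC_DIRS):
                reasons.append(f"ExecStart in writable/temporary location: {exe}")
            if not os.path.isabs(exe):
                reasons.append(f"ExecStart is not an absolute path: {exe}")
            if "/." in exe:
                reasons.append(f"ExecStart uses a hidden path component: {exe}")
        findings.append({"unit": unit.name, "exec": exe,
                         "enabled": unit.name in enabled, "reasons": reasons})
    return findings


def build_sample_unit_dir(root):
    """Constructed sample: one benign unit and one that mirrors the described persistence."""
    root = Path(root)
    (root / "ssh.service").write_text(
        "[Unit]\nDescription=OpenBSD Secure Shell server\n\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D\n\n[Install]\nWantedBy=multi-user.target\n")
    # Constructed: file name from the article, ExecStart path is made up.
    (root / "custom.service").write_text(
        "[Unit]\nDescription=custom\n\n"
        "[Service]\nExecStart=/tmp/.gb/bot\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n")
    wants = root / "multi-user.target.wants"
    wants.mkdir()
    (wants / "custom.service").symlink_to(root / "custom.service")


def demo():
    """Build the constructed directory in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_unit_dir(tmp)
        return audit_unit_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        if f["reasons"]:
            print(f["unit"], "enabled" if f["enabled"] else "disabled", f["reasons"])
```

Run `audit_unit_dir("/etc/systemd/system")` on a real host for a quick triage pass; on a packaged system, cross-check anything it flags against the package manager's file ownership before treating it as persistence.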
Recommendations
Monitor network traffic, checking for any abnormal increases that could indicate the beginning of a DDoS attack.
Regularly check for and remediate exploitable security flaws and vulnerabilities.
Distribute servers and critical data in multiple data centers to ensure they are on different networks with diverse paths.
Keep all devices patched with the latest security updates.
Analysts recently identified a new iteration of BeaverTail malware associated with the CL-STA-240 Contagious Interview campaign, first discovered in November 2023. The threat actors, associated with the Democratic People’s Republic of Korea (DPRK), pose as prospective employers and target individuals seeking employment within the Information Technology sector through popular job search platforms such as LinkedIn and X. The threat actors then attempt to convince the victims to participate in online interviews to trick them into downloading and installing malware.
Profile of a fake recruiter on X. Image Source: Unit 42
This new BeaverTail variant was detected as early as July 2024. It was written in Qt rather than JavaScript, allowing threat actors to create cross-platform applications for Windows and macOS simultaneously. The updated malware has expanded to target 13 distinct cryptocurrency wallet browser extensions. Other updated features enable password theft in macOS and the theft of cryptocurrency wallets in macOS and Windows. These changes align with the ongoing financial interests of North Korean threat actors.
Once installed, BeaverTail runs in the background and forwards stolen sensitive data to the command and control (C2) server. After exfiltration, BeaverTail attempts to download the Python programming language from hxxp://<c2_server>:1224/pdown. Python is necessary for InvisibleFerret to function on different operating systems. The first stage of InvisibleFerret then downloads from hxxp://<c2_server>:1224/client/<campaign_id>.
InvisibleFerret components infographic. Image Source: Unit 42
The attack ends with the delivery of the InvisibleFerret backdoor, which can be used for keylogging, file exfiltration, and downloading remote control software such as AnyDesk. If the malware is successfully downloaded, this campaign could potentially compromise prospective companies that may hire the targeted job seekers, leading to the extraction and exfiltration of sensitive data.
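The staging chain described above has a network footprint a proxy can see: HTTP requests to the C2 on TCP port 1224, first to /pdown and then to /client/<campaign_id>. The scanner below is an added example (not from Unit 42 or the newsletter) that applies those two page-supported indicators to web-proxy logs, also flagging bare CONNECT tunnels to port 1224, where the path is not visible. The Squid-style log layout, the `LINE_RE`/`classify_url`/`scan` names, and every `SAMPLE_LOG` line (documentation IP ranges, made-up timestamps) are constructed for the example; adjust `parse_line` to your proxy's format.

```python
"""Flag proxy-log entries matching the BeaverTail -> InvisibleFerret staging pattern.

Added example. Page-supported indicators: C2 port 1224, path /pdown (Python
runtime download) and /client/<campaign_id> (InvisibleFerret stage one).
Log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed Squid-style access log:
# <ts> <elapsed> <client> <action/status> <bytes> <method> <url> <user> <hier/peer> <type>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

STAGING_PORT = 1224
STAGING_PATHS = re.compile(r"^/(pdown|client/[^/]+)/?$")


def parse_line(line):
    """Return the fields we need as a dict, or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_url(url):
    """Stage label for a plain-HTTP URL matching port + path, else None."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or u.port != STAGING_PORT:
        return None
    if not STAGING_PATHS.match(u.path):
        return None
    return "python-runtime-download" if u.path.startswith("/pdown") else "invisibleferret-stage1"


def scan(lines):
    """Return the parsed records that match, each with a 'stage' label added."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            # TLS tunnel: only host:port is logged, so this is a lower-confidence, port-only match.
            _host, _, port = rec["url"].rpartition(":")
            if port == str(STAGING_PORT):
                hits.append({**rec, "stage": "tls-to-port-1224 (path not visible)"})
            continue
        stage = classify_url(rec["url"])
        if stage:
            hits.append({**rec, "stage": stage})
    return hits


# Constructed sample lines (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = [
    "1731340800.123 215 10.0.0.15 TCP_MISS/200 27123456 GET http://198.51.100.7:1224/pdown "
    "- HIER_DIRECT/198.51.100.7 application/octet-stream",
    "1731340812.456 98 10.0.0.15 TCP_MISS/200 5120 GET http://198.51.100.7:1224/client/99 "
    "- HIER_DIRECT/198.51.100.7 text/plain",
    # same path, default port: not the pattern
    "1731340813.001 40 10.0.0.22 TCP_MISS/200 1024 GET http://example.test/client/99 "
    "- HIER_DIRECT/192.0.2.10 text/html",
    # TLS tunnel to the staging port: port-only match
    "1731340820.777 120 10.0.0.31 TCP_TUNNEL/200 4096 CONNECT 203.0.113.9:1224 "
    "- HIER_DIRECT/203.0.113.9 -",
    # right port, unrelated path: not the pattern
    "1731340830.000 50 10.0.0.40 TCP_MISS/200 2048 GET http://pypi.test:1224/simple/ "
    "- HIER_DIRECT/192.0.2.11 text/html",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["method"], hit["url"], "->", hit["stage"])
```

Two matches from the same client a few seconds apart, first /pdown and then /client/, are the sequence worth alerting on; a lone CONNECT to port 1224 is weaker and better treated as a pivot for a closer look at that host.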
Recommendations
Educate yourself and others about these and similar scams.
Refrain from clicking on links and attachments delivered via emails or social media messages.
Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds.
Confirm the legitimacy of requests by contacting the careers section of a company’s official website or by calling the company’s human resources department to verify if the job offer is legitimate.
Report malicious cyber activity to the FTC or the FBI’s IC3.
Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management.
You will have the opportunity to:
Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel.
Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time.
Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions.
Join us at an upcoming Defend Against Threats with Extended Detection and Response event:
October 29, 2024
11:00 AM – 2:15 PM | (GMT-05:00) Central Time US & Canada
12:00 PM – 3:15 PM | (GMT-04:00) Eastern Time US & Canada
10:00 AM – 1:15 PM | (GMT-06:00) Mountain Time US & Canada
9:00 AM – 12:15 PM | (GMT-07:00) Pacific Time US & Canada
Delivery Language: English
Closed Captioning Language(s): English
Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.
For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?
During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:
Current guidance and leading-practices for multi-factor authentication (MFA), including phishing-resistant MFA.
Identity and Access Management approaches to consider as your business grows.
How identity and access management is covered in the NIST Cybersecurity Framework 2.0.
Speakers:
Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST