In a constantly evolving cybersecurity landscape, the criminal contingent quickly picks up on new opportunities.
This week’s newsletter will cover:
- Phishing campaigns
- Sensitive information theft
- Cryptocurrency mining attacks against servers
Phishing campaigns
Office 365 users in the United States have been targeted with a novel phishing campaign that uses mandatory Coronavirus employee workplace training as a pretext. Victims are emailed a malicious registration link that redirects them to a credential-harvesting page rather than a legitimate training sign-up page.
In another campaign, Facebook Messenger users have been targeted with an old trick: a leaked X-rated video that supposedly features them. An attempt to preview the video redirects users to a legitimate-looking Facebook page that asks them to "verify" their account by logging in. Once a targeted account is compromised, malicious messages are sent automatically to the victim's contacts.
In a third one, threat hunters have stumbled upon attempts to steal system administrators' credentials via fake emails prompting for the activation of DNSSEC. DNSSEC is a specification that is meant to strengthen the security of DNS records by means of digital signatures.
- The phishing page poses as the domain's hosting provider, software vendor or domain registrar and asks the end-users to supply their usernames and passwords. The scam revolves around popular service providers and vendors: prior to sending the email, the attackers actively scanned the target domain to find out which supplier, vendor or software solution it uses, so that the lure matches the victim's real provider.
- Due to a misconfiguration, however, the evidently malicious server hosting the credential-harvesting page was leaking information about the service providers it was meant to impersonate. Ninety-six vendors, each with its corresponding logo, were on the list. Clearly, effort has gone into making the pages look legitimate in order to boost the success rate of the campaign.
Recommendation: Educate personnel, especially those with a higher access level, on common phishing campaigns and how to recognize them. Combine the awareness training with a fail-proof policy on system updates and configuration changes to facilitate good security practices.
Sensitive information theft
Countermeasures such as Content Security Policy (CSP) can help mitigate certain attack vectors, but they fall short here: because the attackers exfiltrate the stolen data through a trusted origin such as a Google Analytics account, a CSP that allows analytics traffic cannot distinguish the legitimate account from the attacker's, so the protection is rendered ineffective. Administrators and developers are advised to implement additional security controls such as other HTTP security headers (X-XSS-Protection, X-Frame-Options, Feature-Policy, to name a few). Additionally, using subresource integrity (SRI) on external resources would greatly reduce the odds of a successful compromise.
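The following is an added example, not code from the newsletter or from any of the vendors it cites. It shows how SRI pins a third-party script: the integrity value is a base64-encoded SHA-384 digest of the exact bytes the browser fetches, so a script that has been tampered with on the CDN (or swapped for a skimmer) no longer matches and is refused. The sample script body is constructed for the demonstration; all function names are the example's own.

```python
import base64
import hashlib

# Constructed sample: the body of a third-party script exactly as the CDN serves it.
# In practice, hash the bytes you actually deploy, not a prettified or minified copy.
SAMPLE_SCRIPT = b"window.track = function (e) { console.log('event', e); };\n"

# The only digest algorithms the SRI specification permits.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(resource: bytes, algo: str = "sha384") -> str:
    """Return the value of the integrity attribute, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, resource).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(resource: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute the way a browser does:
    the attribute may list several space-separated tokens, tokens with unknown
    algorithms are ignored, and any one matching token is enough."""
    for token in integrity.split():
        algo, _, _expected = token.partition("-")
        if algo not in SRI_ALGORITHMS:
            continue
        if sri_integrity(resource, algo) == token:
            return True
    return False


def script_tag(src: str, resource: bytes) -> str:
    """Emit a <script> tag that pins the resource. crossorigin="anonymous" is
    required for the browser to enforce SRI on a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_integrity(resource)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/track.js", SAMPLE_SCRIPT)
    print(tag)
    # A single appended byte (what a silently modified CDN copy looks like) fails the check.
    print("tampered copy accepted:", sri_matches(SAMPLE_SCRIPT + b"x", sri_integrity(SAMPLE_SCRIPT)))
```

Note that SRI only protects resources loaded with `<script src>` or `<link>`; it does nothing for inline script injected into the page itself, which is why the page still needs the server-side controls mentioned above.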
Other security experts have found obfuscated card skimming code hidden within the metadata of an image file (Copyright field) and loaded by compromised online stores running the WooCommerce plugin for WordPress.
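As an added example (not from the newsletter or from any of the researchers it cites), the script below shows how a defender can audit uploaded images for the technique just described: it walks the JPEG segments, parses the EXIF/TIFF IFD0 directory, extracts the Copyright tag (0x8298) and flags values that look like code rather than a copyright notice. The JPEG is constructed inline so the example runs offline; the indicator list and function names are the example's own assumptions, not a vendor's signature set.

```python
import struct
from typing import List, Optional

COPYRIGHT_TAG = 0x8298   # TIFF/EXIF "Copyright", ASCII type
ASCII_TYPE = 2

# Strings that have no business in a copyright notice but are common in obfuscated JavaScript.
# Constructed heuristic list for the example; tune it to your own environment.
CODE_INDICATORS = ["<script", "eval(", "atob(", "fromCharCode", "document.", "XMLHttpRequest", "fetch("]


def build_jpeg_with_copyright(text: str) -> bytes:
    """Construct a minimal JPEG whose APP1/EXIF segment carries one Copyright entry (little-endian)."""
    payload = text.encode("latin-1") + b"\x00"
    data_off = 8 + 2 + 12 + 4                       # header + count + one entry + next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 42, 8)        # byte order, magic, IFD0 offset
    tiff += struct.pack("<H", 1)                    # one directory entry
    tiff += struct.pack("<HHII", COPYRIGHT_TAG, ASCII_TYPE, len(payload), data_off)
    tiff += struct.pack("<I", 0)                    # no further IFDs
    tiff += payload
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _tiff_copyright(tiff: bytes) -> Optional[str]:
    """Read the Copyright entry from IFD0 of a TIFF structure (either byte order)."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return None
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return None
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        if off + 12 > len(tiff):
            return None
        tag, typ, n, value = struct.unpack(endian + "HHI4s", tiff[off:off + 12])
        if tag == COPYRIGHT_TAG and typ == ASCII_TYPE:
            if n <= 4:                              # short values are stored inline
                raw = value[:n]
            else:                                   # otherwise the field is an offset into the TIFF data
                (data_off,) = struct.unpack(endian + "I", value)
                raw = tiff[data_off:data_off + n]
            return raw.rstrip(b"\x00").decode("latin-1", errors="replace")
    return None


def exif_copyright(data: bytes) -> Optional[str]:
    """Walk the JPEG marker segments and return the EXIF Copyright string, if any."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI or start-of-scan: no more metadata segments
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _tiff_copyright(segment[6:])
        pos += 2 + seg_len
    return None


def suspicious_copyright(data: bytes) -> List[str]:
    """Return the code indicators found in the image's Copyright field (empty list means clean)."""
    text = exif_copyright(data) or ""
    return [ind for ind in CODE_INDICATORS if ind in text]


if __name__ == "__main__":
    clean = build_jpeg_with_copyright("Copyright (c) 2020 Example Store")
    # Constructed stand-in for a hidden payload; it is not a working skimmer.
    tainted = build_jpeg_with_copyright("Copyright 2020; eval(atob('ZG9jdW1lbnQ='))")
    for name, img in (("clean", clean), ("tainted", tainted)):
        print(name, repr(exif_copyright(img)), suspicious_copyright(img))
```

Run it over the media upload directory of a store (any JPEG, PNG metadata needs a separate parser) and alert on non-empty results; a legitimate Copyright field is short, human-readable text, so a long or code-like value is worth a look even if none of the indicators match.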
Cryptocurrency mining attacks against servers
A new variant of the "Golang" malware (written in the Go programming language) has been observed in targeted attacks against both Windows and Linux machines. This new version targets web application frameworks (e.g. ThinkPHP), application servers and Microsoft SQL servers, among others; it spreads as a worm and installs the Monero cryptocurrency miner known as XMRig. So far, the source of the infection has been linked to China-based IP addresses.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Sources: Amatas, Cyware, Threatpost, Check Point, Hack Read, PerimeterX, Kaspersky, Sansec, Malwarebytes, Sophos, Bleeping Computer, ZDNet, Help Net Security, Creative Commons