Project Hyphae
Search

Information Security News 6-5-2023

Share This Post

‘Picture-in-Picture’ Obfuscation Spoofs Delta, Kohl’s for Credential Harvesting

Article Link: https://www.darkreading.com/endpoint/picture-in-picture-obfuscation-spoofs-delta-kohls-credential-harvesting

  • A recent campaign analyzed by Avanan showed how threat actors hide malicious links behind convincing photos offering gift cards and loyalty programs from brands like Kohl’s and Delta Airlines.
  • The tactic involves linking malicious URLs to marketing photos within branded emails. While this isn’t necessarily a new technique, it was noted that a rise in what is dubbed as “obfuscation within legitimacy” has occurred recently.
  • While email filters may flag spoofed emails, it was noted that not all filters may be able to adequately stop users from clicking on malicious content. Researchers encourage educating users, informing users to review URLs even in marketing emails, and potentially leveraging URL protection systems.
  • Link to Avanan’s Full Report: https://www.avanan.com/blog/the-picture-in-picture-attack

NSA and FBI: Kimsuky Hackers Pose as Journalists to Steal Intel

Article Link: https://www.bleepingcomputer.com/news/security/nsa-and-fbi-kimsuky-hackers-pose-as-journalists-to-steal-intel/

  • According to joint advisories from several United States and South Korean entities, a North Korean threat actor is launching spear-fishing campaigns on think tanks, research centers, academic institutions, and media organizations.
  • The threat actors pose as journalists seeking information as a means of collecting intelligence and further improving subsequent phishing campaigns. Additionally, while the first email tends not to contain malicious content within it, additional communications posed as follow up emails have been noted to include malicious downloadable documents.
  • The advisory highlighted mitigation steps relating to this threat actor. The advisory also noted that the English emails tend to have subtle misspelling or improper grammar. When in doubt, it is encouraged to contact the media group or journalist in question to validate their identity and then try to meet any journalists over a video call for any further communication.
  • Link to NSA’s Advisory: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3413621/us-rok-agencies-alert-dprk-cyber-actors-impersonating-targets-to-collect-intell/

Focus Security Efforts on Choke Points, Not Visibility

Article Link: https://www.darkreading.com/vulnerabilities-threats/focus-security-efforts-on-choke-points-not-visibility

  • Most organizations have limited resources dedicated to security. Despite this, they also have a constantly growing list of exposures and vulnerabilities to remediate.
  • This article highlights determining where weaknesses and common attack paths in the environment exist and then focusing resources on those areas of convergence instead of trying to fix everything.

CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security

Article Link: https://thehackernews.com/2023/05/captcha-breaking-services-with-human.html

  • Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic.
  • The illicit CAPTCHA-solving services work by funneling requests sent by customers and delegating them to their human solvers, who work out the solution and submit the results back to the users. Additionally, some threat actors purchase Proxyware services, which allow users to share unused internet bandwidth, to obscure originating IP addresses and evade antibot barriers.
  • Researchers encourage online web services to supplement CAPTCHAs and IP blocklisting with additional anti-abuse tools to mitigate the creation of bot accounts.

Streamers Ditch Netflix for Dark Web After Password Sharing Ban

Article Link: https://www.darkreading.com/application-security/streamers-netflix-dark-web-password-sharing-ban

  • According to researchers at Check Point, Netflix’s policy change requiring users to be within the same household and recent price increases have led users to cancel the service and seek cheaper Netflix accounts on the Dark Web.
  • Netflix access is sold on the Dark Web for $2.30 a month with hackers providing users the compromised credentials of legitimate users. In many instances, buyers don’t receive account access or have the accounts they “purchased” revoked by the scammers shortly after purchasing.
  • Additionally, malicious actors are using Netflix’s policy transitioning to launch convincing phishing campaigns. Specifically, hackers are sending out emails titled “Account Suspension” or “Your subscription is about to expire” to steal the credentials of unsuspecting users.
  • Link to Check Point Report: https://blog.checkpoint.com/security/secure-your-netflix-account-limited-sharing-can-result-in-dark-web-sales-for-e2-per-month/

Inactive, Unmaintained Salesforce Sites Vulnerable to Threat Actors

Article Link: https://www.csoonline.com/article/3697657/inactive-unmaintained-salesforce-sites-vulnerable-to-threat-actors.html

  • According to Varonis, many organizations have unsupported Salesforce “ghost sites,” or Salesforce instances that are no longer needed or maintained yet still pull personally identifiable information (PII) and sensitive business data into a viewable platform.
  • As the article notes, the issue arises when administrators only modify the DNS record when changing vendors from Salesforce to another platform or instance. As such, the Salesforce instance isn’t being completely disabled, allowing bad actors and internal users alike to access the abandoned Salesforce instance via the full internal URL or changing the host header to bring up the Salesforce webpage.
  • Researchers noted that sites no longer in use should be deactivated. Additionally, it is important to track user and guest permissions. Varonis has provided a guide on Salesforce Community protection.
  • Link to Varonis’ Full Report: https://www.varonis.com/blog/salesforce-ghost-sites
  • Link to Varonis’ Salesforce Guide: https://www.varonis.com/blog/abusing-salesforce-communities

Upskilling the Non-Technical: Finding Cyber Certification and Training for Internal Hires

Article Link: https://www.csoonline.com/article/3697656/upskilling-the-non-technical-finding-cyber-certification-and-training-for-internal-hires.html

  • This article highlights training personnel already working at your organization in cyber-related roles instead of spending additional time and resources utilizing public job postings to bring in someone new. In essence, you “upskill” by training personnel to fill the roles you need.
  • As the article notes, the main drawback to this approach is that the personnel lack specific training and certification. However, they already have a significant understanding of the organization, relationships with other employees, and are already within the HR channel.
  • A key component to upskilling involves identifying transferrable skills between what employees are currently doing and what they will be doing to bridge the gap in understanding. Ultimately, you will also be providing the employees in question with a unique security lens for their current role.

Canada to Set Up Cyber Security Certification for Defense Contractors

Article Link: https://www.reuters.com/world/americas/canada-set-up-cyber-security-certification-defence-contractors-minister-2023-05-31/

  • According to Canadian Defense Minister Anita Anand, Canada will work with the United States to draft a cyber security certification framework for defense contractors that will be identical for both countries as a means of responding to continued malicious cyber activities on contractors.
  • The Canadian Defense Ministry noted that the Canadian certification framework will be designed in collaboration with the United States so that defense contractors working in both countries will only need to be certified once.
  • The Defense Ministry also highlighted that the certification framework should be put in place by the end of next year (2024). Without certification, suppliers will risk being excluded from future international defense procurement opportunities.


Reach out to our incident response team for help

More To Explore

CVE-2024-3596 | Attackers Blasting RADIUS

CVE-2024-3596 | CVSS:9.0 A new and emerging attacked named “Blast-RADIUS”, allows a man-in-the-middle attack between the RADIUS client and server to forge a valid protocol

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.