Sarina

I. Targeted Entities

• Edfinancial and Oklahoma Student Loan Authority loanees

II. Introduction

Oklahoma Student Loan Authority (OSLA) and EdFinancial are notifying over 2.5 million people that their personal data was leaked in a data breach that could lead to more trouble.

III. Background Information

Nelnet Servicing, a Lincoln, Nebraska-based servicing system and web portal provider for the two loan providers, was the target of the breach. Nelnet made the breach known to affected loan recipients on July 21^st via letter.[1]

By August 17^th, the investigation found that the personal user information, including the names, home addresses, email addresses, phone numbers, and social security numbers, of 2,501,324 student loan account holders had been accessed by an unauthorized party. However, the users’ financial information was not leaked.[2] In the breach disclosure filing submitted to the state of Maine by Bill Munn, Nelnet’s general counsel, the breach occurred between June 1, 2022 and July 22, 2022. But the letter sent to affected users pinpoints the breach to July 21, 2022.[3]

Although loanees’ sensitive financial data was not leaked, the personal information that was leaked “has [the] potential to be leveraged in future social engineering and phishing campaigns,” says Melissa Bischoping of Tanium. With the Biden administration’s recent announcement of a plan to cancel $10,000 of student loan debt for low- and middle-income loanees, it should be expected that this breach could be used by scammers for criminal activity. Bischoping warns that the recently leaked data can be used to impersonate affected brands in phishing campaigns that target students and recent college graduates.[4]

According to the breach disclosure, Nelnet informed Edfinancial and OSLA that Nelnet’s cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts to determine the nature and scope of the activity.” Also in the breach disclosure sent to the state of Maine is a statement that remediation will include two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance.[1]

IV. MITRE ATT&CK

• T1586 – Compromise Accounts
  Adversaries may compromise accounts with services that can be used during targeting with information gained from the data breach.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise (IOCs)

Because of the nature of the event, this threat advisory has no indicators of compromise. However, users should continue to remain vigilant.

VII. References

(1) Nelson, Nate. “Student Loan Breach Exposes 2.5M Records.” Threatpost English Global, August 31, 2022. https://threatpost.com/student-loan-breach-exposes-2-5m-records/180492/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.

I. Targeted Entities

• Coinbase accounts

II. Introduction

Attackers are bypassing two-factor authentication (2FA) and using other evasion tactics in a campaign that is trying to take over Coinbase accounts to defraud users of their cryptocurrency.

III. Background Information

Researchers at PIXM Software say that the threat actors are using emails that spoof Coinbase to trick users into logging into their accounts so that the attackers can gain access to the accounts and steal funds.[2] The researchers say that the cybercriminals will distribute these stolen funds through a network of “burner” accounts, in an automated way, via hundreds or thousands of transactions. The cybercriminals do this in an effort to shroud the original wallet from their destination wallet.[2]

The attackers employ a range of tactics to avoid detection. One such tactic is what researchers call “short-lived domains.” These domains are only up for extremely short periods of time (less than two hours), which is a deviation from typical phishing practices.[1] Another tactic used is context awareness. Context awareness allows cybercriminals to know either the IP, CIDR Range, or geolocation from which they anticipate their target to be connecting. The attackers can then create something similar to an Access Control List (ACL) on the phishing page to restrict connections to only be allowed from the IP, CIDR Range, or region of their intended target.[1]

The Coinbase attacks begin with criminals targeting users with a malicious email that spoofs Coinbase so that victims think that they are receiving a legitimate message. The email uses a variety of reasons to persuade the user into logging into their account. For example, the account might be locked due to suspicious activity or a transaction needs to be confirmed. Like a typical phishing campaign, if the user is persuaded to follow the link in the phony message, they are taken to a fake login page and they are prompted to enter their credentials. If the user enters their credentials, the cybercriminal receives them in real-time and uses them to log in to the legitimate Coinbase website. Because the attacker logged into the legitimate Coinbase website, the victim is sent a 2FA code from Coinbase. Thinking that they are logging into the legitimate Coinbase website, the victim enters the 2FA code they received. However, like the login credentials, the cybercriminal receives the 2FA code and gains control of the victim’s account.[1]

Once the criminal has access to the account, they divert the victim’s funds to the aforementioned network of accounts in order to evade detection or suspicion. According to researchers, the funds are often embezzled through unregulated and illegal online cryptocurrency services, like cryptocurrency casinos, betting applications, and illegal online marketplaces.[1] At this point, the victim is told that their account is locked or restricted, and is prompted to talk to customer service to rectify their problem. This prompt is the second phase of the attack, where the cybercriminal poses as a Coinbase employee trying to help the victim regain access to their account, but in reality, is stalling so that the fund transfer can be completed before the victim becomes suspicious. Once the transfer is complete, the cybercriminal will abruptly close the session and then shut down the phishing page, leaving the victim without their funds.[1]

IV. MITRE ATT&CK

• T1566 – Phishing
  The threat actors will send phishing messages to gain access to a victim’s Coinbase account.

• T1111 – Multi-Factor Authentication Interception
  The threat actors target multi-factor authentication mechanisms to gain access to credentials that are used to access Coinbase systems and services.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
• Malware Monitoring
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

This threat advisory has no indicators of compromise, but users should ensure that they are only interacting with legitimate communications from Coinbase and other services.

VII. References

(1) Montalbano, Elizabeth. “Phishers Swim Around 2FA in Coinbase Account Heists.” Threatpost English Global, August 8, 2022. https://threatpost.com/phishers-2fa-coinbase/180356/.

(2) PIXM Software, ed. “Coinbase Attacks Bypass 2FA.” Pixm Anti-Phishing, August 8, 2022. https://pixmsecurity.com/blog/phish/coinbase-attacks-bypass-2fa/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.

I. Targeted Entities

• Google Chrome

II. Introduction

On July 4, Google quietly released a stable channel update for Google Chrome to patch an actively exploited zero-day vulnerability. This is the fourth flaw Google has released for Google Chrome this year.

III. Background Information

Chrome 103 (103.0.5060.71 for Android and 103.0.5060.114 for Windows and Mac) fixes a heap buffer overflow flaw in WebRTC. WebRTC is the engine that gives the browser its real-time communications capability.[1] The vulnerability, given the moniker CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team, is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory.”[1]

Google did not reveal any specific details about the vulnerability, but they did recommend that users upgrade their Google Chrome browsers. Because there are so few known details about the flaw, users’ most feasible protection is to upgrade their browser. Fortunately, Google Chrome updates are pushed without user intervention so most users will be protected once an update is available.[1]

Buffer overflows can lead to crashes and other attacks that make the affected program unavailable, like putting the program into an infinite loop. Attackers can take advantage of the attack by using the crash to execute arbitrary code usually outside of the scope of the program’s security policy.[1]

Along with fixing the zero-day buffer overflow flaw, the fix also patches a confusion flaw in the V8 JavaScript engine (CVE-2022-2295), which was reported on June 16^th by researchers at S.S.L.[1] This is the third flaw of this nature found in the open-source engine used by Google Chrome and Chromium-based web browsers that has been patched this year. In March, a different type-confusion issue in the V8 JavaScript engine (CVE-2022-1096) required a hasty patch from Google. And in April, Google patched another type-confusion flaw (CVE-2022-1364) which affected Google Chrome’s use of V8, which attackers had already pounced on.[1]

Another flaw patched the July 4 Google Chrome update is a use-after-free flaw in Chrome OS Shell, which was reported by Khalil Zhani on May 19^th and was given the moniker CVE-2022-2296, according to Google. Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google, in February, patched a zero-day use-after-free flaw in Chrome’s Animation component (CVE-2022-0609) that was under attack.[1]

IV. MITRE ATT&CK

Because the specific details of this flaw have not been announced, there are currently no MITRE ATT&CKs associated with this flaw.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
• Malware Monitoring
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

Because the specific details of this flaw have not been announced, there are currently no IOCs associated with this flaw.

VII. References

(1) Montalbano, Elizabeth. “Google Patches Actively Exploited Chrome Bug.” Threatpost English Global, July 5, 2022. https://threatpost.com/actively-exploited-chrome-bug/180118/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

I. Targeted Entities

• Travel Industry

II. Introduction

As people begin to travel more post-COVID, researchers are warning that the travel industry is a prime target for an increase in cyber-related crimes. Criminal activity ranges from an uptick in adversaries targeting airline mileage reward points to website credentials for travel websites. The continued increase of these types of cybercrimes can have major impacts that may include flight delays and cancelations. The impact of these attacks is accounts that have been hacked and are stripped of their value.

III. Background Information

Since January, researchers at Intel 471 have found multiple hacks used by threat actors to trade the credentials linked to travel websites. The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles.” These accounts are used to earn certain rewards on every dollar spent.[1] The credentials that were listed in February come from U.K. users from a major travel website and two U.S. airlines. The researchers at Intel 471 say, “access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”[1]

The exploitation of rewards programs, especially those associated with travel, is not new. In 2018, two Russian teens were arrested for infiltrating more than a half-million online accounts, targeting services that offer reward points.[2] Researchers say that as the travel industry bounces back from its COVID-related slump, the industry once again becomes a target for criminals.[2]

Other nefarious activity includes the targeting of travel-related databases. These databases contain employee and traveler personal identifiable information (PII), which the criminals can sell for money. Intel 471 researchers noticed threat actors had exploited a travel-related database of 40,000 employees in Illinois. The researchers say that this leaked information plays a role in travel-related fraud, allowing a criminal to generate new identities that can be used to cross borders or evade authorities.[1]

Researchers at Intel 471 suggest that customers stay vigilant while making travel arrangements, should book flights from reliable sources, handle payment cautiously, and be on the lookout for any out-of-place offers.

IV. MITRE ATT&CK

• T1566 – Phishing
  Adversaries may utilize methods, like phishing, that involve social engineering techniques, such as posing as a trusted source.
• T1555 – Credentials from Password Stores
  Adversaries may search common password storage locations to obtain user credentials.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

There are no IOCs for this threat advisory. However, users should remain vigilant of things that don’t seem right, and take the necessary precautions as they browse the Internet.

VII. References

(1) Intel 471, ed. “Cybercriminals Preying on Travel Surge with a Host of Different Scams.” Intel471, June 15, 2022. https://intel471.com/blog/travel-fraud-cybercrime-ransomware-pii.

(2) Tiwari, Sagar. “Travel-Related Cybercrime Takes Off as Industry Rebounds.” Threatpost English Global, June 15, 2022. https://threatpost.com/travel-related-cybercrime-takes-off/179962/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.