Threat Advisories

Phishers Spoof 2FA in Coinbase Accounts Stealing

I. Targeted Entities

  • Coinbase accounts

II. Introduction

Attackers are bypassing two-factor authentication (2FA) and using other evasion tactics in a campaign that is trying to take over Coinbase accounts to defraud users of their cryptocurrency.

III. Background Information

Researchers at PIXM Software say that the threat actors are using emails that spoof Coinbase to trick users into logging into their accounts so that the attackers can gain access to the accounts and steal funds.[2] The researchers say that the cybercriminals will distribute these stolen funds through a network of “burner” accounts, in an automated way, via hundreds or thousands of transactions. The cybercriminals do this in an effort to shroud the original wallet from their destination wallet.[2]

The attackers employ a range of tactics to avoid detection. One such tactic is what researchers call “short-lived domains.” These domains are only up for extremely short periods of time (less than two hours), which is a deviation from typical phishing practices.[1] Another tactic used is context awareness. Context awareness allows cybercriminals to know either the IP, CIDR Range, or geolocation from which they anticipate their target to be connecting. The attackers can then create something similar to an Access Control List (ACL) on the phishing page to restrict connections to only be allowed from the IP, CIDR Range, or region of their intended target.[1]

The Coinbase attacks begin with criminals targeting users with a malicious email that spoofs Coinbase so that victims think that they are receiving a legitimate message. The email uses a variety of reasons to persuade the user into logging into their account. For example, the account might be locked due to suspicious activity or a transaction needs to be confirmed. Like a typical phishing campaign, if the user is persuaded to follow the link in the phony message, they are taken to a fake login page and they are prompted to enter their credentials. If the user enters their credentials, the cybercriminal receives them in real-time and uses them to log in to the legitimate Coinbase website. Because the attacker logged into the legitimate Coinbase website, the victim is sent a 2FA code from Coinbase. Thinking that they are logging into the legitimate Coinbase website, the victim enters the 2FA code they received. However, like the login credentials, the cybercriminal receives the 2FA code and gains control of the victim’s account.[1]

Once the criminal has access to the account, they divert the victim’s funds to the aforementioned network of accounts in order to evade detection or suspicion. According to researchers, the funds are often embezzled through unregulated and illegal online cryptocurrency services, like cryptocurrency casinos, betting applications, and illegal online marketplaces.[1] At this point, the victim is told that their account is locked or restricted, and is prompted to talk to customer service to rectify their problem. This prompt is the second phase of the attack, where the cybercriminal poses as a Coinbase employee trying to help the victim regain access to their account, but in reality, is stalling so that the fund transfer can be completed before the victim becomes suspicious. Once the transfer is complete, the cybercriminal will abruptly close the session and then shut down the phishing page, leaving the victim without their funds.[1]

IV. MITRE ATT&CK

  • T1566 – Phishing
    The threat actors will send phishing messages to gain access to a victim’s Coinbase account.
  • T1111 – Multi-Factor Authentication Interception
    The threat actors target multi-factor authentication mechanisms to gain access to credentials that are used to access Coinbase systems and services.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

This threat advisory has no indicators of compromise, but users should ensure that they are only interacting with legitimate communications from Coinbase and other services.

VII. References

(1) Montalbano, Elizabeth. “Phishers Swim Around 2FA in Coinbase Account Heists.” Threatpost English Global, August 8, 2022. https://threatpost.com/phishers-2fa-coinbase/180356/.

(2) PIXM Software, ed. “Coinbase Attacks Bypass 2FA.” Pixm Anti-Phishing, August 8, 2022. https://pixmsecurity.com/blog/phish/coinbase-attacks-bypass-2fa/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.

2022-08-16T12:25:30-04:00August 16, 2022|

Phishing Attacks Increase as Facebook and Microsoft are Most Abused

I. Targeted Entities

  • Microsoft, Facebook, and other large tech brands

II. Introduction

Phishing attacks exploiting the Microsoft and Facebook brands, among others, have increased between 2021 and 2022.

III. Background Information

According to researchers at Vade, Microsoft, Facebook, and the French bank Crédit Agricole are the top abused brands.[1] The report also says that phishing attacks exploiting the Microsoft brand increased 266% in the first quarter of 2022 compared to 2021. Phony Facebook messages are up 177% in the second quarter of 2022, also compared to 2021.[1]

The research done by Vade analyzed unique instances of phishing URLs used by threat actors carrying out phishing attacks and not the number of phishing emails associated with the URLs. Their report listed the 25 most commonly phished companies, along with the most targeted industries and days of the week for phishing emails.[1] Other brands at the top of the list include Crédit Agricole, WhatsApp, and French telecommunications company Orange. PayPal, Google, and Apple also made the list.[1]

The report by Vade found that through the first half of 2022, 34% of all unique phishing attacks, that were tracked by the researchers at Vade, impersonated financial services brands. The next most popular sector was cloud service providers, with Microsoft, Google, and Adobe being prime targets. The social media sector was also popular with Facebook, WhatsApp, and Instagram at the top of the list of brands exploited in the attacks.[1] The researchers also found that the most popular days for sending phishing emails were Monday through Wednesday. The weekend did not see a lot of phishing emails sent with only 20% of the phishing emails being sent during the weekend.[1]

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries will send phishing messages to gain access to a victim’s machine. These phishing attempts may come via link or attachment, and typically execute malicious code on victim machines.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

This threat advisory has no indicators of compromise, but it is recommended that readers be aware of the links and attachments that they are sent to ensure their safety.

VII. References

(1) Nelson, Nate. “Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands.” Threatpost English Global, July 26, 2022. https://threatpost.com/popular-bait-in-phishing-attacks/180281/.

(2) Petitto, Natalie. “Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks.” Vade, July 26, 2022. https://www.vadesecure.com/en/blog/phishers-favorites-top-25-h1-2022.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Tural Hagverdiyev

2022-08-01T12:10:49-04:00August 1, 2022|

Google Patches Exploited Chrome Bug

I. Targeted Entities

• Google Chrome

II. Introduction

On July 4, Google quietly released a stable channel update for Google Chrome to patch an actively exploited zero-day vulnerability. This is the fourth flaw Google has released for Google Chrome this year.

III. Background Information

Chrome 103 (103.0.5060.71 for Android and 103.0.5060.114 for Windows and Mac) fixes a heap buffer overflow flaw in WebRTC. WebRTC is the engine that gives the browser its real-time communications capability.[1] The vulnerability, given the moniker CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team, is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory.”[1]

Google did not reveal any specific details about the vulnerability, but they did recommend that users upgrade their Google Chrome browsers. Because there are so few known details about the flaw, users’ most feasible protection is to upgrade their browser. Fortunately, Google Chrome updates are pushed without user intervention so most users will be protected once an update is available.[1]

Buffer overflows can lead to crashes and other attacks that make the affected program unavailable, like putting the program into an infinite loop. Attackers can take advantage of the attack by using the crash to execute arbitrary code usually outside of the scope of the program’s security policy.[1]

Along with fixing the zero-day buffer overflow flaw, the fix also patches a confusion flaw in the V8 JavaScript engine (CVE-2022-2295), which was reported on June 16th by researchers at S.S.L.[1] This is the third flaw of this nature found in the open-source engine used by Google Chrome and Chromium-based web browsers that has been patched this year. In March, a different type-confusion issue in the V8 JavaScript engine (CVE-2022-1096) required a hasty patch from Google. And in April, Google patched another type-confusion flaw (CVE-2022-1364) which affected Google Chrome’s use of V8, which attackers had already pounced on.[1]

Another flaw patched the July 4 Google Chrome update is a use-after-free flaw in Chrome OS Shell, which was reported by Khalil Zhani on May 19th and was given the moniker CVE-2022-2296, according to Google. Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google, in February, patched a zero-day use-after-free flaw in Chrome’s Animation component (CVE-2022-0609) that was under attack.[1]

IV. MITRE ATT&CK

Because the specific details of this flaw have not been announced, there are currently no MITRE ATT&CKs associated with this flaw.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

Because the specific details of this flaw have not been announced, there are currently no IOCs associated with this flaw.

VII. References

(1) Montalbano, Elizabeth. “Google Patches Actively Exploited Chrome Bug.” Threatpost English Global, July 5, 2022. https://threatpost.com/actively-exploited-chrome-bug/180118/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

2022-07-14T10:00:23-04:00July 14, 2022|

Microsoft Releases Workaround for Zero-Day Flaw

I. Targeted Entities

  • Travel Industry

II. Introduction

As people begin to travel more post-COVID, researchers are warning that the travel industry is a prime target for an increase in cyber-related crimes. Criminal activity ranges from an uptick in adversaries targeting airline mileage reward points to website credentials for travel websites. The continued increase of these types of cybercrimes can have major impacts that may include flight delays and cancelations. The impact of these attacks is accounts that have been hacked and are stripped of their value.

III. Background Information

Since January, researchers at Intel 471 have found multiple hacks used by threat actors to trade the credentials linked to travel websites. The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles.” These accounts are used to earn certain rewards on every dollar spent.[1] The credentials that were listed in February come from U.K. users from a major travel website and two U.S. airlines. The researchers at Intel 471 say, “access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”[1]

The exploitation of rewards programs, especially those associated with travel, is not new. In 2018, two Russian teens were arrested for infiltrating more than a half-million online accounts, targeting services that offer reward points.[2] Researchers say that as the travel industry bounces back from its COVID-related slump, the industry once again becomes a target for criminals.[2]

Other nefarious activity includes the targeting of travel-related databases. These databases contain employee and traveler personal identifiable information (PII), which the criminals can sell for money. Intel 471 researchers noticed threat actors had exploited a travel-related database of 40,000 employees in Illinois. The researchers say that this leaked information plays a role in travel-related fraud, allowing a criminal to generate new identities that can be used to cross borders or evade authorities.[1]

Researchers at Intel 471 suggest that customers stay vigilant while making travel arrangements, should book flights from reliable sources, handle payment cautiously, and be on the lookout for any out-of-place offers.

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries may utilize methods, like phishing, that involve social engineering techniques, such as posing as a trusted source.
  • T1555 – Credentials from Password Stores
    Adversaries may search common password storage locations to obtain user credentials.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

There are no IOCs for this threat advisory. However, users should remain vigilant of things that don’t seem right, and take the necessary precautions as they browse the Internet.

VII. References

(1) Intel 471, ed. “Cybercriminals Preying on Travel Surge with a Host of Different Scams.” Intel471, June 15, 2022. https://intel471.com/blog/travel-fraud-cybercrime-ransomware-pii.

(2) Tiwari, Sagar. “Travel-Related Cybercrime Takes Off as Industry Rebounds.” Threatpost English Global, June 15, 2022. https://threatpost.com/travel-related-cybercrime-takes-off/179962/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

2022-06-27T09:38:48-04:00June 16, 2022|

Microsoft Releases Workaround for Zero-Day Flaw

I. Targeted Entities

  • Microsoft Office users

II. Introduction

Microsoft has recently established a workaround for a zero-day vulnerability, known as Follina, for Microsoft Office applications, such as Word, after being originally identified back in April. This vulnerability is a remote control execution (RCE) flaw, and if successfully exploited, threat actors have the ability to install programs, view, change, or delete data on targeted systems. The RCE is associated with the Microsoft Support Diagnostic Tool (MSDT) which, ironically, collects information about bugs in the company’s products and reports them to Microsoft Support.

III. Background Information

Microsoft explained that “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word…An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application”.[1] The workaround comes about six weeks after the vulnerability was first seen by researchers from Shadow Chaser Group on April 12th and reported to Microsoft on April 21st. The vulnerability was noticed in a bachelor’s thesis from August 2020, with attackers seemingly targeting Russian users.[2] A Malwarebytes Threat Intelligence analyst also found the flaw back in April but could not fully identify it. The company posted a tweet on the same day, April 12th.[2]

At first, when the flaw was first reported, Microsoft did not consider the flaw an issue. But now, it is clear that the vulnerability should be taken seriously, with Japanese security vendor Nao Sec tweeting a fresh warning, noting that the vulnerability was targeting users in Belarus. Security researcher Kevin Beaumont called the vulnerability Follina; the name comes from the zero-day code references to the Italy-based area code of Follina (0438).[2]

There is no fix for the flaw, but Microsoft recommends that affected users disable the MSDT URL to rectify the flaw for now. Disabling the MSDT URL, “prevents troubleshooters being launched as links including links throughout the operating system.”[2] To disable the MSDT URL, users should follow these steps:

  1. Run Command Prompt as Administrator
  2. Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOTms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f” [2]

Microsoft says that the troubleshooters can still be accessed using the Get Help application and by using the system settings. Microsoft also says that if the calling application is an Office program, Office will open the document in Protected View and Application Guard for Office, which Microsoft says will “prevent the current attack.” However, Beaumont refuted that assurance in his analysis of the bug.[2] Microsoft also plans on updating CVE-2022-3019 with further information but did not specify when it would do so.[2]

Meanwhile, the unpatched flaw poses a significant threat. One reason is that the flaw affects a large number of people, given that it exists in all currently supported Windows versions and can be exploited via Office versions 2013-2019, Office 2021, Office 365, and Office ProPlus.[2] Another reason is that the flaw poses a major threat in its execution without action from the end-user. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious code payload.[2] Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks.[2]

Researchers say that this flaw is similar to last year’s zero-click MSHTML bug (CVE-2021-40444), which was pummeled by attackers, including the Ryuk ransomware gang. In fact, threat actors already pounced on this vulnerability. Proofpoint Threat Insight tweeted that threat actors were using the vulnerability to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration. Moreover, the workaround Microsoft currently offers itself has issues and won’t provide much of a long-term fix. It is not friendly for admins because the workaround requires users to change their Windows Registry, says Aviv Grafti, CTO and founder of Votiro.[2]

IV. MITRE ATT&CK

  • T1219 – Remote Access Software
    An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
  • T1218 – System Binary Proxy Execution
    Threat actors bypass signature-based defects by proxying the execution of malicious content with signed, or trusted binaries. This technique often involves Microsoft-signed files, which indicates that the binaries were either downloaded from Microsoft or already native to the operating system.
  • T1221 – Template Injection
    Threat actors create or modify references in user document templates to conceal malicious code or force authentication attempts.
  • T1566 – Phishing
    Adversaries may utilize methods like phishing that involve social engineering techniques, such as posing as a trusted source.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Disable Microsoft Support Diagnostic Tool
    Microsoft recommends the affected users disable the MSDT URL to mitigate this vulnerability, as no patch yet exists for the flaw.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Microsoft Security Response Center, ed. “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.” Microsoft Security Response Center, May 30, 2022. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/.

(2) Montalbano, Elizabeth. “Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack.” Threatpost English Global, June 1, 2022. https://threatpost.com/microsoft-workaround-0day-attack/179776/.Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

2022-06-07T10:41:26-04:00June 7, 2022|

REvil is Back and Executes DDoS Attacks

I. Targeted Entities

  • Akami Technologies Incorporated and customers

II. Introduction

A recent denial of service (DDoS) campaign against a hospitality customer of Akamai, a cloud networking provider, and the defunct REvil ransomware gang claiming responsibility for it. It should be noted that researchers believe there is a high probability that the attack is not a resurgence of the infamous cybercriminal group but rather a copycat operation.

III. Background Information

Akamai researchers have been monitoring the DDoS attack since May 12th, when a customer alerted the company’s Security Incident Response Team (SIRT) of an attempted attack by a group purporting to be REvil. The requests contain demands for payment, a bitcoin wallet, and business/political demands.[1] While the attackers claim to be REvil, it is not clear if the defunct group is responsible for the attacks, given that the attacks seem smaller than previous attacks that the group claimed responsibility for. The apparent political motivation behind the DDoS campaign is also inconsistent with REvil’s M.O.

REvil, which hasn’t been seen since July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well-known for its attacks against Kaseya, JBS Foods, and Apple.[2] The disruptive nature of their attacks caused international authorities to take measures against the group, with Europol arresting a number of cybercriminals in November of 2021.[2] In March 2022, Russia, who up until then had done little to stop REvil’s operations, claimed responsibility for fully toppling the group at the behest of the U.S. government, arresting its individual members. One person arrested was instrumental in helping the ransomware group DarkSide, the group responsible for the Colonial Pipeline attack in May of 2021.[2]

The recent DDoS attack, which would be a shift in strategy for REvil, was comprised of a HTTP GET request in which the request path contained a message to the target containing a 554-byte message demanding payment. The victim was directed to send the bitcoin payment to a wallet address that “currently has no history and is not tied to any previously known bitcoin.”[2] The attack also has an additional geospecific demand that requested the targeted company to cease business operations across an entire country. The attackers threatened to launch follow-up attacks that would affect global business operations if the demand was not met and the ransom not paid in a specific amount of time.[2]

There is a precedent for REvil using DDos in its previous attacks, but it does not appear that this attack is the work of REvil. REvil’s M.O. was to gain access to a target network or organization and encrypt or steal sensitive data, demanding payment to decrypt or prevent information leakage to the highest bidders or threatening public disclosure of sensitive or damaging information. The technique in this attack is different from their normal strategy. The political motivation tied to the attack, which is linked to a legal ruling about the targeted company’s business model, also goes against REvil’s normal tactics, with leaders in the past saying that they were purely profit-driven.[2] However, it is possible that REvil is seeking a resurgence by trying out a new business model of DDoS extortion. However, what is more likely is cybercriminals using the name of a notorious cybercriminal group to frighten the targeted organization into meeting their demands.[2]

IV. MITRE ATT&CK

  • T1498– Network Denial of Service
    This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary exhausted the network bandwidth that Akamai customers relied on and demanded payment to end this attack.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Cashdollar, Larry. “REvil Resurgence? Or a Copycat?” Akamai Blog. Akamai Technologies, May 25, 2022. https://www.akamai.com/blog/security/revil-resurgence-or-copycat.

(2) Montalbano, Elizabeth. “Cybergang Claims Revil Is Back, Executes DDoS Attacks.” Threatpost English Global, May 26, 2022. https://threatpost.com/cybergang-claims-revil-is-back-executes-ddos-attacks/179734/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

2022-06-06T14:00:08-04:00June 6, 2022|

Trojan Attacks Google Play Store Again

I. Targeted Entities

  • iPhone users

II. Introduction

New attacks have been discovered on iPhones that can be executed despite the device being turned off. This is a direct result of how Apple implements wireless features in iPhones such as Bluetooth, Near Field Communications (NFC), and Ultra-wideband (UWB) technologies. These features remain active on iPhones when powered down, which makes attack scenarios, such as loading malware on an iPhone’s Bluetooth chip to be executed while powered off, possible.

III. Background Information

The features previously mentioned have access to the iPhone’s Secure Element (SE) which stores sensitive information, even when the iPhone is shut off, according to a team of researchers from Germany’s Technical University of Darmstadt.[1] Because of this, malware is able to be loaded onto a Bluetooth chip that is executed while the iPhone is off (Germans). By attacking these wireless features, cybercriminals can access secure information, including a user’s credit card data, banking details, and even digital car keys on the iPhone.[2] Although this threat is ever-present, exploiting the threat is not so easy, with the threat actors still having to load the malware when the iPhone is on for later execution when the iPhone is off. This would require system-level access or remote code execution (RCE).[3]

The researchers at Germany’s Technical University of Darmstadt say that the cause of the issue is the low power mode (LPM) for wireless chips on iPhones. The LPM issue is caused when the user turns off their iPhone or when iOS shuts down automatically due to low battery. The researchers say that this is different than the power-saving feature that can be enabled by the user in the Settings app or

the Control Center. Because LMP is based on the iPhone’s hardware, and a solution cannot be patched via software, “wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”[1]

Researchers analyzed the security of LPM features in a layered approach, observing the impact of the feature on application-, firmware-, and hardware-level security. A potential threat scenario that the researchers outlined on the iPhone’s firmware assumes that an attacker either has system-level access or can gain RCE using a known Bluetooth vulnerability.[2] In this attack, a threat actor with system-level access could modify firmware of any component that supports LPM. This way, they maintain limited control of the iPhone, even when the user turns the iPhone off.[3] Even if all firmware would be protected against manipulation, an attacker with system-level access could still send custom commands to chips that allow for “very fine-grained configuration, including advertisement rotation intervals and contents.” This could allow an attacker to create settings that would allow them to locate a user’s device with higher accuracy than the legitimate user in the Find My app, for example. [4]

The researchers reported their research to Apple, which did not provide feedback on the issues raised. A potential solution, according to the researchers, is for Apple to add “a hardware-based switch to disconnect the battery” so these wireless elements wouldn’t have power while an iPhone is powered down.[5]

IV. MITRE ATT&CK

  • T1204 – User Execution
    Adversaries must have system-level access to iPhones to conduct this kind of attack. Thus, they may attempt to social engineer iPhone users to load malware into their devices to be later executed when powered off.
  • T1569 – System Services
    Adversaries that have system-level control over iPhones will be able to execute malware remotely. Having this kind of control would give adversaries the ability to modify firmware that control low power mode, Bluetooth, NFC, and other wireless communication protocols.
  • T1644 – Out of Band Data
    Adversaries are capable of executing previously loaded malware on iPhones that have been powered off. Out-of-band data streams, such as Bluetooth and NFC, allow adversaries to execute malware remotely without needing any power from the device’s battery.

V. Recommendations

  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/inzlsmaxpkn72bo64sv5wya7ythbftid

VII. References

(1) Cleafy Labs. “TeaBot Is Now Spreading across the Globe.” Cleafy Labs. Cleafy Labs, January 3, 2022. https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe.

(2) Nelson, Nate. “Teabot Trojan Haunts Google Play Store, Again.” Threatpost English Global, March 2, 2022. https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

2022-06-01T10:26:04-04:00May 17, 2022|

Trojan Attacks Google Play Store Again

I. Targeted Entities

  • Google Play Store

II. Introduction

The TeaBot banking trojan, which is also known as “Anatsa,” has been spotted on the Google Play store.

III. Background Information

TeaBot is designed to intercept SMS messages and login credentials from unsuspecting users, and has affected users of more than 400 banking and financial apps, including those from Russia, China, and the U.S. [1] This is not the first time TeaBot has been a menace to Android users; TeaBot was first seen last year. It is a straightforward malware designed to steal banking, contact, SMS, and other types of private data from infected devices.[1] What makes TeaBot unique is the way that it spreads; TeaBot requires no malicious email, text message, fraudulent website, or third-party service to spread. Rather, it typically comes packaged in a dropper application.[1] A dropper is a program that seems legitimate from the outside, but in reality, acts as a medium to deliver a second-stage malicious payload.

TeaBot droppers have shrouded themselves in inherently “safe” things, like QR codes or PDF readers. Hank Schless, senior manager of security solutions at Lookout, said that attackers usually stay with apps like QR code scanners, flashlights, photo filters, or PDF scanners because those are apps that users download out of necessity, and are more than likely not looking at reviews that may dissuade them from downloading the app.[1] This strategy seems to be working; in January 2022, an app called QR Code Reader – Scanner App was found distributing 17 different TeaBot variants for over a month. The app had more than 100,000 downloads by the time it was discovered.[1]

App stores have rules and protections aimed at stopping the spread of malware. For example, Google Play Protect helps root our malicious apps before they are installed and scans for evidence of nefarious actions on a daily basis.[1] But TeaBot is different because TeaBot droppers are not obviously malicious; on the surface, they might seem normal and uninteresting. However, once a user opens one of these seemingly innocent apps, they are prompted to download a software update. The update is a second app containing a malicious payload.[1] If the user gives the app permission to install software from an unknown source, the infection process starts.

Like other Android malware, TeaBot attempts to leverage the device’s Accessibility Services. These attacks use an advanced remote access feature that exploits the TeamViewer application, a remote desktop sharing tool, which gives the cybercriminal remote control over the victim’s device.[1] The ultimate goal of these attacks is to steal sensitive information like login credentials, SMS, and two-factor authentication codes, and to perform malicious actions on the device.[1]

According to researchers at Cleafy, “in less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”[1] Shawn Smith, director of infrastructure at nVisium, says that real-time scanning of app downloads, including apps that do not originate from Google Play, would help to mitigate the problem. Smith also added that adding additional warning messages when installing app add-ons that do not come from Google Play could also be useful.[1] Until app stores have solved the problem with droppers, users need to remain vigilant and fight to keep their devices safe and secure.

IV. MITRE ATT&CK

  • T11475 – Deliver Malicious App via Authorized App Store
    Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Smartphones are often configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto target devices.
  • T1444 – Masquerade as Legitimate Application
    An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.
  • T1413 – Access Sensitive Data in Device Logs
    On versions of Android prior to 4.1, an adversary may use a malicious application holds the READ_LOGS permission to obtain private keys, passwords, other credentials or other sensitive data stored in the device’s system log. On Android 4.1 and later, an adversary would need to attempt to perform, an operating system privilege escalation attack to be able to access the log.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on endpoint protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/inzlsmaxpkn72bo64sv5wya7ythbftid

VII. References

(1) Cleafy Labs. “TeaBot Is Now Spreading across the Globe.” Cleafy Labs. Cleafy Labs, January 3, 2022. https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe.

(2) Nelson, Nate. “Teabot Trojan Haunts Google Play Store, Again.” Threatpost English Global, March 2, 2022. https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

2022-03-09T15:01:16-05:00March 9, 2022|

Cyberattackers Exploit DocuSign to Steal Microsoft Outlook Logins

I. Targeted Entities

  • DocuSign Users
  • Outlook Users

II. Introduction

A new phishing campaign has targeted a major U.S. payments company. The campaign is directed at a “major, publicly-traded integrated payments solution company located in North America,” and made use of DocuSign and a compromised third party’s email domain to skirt past email security measures.[2]

III. Background Information

Around 550 members of the targeted company received the same email from the same sender, “Hannah Mcdonald,” with a simple subject line and body of the email. From a screenshot provided by Threatpost from Armorblox, the subject line reads, “Hannah shared ‘Revised Contract’ with you.” The body of the email reads, “Hello Please review below and get back to me” with a link of a document through DocuSign, a common e-signature software.[2] The preview looks like a real DocuSign landing page, with a prompt to, “Please review and sign this document,” and a confirmation that other parties had already signed the document.[2] The preview was hosted on Axure, a valid, cloud-based prototyping portal. Ironically, like the real page, the fake page contained a warning in fine print, advising the target to not share access with others. [2]

The phishing emails successfully evaded traditional email security measures partly because they came from a domain belonging to TermBrokersInsurance. Researchers say that a scan of the domain address would not have triggered an alert for fraudulent activity because the domain is valid.[2] Microsoft’s Spam Confidence Level (SCL) measures the perceived legitimacy of an email; SCL rated these emails with a score of –1. This is the lowest score possible and allows emails to bypass filtering because it “is from a safe sender, was sent to a safe recipient or is from an email source server on the IP Allow List.”[2]

Impersonating and exploiting trusted cloud services is an increasingly common tactic to evade security filters; receiving a benign link from a seemingly known and trusted user or application is not inherently malicious. From January to March of 2021, researchers found 7 million malicious emails sent from Microsoft 365 and 45 million malicious emails sent from Google’s cloud services and infrastructure.[2] Cybercriminals have also used Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage to send phishing emails and to host attacks.[2]

Lauryn Cash, product marketing manager at Armorblox, mentions integrated cloud email security, which is a cloud- and AI-based method of identifying anomalous emails, as a countermeasure to support existing email security tools, and specifically mentions natural language understanding (NLU). NLU is the ability of a computer to interpret meaning from human language.[2] The Armorblox report ends by recommending that users remain vigilant about basic security hygiene; do not open emails they are not expecting, watch for targeted attacks, and use tools like password managers and multi-factor authentication.[2]

IV. MITRE ATT&CK

  • T1598.001 – Spearphishing Service
    Adversaries may send spearphishing messages via a third-party service to elicit sensitive information that can be used during targeting. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual or organization
  • T1598.002 Spearphishing Attachment
    Adversaries may send spearphishing messages with a malicious attachment to     elicit sensitive information that can be used during targeting
  • T1598.003 Spearphishing Link
    Adversaries may send spearphishing messages with a link to elicit sensitive         information that can be used during targeting

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/57zfghvpvrd3a6rlswbees5k6tsobuee

VII. References

(1) Cash, Lauryn. “Please Sign on the Dotted Line: DocuSign Phishing Attack.” Armorblox, February 24, 2022. https://www.armorblox.com/blog/blox-tales-please-sign-on-the-dotted-line-docusign-phishing-attack.

(2) Nelson, Nate. “Cyberattackers Leverage DocuSign to Steal Microsoft Outlook Logins.” Threatpost English Global, February 24, 2022. https://threatpost.com/cyberattackers-docusign-steal-microsoft-outlook-logins/178613/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

2022-03-03T16:11:23-05:00March 3, 2022|

Ransomware Group Releases NFL Team’s Files

I. Targeted Entities

  • San Francisco 49ers

II. Introduction

Just before the Super Bowl kicked off, and two days after the FBI warned about the cybercriminals, BlackByte leaked what seems to be the 49ers’ team files.

III. Background Information

The 49ers were recently on the receiving end of a BlackByte ransomware attack that temporarily affected the team’s corporate IT network on Super Bowl Sunday.[2] BlackByte is a ransomware-as-a-service (RaaS) gang that leases its ransomware to affiliates who share the ransomware profits; they claimed responsibility for the attack by leaking files allegedly stolen in the assault. The 49ers confirmed the attack to Threatpost the following Monday.[2] The 49ers consulted with third-party cybersecurity firms for assistance and also notified law enforcement. As of Monday, the team was still investigating, but it appears as though the intrusion was limited to the 49ers’ corporate IT network and did not affect ticket systems or systems at the 49ers’ stadium, Levi Stadium.[2] According to Joseph Carson, chief security scientist and advisory CISO at Delinea, it is likely that an affiliate hacked the 49ers, as opposed to BlackByte, given that BlackByte is an RaaS.[2]

BlackByte recently posted some files that seem to have been stolen from the team on a dark website in a file called 2020 Invoices.[2] BlackByte has not made its ransom demands public, nor have they specified how much data they stole or encrypted. Joseph Carson says that the timing of this attack makes this a case of cybercriminals preying on a major event, where attackers can get unsuspecting victims “to click on links, download and execute malicious software or give over their credentials, thinking they are accessing legitimate internet services, resulting in cybercriminals gaining initial access to networks and services.”[2]

The attack comes two days after the FBI and Secret Service released a joint TLP: WHITE cybersecurity advisory saying that BlackByte ransomware had breached the networks of at least three organizations from U.S. critical infrastructure sectors (government facilities, financial, and food & agriculture) in the last three months.[2]

BlackByte was first seen in July 2021 when it started victimizing organizations by exploiting known Microsoft Exchange vulnerabilities to worm its way into environments.[2] BlackByte was successful for a time, scoring wins against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia, but BlackByte hit a wall when Trustwave released a free decryption tool that allowed BlackByte victims to free their files.[4] BlackByte’s auction site has been considered a house of mirrors because the site claims to contain exfiltrated data from victims, but the ransomware itself doesn’t have the ability to exfiltrate data. This is done, most likely, to scare their victims into obeying their demands.[2]

Erich Kron, security awareness advocate at KnowBe4, focused on the FBI warning about BlackByte’s success in penetrating the critical infrastructure sector, which has been “plagued” by ransomware attacks.[2] Kron says that the critical nature of the systems means that it is imperative that the systems come back online quickly, which increases the likelihood that the victim pays the ransomware. Kron also says that the critical nature of the infrastructure also increases law enforcement attention, but that law enforcement busts have a low success rate, meaning that the groups are willing to take that risk.[2] Kron blames limited budgets, aging equipment, and shortages in cybersecurity staff for making critical infrastructure and many government entities susceptible to ransomware attacks.[2]

IV. MITRE ATT&CK

  • T1590 – Gather Victim Network Information
    Attackers focus on gathering information using ransomware attacked to collect data of the users through network systems.
  • T1027 – Obfuscated Files or Information
    Attackers use tools that download files to systems using encryption keys and store data information through the network of the systems.
  • T1213 – Data From Information Repositories
    Ransomware attacks are used to collect a wide variety of information and data during exchanged between users.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should alsobe educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/konq0383pcl8it2pjmfwbvke7bdj9nmb

VII. References

(1) FBI, Secret Service, ed. “Indicators of Compromise Associated with BlackByte Ransomware.” Internet Crime Compliant Center IC3, February 11, 2022. https://www.ic3.gov/Media/News/2022/220211.pdf.

(2) Vaas, Lisa. “BlackByte Tackles the SF 49ers & US Critical Infrastructure.” Threatpost English Global, February 14, 2022. https://threatpost.com/blackbyte-tackles-the-sf-49ers-us-critical-infrastructure/178416/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

2022-02-24T19:21:01-05:00February 24, 2022|