Links
https://www.sentinelone.com/blog/re-assessing-risk-subdomain-takeovers-as-supply-chain-attacks
https://www.cybersecuritydive.com/news/fortinet-threat-activity-older-vulnerabilities/745155
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
Fake Chrome, Real Threat: Inside the SpyNote Malware Campaign
- Attackers created fake websites that closely resemble the Google Chrome install page on the Google Play Store, tricking users into downloading malicious applications. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- SpyNote Malware
- a powerful Android remote access trojan (RAT)
- Capabilities
- Accessing SMS messages, contacts, call logs, location data, and stored files. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- Activating device cameras and microphones. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- Manipulating calls and executing arbitrary commands. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- Implementing keylogging functionality to capture application credentials. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- capture authentication credentials
- intercept two-factor authentication codes
- through Accessibility Services
- persistence techniques that often require a factory reset for complete removal
- Infrastructure:
- malicious domains were registered through NameSilo, LLC or XinNet Technology Corporation
- Hosted primarily by Lightnode Limited and Vultr Holdings LLC.
- websites share similar infrastructures
- minimal variations in malware configurations. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- Advanced Threat Actors
- Linked to OilRig (APT34), APT-C-37 (Pat-Bear), and OilAlpha
- Not necessarily attributable to them, but it shows the breadth of usage
- Use of both English and Chinese languages
- in the delivery sites
- within the malware code
- suggests a potential China nexus. https://cybersecuritynews.com/hackers-mimic-google-chrome-install-page/
- Organizations with bring-your-own-device policies are particularly vulnerable
- infected personal devices can connect to corporate networks
- Defense
- Educate Employees
- Conduct regular training sessions to raise awareness about phishing tactics and the dangers of downloading applications from unverified sources.
- Mobile Device Management (MDM)
- Utilize MDM solutions to enforce security policies, manage device configurations, and monitor suspicious activities on all devices accessing corporate resources.
- Application Whitelisting
- Restrict device installations to a list of approved applications to prevent the installation of unauthorized or malicious software.
- Monitor Network Traffic
- Deploy intrusion detection and prevention systems to monitor for unusual network traffic patterns that may indicate compromised devices.
- Restrict Accessibility Services
- Limit the use of Accessibility Services to trusted applications, as malware often exploits these services to gain extensive control over devices.
- Conduct Regular Security Audits
- Perform periodic security assessments to identify and remediate potential vulnerabilities within the organization’s infrastructure.
Dangling DNS: The Hidden Threat Lurking in Abandoned Subdomains
- Dangling DNS Record?
- A “dangling” DNS record, particularly a CNAME (Canonical Name) record, points to a resource that no longer exists or has been decommissioned
- Often happens when organizations migrate services, discontinue SaaS subscriptions, or decommission cloud resources without properly updating their DNS configurations.
- Vulnerability
- Attackers monitor for these orphaned DNS records
- Register the previously linked external resource
- they gain control over the subdomain
- allowing them to serve malicious content under the guise of a legitimate organizational domain.
- Supply Chain Vulnerability
- A compromised subdomain can be used to distribute malicious updates or software components
- transforms a simple configuration oversight into a devastating supply chain attack.
- Active Exploits
- SentinelOne researchers identified over 1,250 instances of subdomain takeover risks related to deprovisioned cloud resources in the past year alone.
- In one investigation, approximately 150 deleted AWS S3 buckets received over 8 million requests for container images, software updates, and VPN configurations.
- Defense
- Regular DNS Auditing
- Implement routine checks to identify and remove stale or unused DNS records, especially CNAME entries pointing to third-party services.
- Automated Monitoring Tools
- Utilize tools that can detect and alert on DNS misconfigurations or potential subdomain takeovers.
- Secure Decommissioning Processes
- Establish protocols to ensure that when services are discontinued, all associated DNS records are promptly and securely removed.
- Runtime Security Measures
- Deploy runtime security solutions capable of detecting and responding to unexpected behaviors, even if preventive measures fail.
- Employee Training and Awareness
- Educate staff about the risks associated with dangling DNS records and the importance of following proper procedures when decommissioning services.
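The "Regular DNS Auditing" step above is simple to automate. The script below is an added example, not code from the SentinelOne post: it parses CNAME records out of zone-file text and reports every record whose target no longer resolves. The zone excerpt and the resolver table are constructed; the resolver is injected so the check runs offline here and can be pointed at a real lookup (`real_resolve`) in production.

```python
"""Detect dangling CNAME records in a zone (added example, offline-runnable)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed zone-file excerpt for a hypothetical example.com.
# Two of the CNAMEs point at third-party hostnames that no longer exist.
SAMPLE_ZONE = """
; constructed example zone for example.com
www       300 IN CNAME  web-prod.example-cdn.net.
docs      300 IN CNAME  old-docs-bucket.s3.amazonaws.com.
status    300 IN CNAME  example-status.statuspage-host.io.
api       300 IN A      203.0.113.10
"""

# Constructed stand-in for DNS: None models NXDOMAIN / no answer.
FAKE_RESOLVER_TABLE = {
    "web-prod.example-cdn.net.": "198.51.100.20",
    "old-docs-bucket.s3.amazonaws.com.": None,
    "example-status.statuspage-host.io.": None,
}


@dataclass(frozen=True)
class CnameRecord:
    name: str
    target: str


def parse_cnames(zone_text: str) -> list[CnameRecord]:
    """Return CNAME records from zone-file text, ignoring comments and blank lines."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        # Zone RR layout: name [ttl] [class] TYPE rdata; find the TYPE token.
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            records.append(CnameRecord(name=fields[0], target=fields[idx + 1]))
    return records


def find_dangling(records: Iterable[CnameRecord],
                  resolve: Callable[[str], Optional[str]]) -> list[CnameRecord]:
    """Return the records whose target gets no answer from `resolve`."""
    return [r for r in records if resolve(r.target) is None]


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed table above."""
    return FAKE_RESOLVER_TABLE.get(name)


def real_resolve(name: str) -> Optional[str]:
    """Production resolver: returns an address, or None when the name does not resolve."""
    import socket
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


def audit_zone(zone_text: str,
               resolve: Callable[[str], Optional[str]] = fake_resolve) -> list[str]:
    """Human-readable findings: one 'name -> target' line per dangling CNAME."""
    return [f"{r.name} -> {r.target}"
            for r in find_dangling(parse_cnames(zone_text), resolve)]


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print("DANGLING CNAME:", finding)
```

A target that fails to resolve is the clearest signal, but not the only one: some hosted services keep the hostname resolving after the customer resource is deleted and answer with a service-specific "not found" page, so a production audit should add per-provider response fingerprints on top of this NXDOMAIN check.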
Fortinet Devices Face Stealthy Exploitation Despite Patches
- Targeted Vulnerabilities: Attackers are exploiting previously patched vulnerabilities
- CVE-2022-42475
- CVE-2023-27997
- CVE-2024-21762
- Despite earlier updates that resolved these vulnerabilities, the resulting compromises still exist.
- Persistence
- By creating symbolic links between user and root file systems via SSL-VPN language folders, attackers maintain read-only access even after patches are applied.
- Stealthy Access
- This method allows attackers to access sensitive files, including configurations, without detection.
- Defense
- Mitigation Measures: Fortinet has released updates in FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 to detect and remove these symbolic links.
- Conduct File System Audits: Regularly inspect devices for unauthorized symbolic links, especially in SSL-VPN directories.
- Implement Continuous Monitoring: Utilize security tools that can detect unusual file system changes and access patterns.
- Restrict Access: Limit administrative access to FortiGate devices and enforce strict authentication measures.
- Stay Informed: Subscribe to Fortinet and cybersecurity advisories to remain updated on emerging threats and recommended actions.
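The "Conduct File System Audits" step describes the generic problem behind this advisory: a symbolic link planted inside a web-served directory that points out into the rest of the filesystem. The script below is an added example and is not Fortinet's own detection logic; it generalises the check to any Unix-like host by walking a served tree and reporting every symlink whose resolved target escapes that tree. The directory names and sample links are constructed to mirror the description above, not real FortiOS paths.

```python
"""Report symlinks under a served tree that resolve to a target outside it (added example)."""
import os
import posixpath
from pathlib import PurePosixPath
from typing import Iterable


def is_outside(root: PurePosixPath, resolved_target: PurePosixPath) -> bool:
    """True when resolved_target is neither root nor a descendant of root."""
    try:
        resolved_target.relative_to(root)
        return False
    except ValueError:
        return True


def classify_links(root: str, links: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Pure check over (link_path, link_target) pairs.

    Relative targets are resolved against the link's own directory, absolute
    targets are used as-is, and '..' components are normalised before the
    containment test. Returns the pairs whose target escapes `root`.
    """
    root_p = PurePosixPath(posixpath.normpath(root))
    escaped = []
    for link, target in links:
        link_p = PurePosixPath(link)
        target_p = PurePosixPath(target)
        if not target_p.is_absolute():
            target_p = link_p.parent / target_p
        normalised = PurePosixPath(posixpath.normpath(str(target_p)))
        if is_outside(root_p, normalised):
            escaped.append((link, target))
    return escaped


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk a real directory (without following links) and audit every symlink found."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                found.append((path, os.readlink(path)))
    return classify_links(root, found)


# Constructed sample modelled on the advisory's description of links placed in
# SSL-VPN language folders. Only the first link stays inside the served tree.
SERVED_ROOT = "/var/www/sslvpn"
SAMPLE_LINKS = [
    ("/var/www/sslvpn/lang/en.json", "../shared/en.json"),       # inside the tree
    ("/var/www/sslvpn/lang/xx", "/"),                            # whole root filesystem
    ("/var/www/sslvpn/lang/cfg", "../../../../data/config"),     # traversal escape
]


if __name__ == "__main__":
    for link, target in classify_links(SERVED_ROOT, SAMPLE_LINKS):
        print(f"SUSPICIOUS SYMLINK: {link} -> {target}")
```

Run `scan_tree("/path/to/served/root")` on a live host to audit the real tree; the pure `classify_links` function is what the sample exercises, so the logic can be unit-tested without creating links on disk.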
Volt Typhoon Unveiled: China’s Covert Cyber Campaign Against U.S. Infrastructure
- Covert Acknowledgment:
- During the Geneva summit, Chinese representatives indirectly admitted to orchestrating the Volt Typhoon cyberattacks, which infiltrated various U.S. critical infrastructure sectors.
- The attacks were interpreted by U.S. officials as a strategic warning related to U.S. support for Taiwan, highlighting the geopolitical underpinnings of the cyber campaign.
- Volt Typhoon’s operations compromised systems across multiple sectors, including communications, manufacturing, utilities, construction, government, IT, maritime, transportation, and energy.
- The threat actors managed to maintain undetected access within the U.S. electric grid for approximately 300 days in 2023, raising concerns about the potential for significant disruptions.
- Concurrently, the Salt Typhoon group, also linked to China, targeted major American telecom firms, further emphasizing the breadth of China’s cyber espionage activities.
- Defense
- APTs are notoriously hard to defend against
- Implement Zero Trust Architecture
- Adopt a security model that requires continuous verification of user identities and device integrity, minimizing the risk of unauthorized access.
- Enhance Network Segmentation
- Divide networks into distinct segments to contain potential breaches and prevent lateral movement by attackers.
- Conduct Regular Threat Hunting
- Proactively search for indicators of compromise within systems to identify and address threats before they cause harm.
- Invest in Employee Training
- Educate staff on cybersecurity best practices and emerging threats to foster a security-conscious organizational culture.
- Collaborate with Industry Partners
- Engage in information sharing with industry peers and government agencies to stay informed about the latest threat intelligence.