Vulnerabilities in hosted email services could allow for industrial-scale email spoofing
A pair of vulnerabilities found in typical hosted email service provider environments could allow an attacker to bypass email authentication controls such as DMARC. Using the newly disclosed vulnerabilities (CVE-2024-7208 and CVE-2024-7209), an authenticated attacker in a hosted multi-tenant environment could modify the headers of emails they send so that the messages appear to come from another tenant of the same hosted service.
The attack works because many hosted email services do not check which domains an authenticated user is permitted to send email for. By sending spoofed email through such a service, an attacker can bypass the protection DMARC provides: the message passes the provider's authentication, arrives in recipient inboxes unhindered, and appears fully legitimate.
To protect their users, email service providers are advised to implement the necessary checks to verify the identity of authenticated senders against authorized domains.
According to the advisory published by Carnegie Mellon University, a number of hosted email service providers are impacted by these issues but many, including major service providers, have yet to confirm whether they are affected or not.
Ransomware attack disrupts operations at OneBlood blood bank
OneBlood, a blood bank serving over 300 U.S. hospitals, suffered a ransomware attack that disrupted medical operations. The not-for-profit organization helps ensure a stable blood supply to hospitals, which raises concerns that surgeries and treatments may be affected by the attack.
While OneBlood is still operational, it is functioning at a significantly reduced capacity. “In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being,” said Susan Forbes, OneBlood senior vice president of corporate communications and public relations.
OneBlood did not provide details about the attack, such as the ransomware that infected its systems and if it had suffered a data breach.
BingoMod Android malware empties bank accounts, wipes devices
A newly uncovered Android malware dubbed BingoMod wipes victims’ devices after stealing money from their bank accounts.
Researchers at Cleafy discovered the malware, which is promoted through text messages and poses as a legitimate mobile security tool. According to the researchers, BingoMod is under active development, with its author currently working on reducing the malware’s detection rate by adding code obfuscation and various evasion mechanisms.
Upon installation, the malware requests permission to use Accessibility Services, giving it extensive control of the device. Once installed, the malware steals login credentials, takes screenshots, and intercepts SMS messages.
BingoMod then establishes a socket-based channel to receive commands and an HTTP-based channel to send screenshots. Using information from screenshots, the threat actors can bypass bank users’ identity verification and authentication processes, and avoid behavioral detection techniques applied by banks to identify suspicious money transfers. The malware can also conduct overlay attacks.
BingoMod typically wipes infected devices after a successful fraudulent transfer, in an attempt to hinder forensic investigations.
North Korean threat actors targeting developers worldwide with fake jobs
A North Korea-based threat actor responsible for the attack campaign dubbed DEV#POPPER, which originally targeted only South Korean developers, is said to be back. Researchers have observed a new campaign that targets users across multiple platforms and regions, including Europe, the Middle East, and North America.
The attackers are believed to be targeting software developers in these regions with fake job offers and even conducting fake remote job interviews to convince the victim of the legitimacy of the process. During the course of the fake selection process, the candidate is requested to participate in a practical challenge where they are required to download a ZIP file (onlinestoreforhirog.zip) and execute its contents.
The ZIP file contains mostly legitimate code but embedded within it is heavily obfuscated JavaScript that contains functionality to collect data about the local environment and send it to a command-and-control (C&C) server. It then downloads a second-stage ZIP file that contains Python code. This decodes and dumps an additional file that provides typical backdoor functionality to the attackers, such as information stealing, keylogging, remote access, and uploading/downloading files. The malware used in the new campaign adds some functionality, as well as enhancing previously seen functions, to help the attackers achieve a more robust infection.
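A triage step a defender can apply to a "coding challenge" archive like the one described above before anything in it is executed, as an added example (not the researchers' tooling): unpack the ZIP in memory and flag JavaScript members that show obfuscation indicators. The patterns, thresholds and the sample archive are constructed assumptions, not artifacts from the campaign.

```python
import io
import math
import re
import zipfile

# Assumed obfuscation indicators; each is (regex, human-readable label).
SUSPICIOUS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bFunction\s*\(", "Function() constructor"),
    (r"(\\x[0-9a-fA-F]{2}){8,}", "long run of hex-escaped characters"),
    (r"['\"][A-Za-z0-9+/=]{200,}['\"]", "long base64-like string literal"),
    (r"\bchild_process\b|\bos\.(?:platform|hostname)\(", "host fingerprinting / process spawning"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded payloads push this well above plain code."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def scan_js(source: str) -> list:
    """Return the list of indicators found in one JavaScript source file."""
    findings = [label for pat, label in SUSPICIOUS if re.search(pat, source)]
    longest = max((len(line) for line in source.splitlines()), default=0)
    if longest > 2000:  # assumed threshold for minified/packed single-line code
        findings.append("line longer than 2000 chars (minified or packed)")
    if shannon_entropy(source.encode()) > 5.2:  # assumed threshold
        findings.append("high entropy")
    return findings

def scan_archive(zip_bytes: bytes) -> dict:
    """Map every .js/.mjs/.cjs member to its findings; an empty list means nothing flagged."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".js", ".mjs", ".cjs")):
                text = zf.read(info).decode("utf-8", errors="replace")
                report[info.filename] = scan_js(text)
    return report

def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary source file and one packed file buried
    under a plausible-looking path, mirroring the 'mostly legitimate code' pattern."""
    benign = "export function total(items) {\n  return items.reduce((a, b) => a + b.price, 0);\n}\n"
    packed = ("var _0x=['\\x68\\x6f\\x73\\x74\\x6e\\x61\\x6d\\x65'];"
              "eval(Function('return ' + _0x[0])());")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/cart.js", benign)
        zf.writestr("node_modules/util/helper.js", packed)
    return buf.getvalue()
```

Any member with a non-empty findings list should be read by a human, or detonated in an isolated sandbox, before the archive is treated as a legitimate assignment.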
Microsoft Azure outage caused by DDoS attack
Microsoft revealed that the global nine-hour outage of several Azure and Microsoft 365 services on July 30 was caused by a distributed denial-of-service (DDoS) attack, which was exacerbated by “an error” in its response to the attack.
Microsoft said the outage impacted several services, including Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal, and Microsoft 365 and Microsoft Purview services.
“While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it,” Microsoft explained. The incident led to an unexpected usage spike that “resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, leading to intermittent errors, timeout, and latency spikes.”
To address the issue, the company implemented networking configuration changes and used a failover process for alternate networking paths.