Threat Landscape Bulletin - July 31, 2024

July 31, 2024

Produced by Symantec's Threat Hunter Group, the Threat Landscape Bulletin brings you an up-to-date summary of all the news from the world of cybersecurity. Every weekday, we curate and deliver all the information you need to know directly to your inbox.

Check out the Threat Landscape Bulletin archive, which contains all previous editions and can be searched by keyword.

For updates on how Symantec products protect you against threats that are in the news, visit the Symantec Protection Bulletin.

 

Leafperforator: New attacks target maritime facilities

A new cyberespionage campaign carried out by the nation-state advanced persistent threat (APT) group Leafperforator (aka SideWinder) targets ports and maritime facilities in the Indian Ocean and Mediterranean Sea.

According to the BlackBerry Research and Intelligence Team, regions targeted by the spear-phishing campaign include Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

Active since at least 2012, Leafperforator is assessed to be affiliated with India. “SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants,” BlackBerry researchers said. The latest campaign uses lures related to sexual harassment, employee termination, and salary cuts in order to trick recipients into opening booby-trapped Microsoft Word documents.

The attackers exploit known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) in their attacks to establish contact with a malicious domain, download additional files, and execute JavaScript. While the end result of the JavaScript code is unknown, based on prior Leafperforator campaigns, the end goal is likely intelligence gathering.

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

DigiCert revokes large number of certificates at short notice due to issuing error

Some admins using SSL/TLS certificates issued by DigiCert recently had only 24 hours to replace them before DigiCert revoked them. The reason given for the revocation of "approximately 0.4 percent of the applicable domain validations we have in effect" was an error in the issuing process, first introduced back in 2019.

The process, which involves a step called Domain Control Verification (DCV), is supposed to verify that the applicant of a certificate is actually the owner of the domain name. This process was performed improperly for a small proportion of certificates issued because an underscore prefix was not added to a random value used in the verification DNS CNAME record. 

Even though the risk posed by this error is said to be extremely low, due to the rules governing the technology, affected certificates must be revoked within 24 hours of discovery without any exception.

Customers impacted by this action were notified by DigiCert and provided with appropriate steps to take to avoid any service disruptions.
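To show the shape of the check that went wrong, here is an added illustration of the DNS-change domain control validation step. It is not DigiCert's code; the CA target name, zone contents and random values are constructed, and the treatment of the random value's length is an assumption noted in the code.

```python
"""Shape check for the DNS-change domain control validation (DCV) record.

Added example for the DigiCert story above; it is not DigiCert's code and
the CA name, zone contents and random values are constructed. It models the
step that was wrong: the random value the CA hands the applicant is expected
to be published as a DNS label with a leading underscore
(_<random>.example.com CNAME <ca-target>). Underscore labels cannot be
ordinary host names, so such a record must have been created deliberately by
whoever controls the zone; a label without the underscore is an ordinary
host name that could already exist or be created for unrelated reasons.
"""
import secrets
from typing import Dict, List, Tuple

CA_DCV_TARGET = "dcv.ca.example."  # constructed: the CNAME target the CA expects
RANDOM_VALUE_BYTES = 16            # 128 bits; assumption: at or above the CA's entropy minimum

Zone = Dict[str, str]  # owner name (FQDN with trailing dot) -> CNAME target


def new_random_value() -> str:
    """Fresh random value the CA would send to the applicant."""
    return secrets.token_hex(RANDOM_VALUE_BYTES)


def dcv_label(domain: str, random_value: str, underscore: bool = True) -> str:
    """Owner name the CA tells the applicant to create."""
    prefix = "_" if underscore else ""
    return f"{prefix}{random_value}.{domain}.".lower()


def _lookup_cname(zone: Zone, owner: str) -> Tuple[bool, str]:
    """Stand-in for a DNS CNAME lookup against the constructed zone."""
    target = zone.get(owner.lower())
    if target is None:
        return False, f"no CNAME at {owner}"
    if target.lower() != CA_DCV_TARGET:
        return False, f"CNAME at {owner} points to {target}, not {CA_DCV_TARGET}"
    return True, "ok"


def verify_dcv(zone: Zone, domain: str, random_value: str) -> Tuple[bool, str]:
    """Correct check: the value must sit under an underscore-prefixed label."""
    return _lookup_cname(zone, dcv_label(domain, random_value, underscore=True))


def flawed_verify_dcv(zone: Zone, domain: str, random_value: str) -> Tuple[bool, str]:
    """The defect as the article describes it: the same lookup, but the
    underscore was never added, so an ordinary host-name record satisfies it."""
    return _lookup_cname(zone, dcv_label(domain, random_value, underscore=False))


def find_affected(validations: List[Tuple[str, str]]) -> List[str]:
    """Audit past validations (domain, owner name used) and return the domains
    whose DCV label lacked the underscore: these need re-validation and, under
    the rules the article cites, revocation of the certificates they backed."""
    affected = []
    for domain, owner in validations:
        first_label = owner.split(".", 1)[0]
        if not first_label.startswith("_"):
            affected.append(domain)
    return affected


if __name__ == "__main__":
    rv = new_random_value()
    zone = {dcv_label("example.com", rv): CA_DCV_TARGET}
    print("strict check:", verify_dcv(zone, "example.com", rv))
    print("flawed check:", flawed_verify_dcv(zone, "example.com", rv))
```

The `find_affected` audit is the part a CA (or a customer reviewing its own validation history) would run to locate the small fraction of validations performed with the wrong label; the two verifier functions exist only to show how the missing underscore changes which DNS record satisfies the check.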

HealthEquity to notify 4.3 million victims of data breach discovered in June 2024

After a period of investigation into a data breach that occurred in March 2024, HealthEquity, a major U.S. financial services institution focused on helping people save for healthcare expenses, has notified the Maine Attorney General of its intentions to send communications and offer free credit monitoring and other services to 4.3 million individuals who may be impacted by the breach.

The breach is reported to have exposed private data for almost a third of the company’s 15 million customers. The data exposed includes personally identifiable information (PII) such as names, addresses, phone numbers, Social Security numbers, information about employers and dependents, as well as payment card information in some cases.

The cause of the breach is said to be due to the compromise of a user account at a third party vendor, which allowed the attacker to gain access to an “unstructured data repository” which was hosted outside of HealthEquity’s own networks. 

Fortune 500 firm pays record-breaking $75 million ransom

The Dark Angels ransomware group received a $75 million ransom payment from a Fortune 500 company, breaking the record for the largest ransomware-related transaction ever reported.

According to Zscaler researchers, the unnamed company paid the ransom following an attack that occurred in early 2024. The $75 million ransom beats the previous record of $40 million paid by insurance giant CNA following an Evil Corp ransomware attack.

While Zscaler did not name the company that made the ransom payment, BleepingComputer speculates that it could be pharmaceutical giant Cencora. The Fortune 50 firm suffered a ransomware attack in February 2024; however, no ransomware group claimed responsibility for the incident, potentially indicating that the company paid the ransom.

Active since at least May 2022, the Dark Angels ransomware group targets a range of sectors, including healthcare, government, finance, and education, and has recently focused on large industrial, technology, and telecommunications companies.

Major SMS stealing campaign targets Android users in 113 countries

A major Android malware campaign is reported to have hit users from across 113 different countries. The most heavily affected countries by far are India and Russia, followed by Brazil, Mexico, the U.S., Ukraine, and Spain. 

Victims of the campaign are believed to be infected via a number of methods, including fake app stores advertised online and Telegram bots: the attackers operate around 2,600 of them, which users encounter when searching for pirated Android apps online. In one instance observed by researchers, the Telegram bot requested the phone number of the intended victim. The phone number was then used to customize the APK offered to the victim to sideload onto their device. 

Once installed, the malicious APK requests various permissions to enable it to perform its malicious activities, which include intercepting SMS messages and stealing data such as one-time passwords used for multi-factor authentication for sites belonging to over 600 different brands. In addition to stealing information, the malware connects to one of 13 command-and-control servers, enabling the attackers to access and execute commands on the device remotely.

The campaign is said to have involved the use of over 100,000 distinct malware samples, though this may be due to the customization of each APK used for infection with the victim’s phone number. 

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

Cybersecurity lapses led to breach of 40 million UK voters’ data

The UK's privacy watchdog on Tuesday (July 30) reprimanded the country’s Electoral Commission for security failings leading to the compromise of personal information of 40 million people during a 2021 cyberattack.

The Information Commissioner’s Office (ICO) found that the election agency failed to ensure systems were up to date with the latest security updates and did not have sufficient password policies. “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” ICO Deputy Commissioner Stephen Bonner said in a statement.

Chinese state-backed hacking group Sheathminer (aka APT31), which carried out the attack, accessed the personal information, including names and home addresses, of people registered to vote in the UK since 2014. Sheathminer accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known vulnerabilities in the system. Patches for the vulnerabilities in question (ProxyShell) had been made available in April and May 2021, months before the attack, according to the ICO. 

 
You can control who receives email notifications for a specific report type in the ICDm console.
See this topic for more details: Managing and configuring report recipients

This is an automated message. Please do not reply to this email.

Copyright © 2024 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Other names may be trademarks of their respective owners.

Threat Landscape Bulletin - August 1, 2024

August 1, 2024


Vulnerabilities in hosted email services could allow for industrial-scale email spoofing

A pair of vulnerabilities found in typical hosted email service provider environments could allow an attacker to bypass normal email security protocols such as DMARC. Using the newly discovered vulnerabilities (CVE-2024-7208 and CVE-2024-7209), an authenticated attacker in a hosted multi-tenant environment could modify the headers of emails they send so as to make them appear to come from another tenant of the same hosted service. 

The attack works because many hosted email services do not check which domains an authenticated user is allowed to send email for. By sending spoofed emails this way, an attacker could bypass the protection provided by DMARC, with the email arriving in recipient inboxes unhindered and appearing to be fully legitimate.

To protect their users, email service providers are advised to implement the necessary checks to verify the identity of authenticated senders against authorized domains. 
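As an added illustration of the check the advisory recommends (not code from any provider or from the CMU advisory), the following example shows a message-submission authorization step that ties an authenticated account to the domains its tenant controls. The tenant table, domain names and function names are constructed.

```python
"""Sender-domain authorization at the message-submission layer.

Added example for the hosted-email spoofing issue described above
(CVE-2024-7208 / CVE-2024-7209). It is not code from any provider or from the
CMU advisory: the tenant table, the domain names and the function names are
constructed for illustration. The check enforces what the advisory recommends:
an authenticated account may only submit mail whose envelope sender
(MAIL FROM) and RFC 5322 From: header both use domains its own tenant controls.
DMARC aligns on the header From: domain, so the header check is the one that
closes the spoofing path.
"""
from email.utils import parseaddr
from typing import Dict, Set

# Constructed tenant registry: authenticated account -> domains it controls.
TENANT_DOMAINS: Dict[str, Set[str]] = {
    "tenant-a": {"alpha.example"},
    "tenant-b": {"bravo.example"},
}


def _domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if it cannot be parsed)."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def _owned(domain: str, allowed: Set[str]) -> bool:
    """True if `domain` is one of the tenant's domains or a subdomain of one.
    Subdomains are accepted so a tenant can send as news.alpha.example, which
    mirrors DMARC relaxed alignment (subdomains of the organizational domain align)."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def authorize_submission(tenant: str, mail_from: str, header_from: str) -> bool:
    """Corrected behaviour: both identities must belong to the authenticated tenant."""
    allowed = TENANT_DOMAINS.get(tenant)
    if not allowed:
        return False
    env_domain = _domain_of(mail_from)
    hdr_domain = _domain_of(header_from)
    if not env_domain or not hdr_domain:
        return False  # unparsable addresses are rejected, not guessed at
    return _owned(env_domain, allowed) and _owned(hdr_domain, allowed)


def vulnerable_submission(tenant: str, mail_from: str, header_from: str) -> bool:
    """The flawed behaviour the advisory describes: the service only confirms
    that the account authenticated and never asks which domains it may use.
    Mail then leaves through the provider's shared outbound infrastructure,
    which the spoofed tenant's SPF/DKIM setup already trusts, so the
    recipient's DMARC evaluation passes."""
    return tenant in TENANT_DOMAINS


if __name__ == "__main__":
    spoof = ("tenant-b", "ops@bravo.example", "CEO <ceo@alpha.example>")
    print("vulnerable accepts cross-tenant From:", vulnerable_submission(*spoof))
    print("corrected accepts cross-tenant From:", authorize_submission(*spoof))
```

The envelope check alone is not enough: a tenant could keep its own MAIL FROM and still forge the visible From: header, and that header is what DMARC alignment and the recipient's mail client both use. Rejecting unparsable addresses rather than falling through to "allow" keeps a malformed header from slipping past the comparison.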

According to the advisory published by Carnegie Mellon University, a number of hosted email service providers are impacted by these issues but many, including major service providers, have yet to confirm whether they are affected or not.

Ransomware attack disrupts operations at OneBlood blood bank

OneBlood, a blood bank serving over 300 U.S. hospitals, suffered a ransomware attack that disrupted medical operations. The not-for-profit organization helps ensure a stable blood supply to hospitals, causing concerns that surgeries and treatments may be impacted by the attack. 

While OneBlood is still operational, it is functioning at a significantly reduced capacity. “In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being,” said Susan Forbes, OneBlood senior vice president of corporate communications and public relations.

OneBlood did not provide details about the attack, such as the ransomware that infected its systems and if it had suffered a data breach.

BingoMod Android malware empties bank accounts, wipes devices

A newly uncovered Android malware dubbed BingoMod wipes victims’ devices after stealing money from their bank accounts.

Researchers at Cleafy discovered the malware, which is promoted through text messages and poses as a legitimate mobile security tool. According to the researchers, BingoMod is under active development, with its author currently working on reducing the malware’s detection rate by adding code obfuscation and various evasion mechanisms.

Upon installation, the malware requests permission to use Accessibility Services, giving it extensive control of the device. Once installed, the malware steals login credentials, takes screenshots, and intercepts SMS messages. 

BingoMod then establishes a socket-based channel to receive commands and an HTTP-based channel to send screenshots. Using information from screenshots, the threat actors can bypass bank users’ identity verification and authentication processes, and avoid behavioral detection techniques applied by banks to identify suspicious money transfers. The malware can also conduct overlay attacks.

BingoMod typically wipes infected devices after a successful fraudulent transfer, in an attempt to hinder forensic investigations. 

North Korean threat actors targeting developers worldwide with fake jobs

A North Korea-based threat actor responsible for an attack campaign dubbed DEV#POPPER, which originally targeted only South Korean developers, is said to be back. Researchers have observed a new campaign that targets users in different regions and on multiple platforms. The latest campaign targets victims in multiple regions, including Europe, the Middle East, and North America. 

The attackers are believed to be targeting software developers in these regions with fake job offers and even conducting fake remote job interviews to convince the victim of the legitimacy of the process. During the course of the fake selection process, the candidate is requested to participate in a practical challenge where they are required to download a ZIP file (onlinestoreforhirog.zip) and execute its contents. 

The ZIP file contains mostly legitimate code but embedded within it is heavily obfuscated JavaScript that contains functionality to collect data about the local environment and send it to a command-and-control (C&C) server. It then downloads a second-stage ZIP file that contains Python code. This decodes and dumps an additional file that provides typical backdoor functionality to the attackers, such as information stealing, keylogging, remote access, and uploading/downloading files. The malware used in the new campaign adds some functionality, as well as enhancing previously seen functions, to help the attackers achieve a more robust infection.

Microsoft Azure outage caused by DDoS attack

Microsoft revealed that the global nine-hour outage of several Azure and Microsoft 365 services on July 30 was caused by a distributed denial-of-service (DDoS) attack, which was exacerbated by “an error” in its response to the attack. 

Microsoft said the outage impacted several services, including Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal, and Microsoft 365 and Microsoft Purview services. 

“While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it,” Microsoft explained. The incident led to an unexpected usage spike that “resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, leading to intermittent errors, timeout, and latency spikes.”

To address the issue, the company implemented networking configuration changes and used a failover process for alternate networking paths.


Attack Vectors: How Malicious Actors Penetrate Networks

Dear customer,

The most effective way to block a sophisticated attack is at the first step—the attack vector. This new whitepaper from Symantec's Threat Hunter Team looks at current attack vectors used to gain access to and compromise networks.

The whitepaper includes current information on exploits, botnets, email, and supply chain attacks; real-world examples of how threat actors use these vectors to gain an initial foothold on networks; and advice on protecting against targeted attacks.

Note: You are receiving this email because Symantec Threat Intelligence reports are now shared with customers via the ICDm console. You can add and remove report recipients using the “Reports and Templates” tab of the console. See here for more details.


Threat Landscape Bulletin - August 2, 2024

August 2, 2024


Note: There will be no Threat Landscape Bulletin on Monday, August 5.

Taiwan government-backed research org targeted by Grayfly APT group

The Chinese advanced persistent threat (APT) group Grayfly (aka APT 41) compromised a Taiwanese government-affiliated research institute working on sensitive technologies, according to a report from Cisco Talos.

Grayfly breached the unnamed organization, which Cisco said “specializes in computing and associated technologies,” during a campaign that began in July 2023. “The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them,” the researchers said.

Cisco tied the attack to Grayfly based on specific kinds of malware, tactics, and open-source tools used. The hackers deployed the ShadowPad malware — favored among China-based hackers — and several additional tools were written in Simplified Chinese.

The initial access method used by the attackers is unclear; however, Cisco said the hackers compromised at least three devices and were “able to exfiltrate some documents from the network.” The threat actors used backdoors and compression tools to exfiltrate stolen data. 

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

Cloudflare Tunnels abused to spread malware

Threat actors are increasingly abusing the Cloudflare Tunnel service to spread malware, according to researchers. 

According to reports from eSentire and Proofpoint, malicious actors are using Cloudflare's TryCloudflare free service to create a one-time tunnel to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure. 

Financially motivated campaigns taking advantage of this tactic have been seen delivering malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. 

The attackers gain initial access via phishing emails containing a ZIP archive, which includes a URL shortcut file that leads the email recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. The shortcut file executes batch scripts that retrieve and execute additional Python payloads, while simultaneously displaying a decoy PDF document hosted on the same WebDAV server.

“A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively,” explained eSentire.

“The use of Cloudflare tunnels provides the threat actors a way to use temporary infrastructure to scale their operations, providing flexibility to build and take down instances in a timely manner,” Proofpoint said.
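For defenders, the delivery chain above is visible in web proxy logs. The following added detection example (not from eSentire or Proofpoint; the log format, field layout and sample lines are constructed) scores requests to `*.trycloudflare.com` hosts, raising the score when the traffic looks like WebDAV or fetches a file type that executes rather than displays.

```python
"""Flagging TryCloudflare-hosted payload delivery in web proxy logs.

Added detection example for the campaign described above; it is not from
eSentire or Proofpoint, and the log format, field names and sample lines are
constructed. The chain in the article is: URL shortcut -> Windows shortcut
(.lnk) fetched from a WebDAV share behind a *.trycloudflare.com host ->
batch script -> Python payload, with a decoy PDF served from the same host.
Every trycloudflare.com request is recorded; the severity rises when the
request looks like WebDAV traffic or fetches an executable file type.
TryCloudflare also has legitimate developer uses, so hits are triage
candidates, not verdicts.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".lnk", ".url", ".bat", ".cmd", ".vbs", ".js", ".py", ".zip")
WEBDAV_METHODS = {"PROPFIND", "OPTIONS", "MKCOL"}
WEBDAV_UA_MARKER = "webdav"  # the Windows WebDAV client identifies as Microsoft-WebDAV-MiniRedir

# Constructed proxy lines: <time> <client> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-08-01T09:12:01Z 10.0.0.21 PROPFIND https://random-words-here.trycloudflare.com/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-08-01T09:12:03Z 10.0.0.21 GET https://random-words-here.trycloudflare.com/share/invoice.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-08-01T09:12:05Z 10.0.0.21 GET https://random-words-here.trycloudflare.com/share/invoice.pdf 200 "Mozilla/5.0"
2024-08-01T09:15:00Z 10.0.0.40 GET https://www.example.com/index.html 200 "Mozilla/5.0"
"""


def _is_trycloudflare(host: str) -> bool:
    """Match the apex or any subdomain, never a look-alike such as trycloudflare.com.evil.example."""
    return host == "trycloudflare.com" or host.endswith(".trycloudflare.com")


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return an alert dict for a trycloudflare.com request, else None."""
    try:
        _ts, client, method, url, _status, ua = line.split(" ", 5)
    except ValueError:
        return None  # malformed line; a real pipeline would count these separately
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not _is_trycloudflare(host):
        return None
    reasons: List[str] = []
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable-type download")
    if method.upper() in WEBDAV_METHODS or WEBDAV_UA_MARKER in ua.lower():
        reasons.append("WebDAV client traffic")
    return {
        "client": client,
        "host": host,
        "path": parsed.path,
        "reasons": reasons,
        "severity": "high" if reasons else "low",
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify over every line and keep the alerts."""
    alerts = []
    for line in log_text.splitlines():
        alert = classify(line.strip())
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["host"], alert["path"], alert["reasons"])
```

The low-severity hit on the decoy PDF is deliberate: on its own it is harmless, but it shares a host and client with the two high-severity requests, so a second stage that groups alerts by client and host would surface the whole chain together.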

Millions of domains at risk from “Sitting Duck” DNS hijack attack

Russia-based threat actors have hijacked over 30,000 domains since 2019 using a technique dubbed Sitting Duck. The name refers to how vulnerable domains sit out in the open, waiting for an attacker to discover and take them over.

The technique used to perform these attacks is not new; it was documented by Mathew Bryant of thehackerblog.com back in 2016. At the time, he disclosed some interesting issues with DNS service providers that could allow an attacker to take over virtually any domain due to a lack of ownership verification in the registration/setup process. 

For an attack to be successful, a number of conditions have to be met:

  • A domain or subdomain owner delegates DNS to a different authoritative DNS service provider than their registrar.
  • The delegation is not effective and is considered “lame” because the delegated DNS provider does not have the necessary information to resolve the delegated domain.
  • The DNS provider is exploitable because they don’t have a domain ownership verification in their setup process for domains. This could allow an attacker to “claim” any susceptible domains without the domain owner knowing.

Despite requiring what seems like an unlikely confluence of conditions for the attack to be possible, it is estimated that there are over a million domains susceptible to the Sitting Duck attack just waiting to be discovered by an attacker.

Domain owners should check the recommendations outlined in this blog to mitigate the risk from this attack technique.
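The first two conditions in the list above are observable in DNS, so a domain owner can audit their own names for them. The following added example (not from the report the article cites; the nameserver names and responses are constructed, and `query_soa` stands in for a real lookup such as one made with dnspython) checks each delegated nameserver for the "lame" condition and reports whether the delegation is third-party.

```python
"""Auditing a delegation for the 'lame' condition behind Sitting Duck.

Added example; it is not from the report the article cites. The conditions
listed above reduce to a DNS check a domain owner can run on their own
names: for each nameserver the parent zone delegates to, ask it for the
zone's SOA record and see whether it answers authoritatively. REFUSED,
SERVFAIL, a timeout, or NOERROR without the AA (authoritative answer) flag
means that server does not actually hold the zone, so the delegation is
lame. Whether the provider then lets someone else add the zone without
proving ownership (the third condition) cannot be learned from DNS alone
and must be checked against the provider's signup process. `query_soa` is a
stand-in for a real lookup (dnspython would do); all responses below are
constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SoaAnswer:
    rcode: str  # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL", "TIMEOUT"
    aa: bool    # authoritative-answer flag set in the response header


@dataclass
class DelegationReport:
    domain: str
    third_party_delegation: bool  # condition 1: NS not run by the registrar
    lame_nameservers: List[str] = field(default_factory=list)  # condition 2

    @property
    def at_risk(self) -> bool:
        """Both DNS-observable conditions hold; provider policy still decides."""
        return self.third_party_delegation and bool(self.lame_nameservers)


def is_lame(answer: SoaAnswer) -> bool:
    """A server holding the zone answers NOERROR with AA set; anything else is lame."""
    return not (answer.rcode == "NOERROR" and answer.aa)


def audit_delegation(
    domain: str,
    nameservers: List[str],
    registrar_ns_suffix: str,
    query_soa: Callable[[str, str], SoaAnswer],
) -> DelegationReport:
    """Check every delegated nameserver for `domain` and summarize the findings."""
    suffix = "." + registrar_ns_suffix.lower().lstrip(".")
    third_party = any(not ns.lower().endswith(suffix) for ns in nameservers)
    report = DelegationReport(domain=domain, third_party_delegation=third_party)
    for ns in nameservers:
        if is_lame(query_soa(domain, ns)):
            report.lame_nameservers.append(ns)
    return report


# Constructed responses standing in for live queries.
CONSTRUCTED_RESPONSES: Dict[Tuple[str, str], SoaAnswer] = {
    ("shop.example", "ns1.registrar-dns.example"): SoaAnswer("NOERROR", True),
    ("shop.example", "ns1.thirdparty-dns.example"): SoaAnswer("REFUSED", False),
    ("shop.example", "ns2.thirdparty-dns.example"): SoaAnswer("SERVFAIL", False),
    ("blog.example", "ns1.thirdparty-dns.example"): SoaAnswer("NOERROR", True),
    ("blog.example", "ns2.thirdparty-dns.example"): SoaAnswer("NOERROR", True),
}


def fake_query_soa(domain: str, nameserver: str) -> SoaAnswer:
    """Stand-in for a real SOA query; unknown pairs behave like a timeout."""
    return CONSTRUCTED_RESPONSES.get((domain, nameserver), SoaAnswer("TIMEOUT", False))


if __name__ == "__main__":
    for name in ("shop.example", "blog.example"):
        report = audit_delegation(
            name, ["ns1.thirdparty-dns.example", "ns2.thirdparty-dns.example"],
            "registrar-dns.example", fake_query_soa)
        print(name, "lame:", report.lame_nameservers, "at risk:", report.at_risk)
```

Treating a timeout as lame errs toward a false positive, which is the right direction for an audit: a nameserver that never answers for your zone deserves the same follow-up as one that refuses.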

Attackers using fake answers on Stack Exchange to spread malware

Researchers have discovered an attack campaign that uses fake answer posts on Stack Exchange to spread malware. Stack Exchange is a popular online IT knowledge website that IT professionals often use to share and exchange knowledge for IT/development-related problems. 

In this particular malware campaign, the attackers appear to be focused on targeting cryptocurrency users and developers with a backdoor Trojan that can be used to steal information, particularly that which is related to cryptocurrencies. 

The attackers made posts on the website with information about how to use or perform certain actions using Raydium, a decentralized automated market maker protocol running on the Solana blockchain. Users targeted by these attackers are likely to be individuals who are interested in building trading bots and who are likely to have funds that could be targeted for theft.

The posts are often posted to answer specific questions and are carefully crafted to provide legitimate-looking information, but ultimately lead the reader to download and install fake Python packages hosted on PyPi. The packages were named as raydium, raydium-sdk, sol-instruct, sol-structs, and spy-types. While these packages are no longer available, they racked up over 2,000 downloads in total while they were still available. 

Attackers develop technique to easily hide bytecode malcode

A group of researchers from NTT Security Holdings Corp are planning to demonstrate a new technique to make it easier to hide malicious code on a computer by hijacking the memory used by software interpreters.

The technique, dubbed Bytecode Jiu-Jitsu, involves feeding malicious bytecode into the interpreter by replacing existing bytecode already present in memory and used by the interpreter. By doing this, when the interpreter goes to fetch and execute the expected bytecode from memory, it receives the injected code instead and executes it. 

One drawback of bytecode hijacking is its difficulty, but the researchers have created an automated technique that can be used to analyze interpreter executables to find the necessary injection points for a successful attack on many different interpreters. This technique makes it considerably easier to carry out such an attack. 

The researchers have confirmed their technique works with VBScript, Python, and Lua interpreters and will demonstrate it at the upcoming Black Hat 2024 security conference.

Legal sector hit hard by ransomware – report

The legal sector is struggling to deal with a barrage of ransomware attacks, with more legal records stolen in 2023 than in the previous five years combined.

According to a new report from Comparitech, the legal sector has faced astronomical ransom demands in recent years; however, “many organizations remain tight-lipped on the details of such attacks.” Using data from its worldwide ransomware tracker, Comparitech looked at the increasing threat of ransomware on legal firms and its consequences. 

From the beginning of 2018 to June 2024, Comparitech found:

  • 138 individual ransomware attacks on legal organizations with peaks in 2023 (45) and 2021 (44).
  • 2,907,031 individual records were impacted in these attacks. 2023 accounts for more than half of this figure with 1.56 million records affected in total representing an increase of 615% from 218,473 records in 2022.
  • Ransom demands varied from $30,000 to $21 million.
  • The average ransom demand on legal entities is just under $2.5 million.
  • Black Basta conducted the highest number of attacks in recent years with three attacks so far for 2024 and 10 attacks in 2023. LockBit carried out nine attacks in 2023 while ALPHV/BlackCat and Darkside dominated in 2022 and 2021, respectively.

The researchers highlighted that the report only focused on publicly confirmed ransomware attacks, warning that the findings “only scratch the surface.”


INFINITY CYBERSEC

Infinity Cybersec Pte Ltd, also known as iCyber, is a cybersecurity services provider based in Singapore, delivering comprehensive cybersecurity solutions across the Asia region.

ATSOC, operated by iCyber in Singapore, functions as a Security Operations Center, offering SOC, MDR, and MSS services to both partners and customers.

Infinity Cybersec holds licenses in Singapore to provide services for SOC (License No. CS/SOC/C-2022-0089R) and PTS (License No. CS/PTS/C-2022-0089R).