22 June 2018
New Phishing Scam Reels in Netflix Users to TLS-Certified Sites
Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates. Johannes Ullrich, security researcher, said Wednesday that there has been an uptick in Netflix phishing emails pointing to TLS-certified sites. The attackers take advantage of unpatched installs or plugins, or weak passwords, to compromise usual-suspect CMS software such as WordPress or Drupal, said Ullrich. From there they create phishing pages that can be mistaken for real Netflix domains. In some cases they use wildcard DNS records. “With a wildcard DNS record, *anything.domain.com will point to the same IP address,” the researcher said in a post. “The attacker will just use a subdomain/hostname to launch the attack. But I have also seen them use specific domain names registered for the phish.” The attacker can then obtain a TLS certificate for a Netflix-related hostname, such as netflix.domain.com or netflix.login.domain.com; this helps the site evade being flagged by safe-browsing software.
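As an added illustration (not code from the article or from Ullrich's post), the following Python screens observed hostnames for the pattern described above: a brand token sitting in a label to the left of the registrable domain, as on a wildcard zone, or inside a look-alike domain registered for the phish, where the registrable domain is not one the brand owns. The brand list, the owned-domain set and the tiny public-suffix table are assumptions made for the example; production code should use the full Public Suffix List.

```python
# Added example: flag hostnames that carry a brand name outside the brand's own
# registrable domain, the "netflix.domain.com" / "netflix.login.domain.com"
# pattern described above. Not code from the article or from the ISC post.

from typing import Optional

# Assumption for the example: the brand we watch for and the apex domain(s)
# it legitimately uses.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}

# Assumption: a tiny stand-in for the Public Suffix List. Real deployments
# should use the full list (e.g. the `publicsuffix2` package) so that
# "co.uk"-style suffixes are handled for every TLD.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.br"}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of a hostname, or None."""
    labels = hostname.lower().rstrip(".").split(".")
    if any(not label for label in labels) or len(labels) < 2:
        return None
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) < suffix_len + 1:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def impersonated_brand(hostname: str) -> Optional[str]:
    """Return the brand a hostname appears to impersonate, or None.

    Two cases are flagged:
      * brand token in any label left of the registrable domain
        (netflix.domain.com, netflix.login.domain.com on a wildcard zone);
      * brand token inside the registrable domain's own label
        (netflix-account-verify.com, a domain registered for the phish).
    A hostname under one of the brand's own apex domains is never flagged,
    so www.netflix.com and help.netflix.com pass.
    """
    reg = registrable_domain(hostname)
    if reg is None:
        return None
    labels = hostname.lower().rstrip(".").split(".")
    sub_labels = labels[: len(labels) - len(reg.split("."))]
    apex_label = reg.split(".")[0]
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            continue
        if brand in apex_label or any(brand in label for label in sub_labels):
            return brand
    return None


def screen(hostnames):
    """Partition a list of observed hostnames into (flagged, clean)."""
    flagged, clean = [], []
    for h in hostnames:
        (flagged if impersonated_brand(h) else clean).append(h)
    return flagged, clean


# Constructed sample input, in the shape of names pulled from certificate
# transparency logs or from URLs in quarantined mail; not real observations.
SAMPLE = [
    "netflix.domain.com",
    "netflix.login.domain.com",
    "www.netflix.com",
    "help.netflix.com",
    "netflix-account-verify.com",
    "billing.netflix-update.co.uk",
    "example.co.uk",
]

if __name__ == "__main__":
    flagged, clean = screen(SAMPLE)
    print("flagged:", flagged)
    print("clean:", clean)
```

The screen deliberately ignores whether the name has a certificate: a domain-validated certificate attests only that the requester controlled the hostname at issuance, so a padlock on netflix.login.domain.com says nothing about who runs it. Feeding certificate-transparency logs through a check like this is one way to spot such names before the phishing mail lands.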
South Korea’s biggest cryptocurrency exchange Bithumb Hacked
South Korea’s biggest cryptocurrency exchange, Bithumb, is scrambling to protect users’ funds after a large-scale hack. Initial reports from the Yonhap news agency indicate that over $30 million worth of cryptocurrencies was stolen during a cyber attack on June 19. Cointelegraph Japan was informed that the hot wallet was hacked during the night and that the stolen cryptocurrency included Ripple. Once the exchange became aware of the attack, it froze deposit and withdrawal services. Bithumb has already assured customers that those affected by the hack will be compensated for their losses.
Hackers Try to Infect Computers That Control Satellites
Orbital satellites have become a new target for hackers using China-based computers. The mysterious group has been trying to breach satellite communications operators as part of a global cyberespionage campaign, according to security firm Symantec. The apparent aim: to take over computers installed with software that can monitor and control the satellites. "The hackers had access to satellite systems, meaning they could have done actual damage if they wanted to," Symantec analyst Jon DiMaggio told PCMag. "They only collected info this time, but we can't sit here and say they wouldn't sabotage the systems in the future." The hacking group, dubbed Thrip, has also been found targeting a geospatial imaging provider, a defense contractor in the US, and three telecommunication operators based in Southeast Asia, Symantec said in a Tuesday report. Thrip has been active since at least 2013 and been involved in other spying campaigns orchestrated from China. The group's most recent attacks specifically used three computers in the country, according to Symantec. However, the security firm stopped short of blaming the Chinese government for the hacks. Theoretically, anyone could've compromised the three computers, and exploited them as a launching pad to wage the cyberspying campaign. Symantec noticed the attacks in January, when the company's security software triggered an alert at a "large telecoms operator" in Southeast Asia. During the incident, the group was attempting to install a piece of malware on the victim's network, which exposed the hackers' tactics to Symantec researchers.
Script kiddie goes from 'Bitcoin Baron' to 'Lockup Lodger' after DDoSing 911 systems
A 23-year-old Arizona man was thrown in the cooler this week after he admitted being the not-quite-infamous website-rattling "Bitcoin Baron". Randall Charles Tucker was given a 20-month sentence Tuesday after pleading guilty earlier this year to one count of felony intentional damage to a protected computer. He had faced as many as 41 months. Tucker had been charged with running a March 2015 distributed denial-of-service (DDoS) attack that rendered the government networks of Madison, Wisconsin, inaccessible several times over a five-day period. According to his indictment, Tucker operated in 2015 as a quasi-hacktivist calling himself the Bitcoin Baron. He performed a string of DDoS assaults, demanding a ransom to end the waves of junk network traffic, against three cities (Chandler and Mesa, Arizona, in addition to Madison) as well as against a news network that refused to post a video he made claiming credit for the attacks.
Microsoft Edge Bug Exposes Content From Other Sites via HTML5 Audio Tag
An Edge bug fixed earlier this month allowed a malicious website to read content from other sites by loading audio files in a malformed way that produced unintended consequences. Jake Archibald, the Google developer who discovered the bug, said: "when you visit my site in Edge, I could read your emails, I could read your Facebook feed, all without you knowing." The bug occurs when a malicious site uses a service worker to load media inside an <audio> tag from a remote site while also using an HTTP Range request to fetch only a specific section of that file. Archibald says that because of inconsistencies in how browsers treat files loaded via service workers inside audio tags, it is possible to load any content into the malicious site. Under normal circumstances this is impossible: the same-origin policy, which CORS (Cross-Origin Resource Sharing) lets a server selectively relax, stops a page from reading responses fetched from another origin. A "no-cors" request, the kind an <audio> or <img> tag makes, is still sent with the user's cookies, and the receiving site, such as Facebook, Gmail or BBC, honours it without any problems, but the response is supposed to remain opaque to the requesting page. In this configuration Edge exposed the content of those responses, letting the attacking site read content hidden behind authentication, content that no online service in its right mind would allow to be loaded on random domains.
Mylobot Botnet Emerges with Rare Level of Complexity
An unusual botnet dubbed Mylobot has emerged, percolating up from the Dark Web and displaying a never-before-seen level of complexity in the sheer breadth of its tooling, especially its evasion techniques. According to an analysis posted on Tuesday by Tom Nipravsky, a security researcher at Deep Instinct, Mylobot’s bag of tricks is bursting at the seams. It includes anti-VM, anti-sandbox and anti-debugging techniques; wrapping internal parts in an encrypted resource file; code injection; process hollowing (the attacker creates a new process in a suspended state and replaces its image with the one to be hidden); reflective EXE loading, which executes EXE files directly from memory without ever writing them to disk; and a delay of 14 days before it first contacts its C&C servers.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.