Cyber thread: network espionage, mobile phone and WLAN tracking, hacking, viruses, DoS etc

Servers running the open source Asterisk communication software for Digium VoIP services are under attack by hackers who are managing to commandeer the machines to install web shell interfaces that give the attackers covert control, researchers have reported.

Researchers from security firm Palo Alto Networks said they suspect the hackers are gaining access to the on-premises servers by exploiting CVE-2021-45461. The critical remote code-execution flaw was discovered as a zero-day vulnerability late last year, when it was being exploited to execute malicious code on servers running fully updated versions of Rest Phone Apps, aka restapps, which is a VoIP package sold by a company called Sangoma.

The vulnerability resides in FreePBX, the world's most widely used open source software for Internet-based Private Branch Exchange systems, which enable internal and external communications in organizations' private internal telephone networks. CVE-2021-45461 carries a severity rating of 9.8 out of 10 and allows hackers to execute malicious code that takes complete control of servers.

Now, Palo Alto Networks said hackers are targeting the Elastix system used in Digium phones, which is also based on FreePBX. By sending servers specially crafted packets, the threat actors can install web shells, which give them an HTTP-based window for issuing commands that normally should be reserved for authorized admins.

"As of this writing, we have witnessed more than 500,000 unique malware samples of this family over the period spanning from late December 2021 till the end of March 2022," Palo Alto Networks researchers Lee Wei, Yang Ji, Muhammad Umer Khan, and Wenjun Hu wrote. "The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution and schedules recurring tasks to re-infect the host system. Moreover, the malware implants a random junk string to each malware download in an attempt to evade signature defenses based on indicators of compromise (IoCs)."
 
NSO Group's Pegasus spyware was used to target Thai pro-democracy protesters and leaders calling for reforms to the monarchy. "We forensically confirmed that at least 30 individuals were infected with NSO Group's Pegasus spyware," reports Citizen Lab. "The observed infections took place between October 2020 and November 2021." Here's an excerpt from the report:

Introduction: Surveillance & Repression in Thailand

The Kingdom of Thailand is a constitutional monarchy with a parliamentary-style government divided into executive, legislative, and judiciary branches. The country has been beset by intense political conflict since 2005, during the government of former Prime Minister Thaksin Shinawatra. Corruption allegations against the regime culminated in a military coup on September 19, 2006 that ousted Thaksin. The military launched another coup on May 22, 2014 and seized power following mass protests against the civilian government led by Thaksin's sister, Yingluck Shinawatra. The junta claimed that the 2014 coup was needed to restore order and called itself the National Council for Peace and Order (NCPO).

Findings: Pegasus Infections in Thailand

On November 23, 2021, Apple began sending notifications to iPhone users targeted by state-backed attacks with mercenary spyware. The recipients included individuals that Apple believes were targeted with NSO Group's FORCEDENTRY exploit. Many Thai civil society members received this warning. Shortly thereafter, multiple recipients of the notification made contact with the Citizen Lab and regional groups. In collaboration with Thai organizations iLaw and DigitalReach, forensic evidence was obtained from notification recipients, and other suspected victims, who consented to participate in a research study with the Citizen Lab. We then performed a technical analysis of forensic artifacts to determine whether these individuals were infected with Pegasus or other spyware. Victims publicly named in this report consented to be identified as such, while others chose to remain anonymous, or have their cases described with limited detail.

Civil Society Pegasus Infections

We have identified at least 30 Pegasus victims among key civil society groups in Thailand, including activists, academics, lawyers, and NGO workers. The infections occurred from October 2020 to November 2021, coinciding with a period of widespread pro-democracy protests, and predominantly targeted key figures in the pro-democracy movement. In numerous cases, multiple members of movements or organizations were infected. Many of the victims included in this report have been repeatedly detained, arrested, and imprisoned for their political activities or criticism of the government. Many of the victims have also been the subject of lese-majeste prosecutions by the Thai government. While many of the infections were detected on the devices of prominent figures, hacking was also observed against individuals who are not publicly involved in the protests. Speculatively, this may reflect the attackers' intent to uncover details about how opposition movements were organized, and may have been prompted by specific financial transactions that would have been known to Thai financial institutions and the government, but not the public.
 

Despite the efforts to keep CVE-2022-2294 secret, Avast managed to recover the attack code, which exploited a heap overflow in WebRTC to execute malicious shellcode inside a renderer process. The recovery allowed Avast to identify the vulnerability and report it to developers so it could be fixed. The security firm was unable to obtain a separate zero-day exploit that was required so the first exploit could escape Chrome's security sandbox. That means this second zero-day will live to fight another day.

Once DevilsTongue got installed, it attempted to elevate its system privileges by installing a Windows driver containing yet another unpatched vulnerability, bringing the number of zero-days exploited in this campaign to at least three. Once the unidentified driver was installed, DevilsTongue would exploit the security flaw to gain access to the kernel, the most sensitive part of any operating system. Security researchers call the technique BYOVD, short for "bring your own vulnerable driver." It allows malware to defeat OS defenses since most drivers automatically have access to an OS kernel.

Avast has reported the flaw to the driver maker, but there's no indication that a patch has been released. As of publication time, only Avast and one other antivirus engine detected the driver exploit.

Since both Google and Microsoft patched CVE-2022-2294 in early July, chances are good that most Chrome and Edge users are already protected. Apple, however, fixed the vulnerability on Wednesday, meaning Safari users should make sure their browsers are up to date.
 

The software framework has become essential to developing almost all complex software these days. The Django Web framework, for instance, bundles all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay at companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions like logging and authentication shared across an app ecosystem.

Last week, researchers from security firm Intezer revealed the Lightning Framework, a modular malware framework for Linux that has gone undocumented until now. Lightning Framework is post-exploit malware, meaning it gets installed after an attacker has already gained access to a targeted machine. Once installed, it can provide some of the same efficiencies and speed to Linux compromises that Django provides for web development.

“It is rare to see such an intricate framework developed for targeting Linux systems,” Ryan Robinson, a security researcher at Intezer, wrote in a post. “Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins.”
 
The Infrastructure Investment and Jobs Act, as passed by Congress last November, authorizes $7.5 billion to help meet US President Joe Biden's goal of installing 500,000 stations by 2030. Biden aims to have EVs represent half of all new vehicles being sold in the US by 2030. But as the number of stations increases, the number of vulnerabilities does as well.

For the past several years, hackers have been busy aiming their attacks at electrical system vulnerabilities. In the case of charging stations, some of these soft spots are located inside the stations; some are located inside the equipment that controls connections between the grid and the station; and still others are inside assets that sit on the grid side of the relationship, and these are mostly owned by utilities. Europe-based wind power companies (Deutsche Windtechnik AG, Enercon GmbH, and Nordex SE) have suffered attacks focused on stopping the flow of electrons, identity theft attacks, and stolen payments. In most cases, the results can be service disruptions affecting customers and revenue reductions for the providers of electrons and/or asset owners.

Hackers perpetually seek out ways to use any and all system vulnerabilities to their maximum advantage. This is a problem for the consumer, just as it is for commercial enterprises. Added to the stresses created by several types of hacker disruptions—physical destruction; electronic jamming; creating a "Denial of Service"—are concerns about weak control systems. From his perch at PlugInAmerica.org, Ron Freund worries that the existing supervisory control and data acquisition hardware is primitive.

"It doesn't handle the simple faults gracefully, and is not reliable, much less scalable. But it also is not yet on the Internet, so is inaccessible (for the most part). In fact, it's scary how primitive some of these systems still are," Freund told me.
 
Referring to DSIRF using the word KNOTWEED, Microsoft researchers wrote:

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.

Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF.
 
The advent of public key encryption in the 1970s was a major breakthrough because it allowed parties who had never met to securely trade encrypted material that couldn’t be broken by an adversary. Public key encryption relies on asymmetric keys, with one private key used to decrypt messages and a separate public key for encrypting. Users make their public key widely available. As long as their private key remains secret, the scheme remains secure.

In practice, public key cryptography can often be unwieldy, so many systems rely on key encapsulation mechanisms, which allow parties who have never met before to jointly agree on a symmetric key over a public medium such as the Internet. In contrast to symmetric-key algorithms, key encapsulation mechanisms in use today are easily broken by quantum computers. SIKE, before the new attack, was thought to avoid such vulnerabilities by using a complex mathematical construction known as a supersingular isogeny graph.

The cornerstone of SIKE is a protocol called SIDH, short for Supersingular Isogeny Diffie-Hellman. The research paper published over the weekend shows how SIDH is vulnerable to a theorem known as “glue-and-split” developed by mathematician Ernst Kani in 1997, as well as tools devised by fellow mathematicians Everett W. Howe, Franck Leprévost, and Bjorn Poonen in 2000. The new technique builds on what’s known as the “GPST adaptive attack,” described in a 2016 paper. The math behind the latest attack is guaranteed to be impenetrable to most non-mathematicians. Here’s about as close as you’re going to get:

“The attack exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known,” Steven Galbraith, a University of Auckland mathematics professor and the “G” in the GPST adaptive attack, explained in a short writeup on the new attack. “The auxiliary points in SIDH have always been an annoyance and a potential weakness, and they have been exploited for fault attacks, the GPST adaptive attack, torsion point attacks, etc.
 
An anonymous reader quotes a report from Forbes:

According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat (Volexity says it is already on version 3.0, according to the malware's internal versioning) can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system.


The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.
 
In mid-July, a cyberattack on the Albanian government knocked out state websites and public services for hours. With Russia’s war raging in Ukraine, the Kremlin might seem like the likeliest suspect. But research published on Thursday by the threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s espionage operations and digital meddling have shown up all over the world, Mandiant researchers say that a disruptive attack from Iran on a NATO member is a noteworthy escalation.

The digital attacks targeting Albania on July 17 came ahead of the “World Summit of Free Iran,” a conference scheduled to convene in the town of Manëz in western Albania on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahadeen-e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated MEK, PMOI, or MKO). The conference was postponed the day before it was set to begin because of reported, unspecified “terrorist” threats.

Mandiant researchers say that attackers deployed ransomware from the Roadsweep family and may have also utilized a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and activity from actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.
 
Beijing-backed cyberspies used specially crafted phishing emails and six different backdoors to break into and then steal confidential data from military and industrial groups, government agencies and other public institutions, according to Kaspersky researchers.

We're told the security shop's industrial control systems (ICS) response team initially detected a series of targeted attacks back in January that compromised more than a dozen organizations in several Eastern European countries, including Belarus, Russia, and Ukraine, as well as Afghanistan.

"The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions," the team wrote in a report published on Monday.

Kaspersky attributed the attacks "with a high degree of confidence" to Chinese cybercrime gang TA428, which has a history of targeting East Asian and Russian military and research institutes.

The ICS research team identified malware and command-and-control servers based in China, and added that this more recent series of attacks is "highly likely" to be an extension of an ongoing cyberespionage campaign, previously spotted by other research teams.

They also sound very similar to another campaign, dubbed Twisted Panda, carried out by Chinese cyberspies and targeting Russian defense institutes, uncovered by Check Point Research in May.

According to Kaspersky, the miscreants gained access to the enterprise networks via phishing emails, some of which included organization-specific information that wasn't publicly available.

"This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees, or on other organizations or individuals associated with the victim organization)," the researchers explained.

Presumably, because these specially-crafted attacks included confidential information about the victim org, it was easier for the attackers to trick some employees into opening the email — and a Microsoft Word document attached to it. The Word doc contained malicious code, which exploited the CVE-2017-11882 vulnerability to deploy PortDoor malware on the infected machine without any additional user activity. For example, the user didn't need to enable macros, as is typical in these types of attacks.

PortDoor malware is a relatively new backdoor believed to be developed by Chinese state-sponsored groups that was also used in a 2021 phishing attack against a Russian-based defense contractor that designs nuclear submarines for the Russian Federation's Navy.

Kaspersky says its team IDed a new version of PortDoor that establishes persistence, then collects information on the infected computer, and can be used to control the system remotely while installing additional malware.

In addition to PortDoor, attackers used six other backdoors to control the infected systems and steal confidential data. Some of these (nccTrojan, Logtu, Cotx, and DNSep) have been previously attributed to TA428. However, a sixth backdoor, dubbed CotScam, is new, according to Kaspersky.
 

At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to reach data in an undisclosed number of customer accounts.

Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.

When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real-time, enter them in a victim company’s actual login page, and, for many organizations that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.

We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.
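The difference the Cloudflare post describes between a relayed TOTP code and an origin-bound security key can be seen from the verifying server's side. The following is an added example, not Cloudflare's or Okta's code; the TOTP part follows RFC 6238, while the "authenticator" uses an HMAC with a constructed credential key as a stand-in for the ECDSA signature a real FIDO2 key would produce, and the relying-party origin `https://okta.example` is invented. The lookalike domain is the one named in the article.

```python
"""Why a real-time relay passes TOTP but fails an origin-bound FIDO2 assertion.

Added illustration. The TOTP code is computed per RFC 6238; the security-key
signature is replaced by an HMAC over the same bytes a real authenticator
signs (authenticatorData || SHA-256(clientDataJSON)), which is enough to show
the origin-binding check.
"""
import hashlib
import hmac
import json
import struct
import time
from urllib.parse import urlparse

REAL_ORIGIN = "https://okta.example"          # constructed relying-party origin
PHISH_ORIGIN = "https://cloudflare-okta.com"  # lookalike domain named in the article


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    """The real login page only sees six digits; it cannot tell where they were typed."""
    return hmac.compare_digest(totp(secret, t), submitted)


def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """What the browser hands back after navigator.credentials.get().

    The browser, not the page, fills in the origin and the rpId, so an
    assertion produced on a phishing page carries the phishing origin.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(urlparse(origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x01"  # flags byte: user present
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify_assertion(cred_key: bytes, challenge: bytes, assertion: dict,
                        expected_origin: str = REAL_ORIGIN) -> bool:
    """Relying-party checks: origin, challenge, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != challenge.hex():
        return False
    expected_rp = hashlib.sha256(urlparse(expected_origin).hostname.encode()).digest()
    if assertion["auth_data"][:32] != expected_rp:
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def relay_scenario() -> tuple:
    """Returns (totp_relay_accepted, fido2_relay_accepted) for the attack in the post."""
    secret = b"constructed-totp-seed"
    now = int(time.time())
    # The victim types the current code into the phishing page; the attacker
    # forwards the same digits to the real site within the 30-second window.
    code_typed_on_phish = totp(secret, now)
    totp_accepted = server_verify_totp(secret, code_typed_on_phish, now)

    # With a security key the real site issues a challenge, the attacker relays
    # it, but the assertion is produced for PHISH_ORIGIN and is rejected.
    cred_key = b"constructed-credential-key"
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    assertion = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    fido2_accepted = rp_verify_assertion(cred_key, challenge, assertion)
    return totp_accepted, fido2_accepted


def legitimate_login() -> bool:
    """Same key, same challenge, but signed on the genuine origin: accepted."""
    cred_key = b"constructed-credential-key"
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    return rp_verify_assertion(cred_key, challenge,
                               authenticator_sign(cred_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    print("TOTP relay accepted, FIDO2 relay accepted:", relay_scenario())
    print("Legitimate FIDO2 login accepted:", legitimate_login())
```

The point of the simulation is the asymmetry in what reaches the server: a TOTP code is six digits with no provenance, so `server_verify_totp` has nothing to check beyond the value, whereas the assertion carries the origin the browser observed, and `rp_verify_assertion` rejects it before the signature is even examined. A real browser also refuses to let `cloudflare-okta.com` request a credential registered for a different rpId, which only makes the relay fail earlier.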
 
Cloudflare says it was subject to a similar attack to one made on comms company Twilio last week, but in this case it was thwarted by hardware security keys that are required to access applications and services.

Twilio reported a breach after employees received phishing text messages claiming to be from the company's IT department. These fooled them into logging into a fake web page designed to look like Twilio's own sign-in page, using pretexts such as claiming they needed to change their passwords. The attackers were then able to use credentials supplied by the victims to log into the real site.

According to Cloudflare, it recorded a very similar incident late last month, which could suggest the two attacks may have originated from the same attacker or group.

Detailing the incident on its blog, the content delivery network claimed that no Cloudflare systems were compromised, but said it was "a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached."

In Cloudflare's case, its security team first started receiving reports on July 20 that employees got text messages containing a link to what appeared to be a Cloudflare Okta login page (Cloudflare uses Okta's identity and access management services internally).

Although the incident started late in the evening, Cloudflare said it operates a 24x7 Security Incident Response Team (SIRT), and has trained its employees to report anything that looks suspicious to the SIRT to investigate. The vast majority of reports turn out to be false alarms, but in this case it appears at least 76 company employees received the phishing messages within the space of a single minute.

The sophistication of the attack can be gauged by the fact that the URL in the text messages linked to a domain (cloudflare-okta.com) that appeared to be legitimate, and had not been picked up by the company's monitoring systems. Cloudflare has systems to watch for domains being registered with its name and get them shut down, but in this case the domain had been registered less than 40 minutes before the phishing messages were sent, and so it had not yet been detected.

As with the Twilio incident, the fake Cloudflare Okta login page prompted any employee who visited it for their username and password. Alerted by their employees contacting SIRT, Cloudflare was able to analyze the payload of the phishing attack based on the message employees received, as well as what was posted to services like VirusTotal by other companies that had been victims of similar attacks.
 
The designs of IoT service platforms aren’t specified in the 5G standard and are up to each carrier and company to create and deploy. That means there's widespread variation in their quality and implementation. In addition to 5G, upgraded 4G networks can also support some IoT expansion, widening the number of carriers that may offer IoT service platforms and the APIs that feed them.

The researchers bought IoT plans on the 10 carriers they analyzed and got special data-only SIM cards for their networks of IoT devices. This way, they had the same access to the platforms as any other customer in the ecosystem. They found that basic flaws in how the APIs were set up, like weak authentication or missing access controls, could reveal SIM card identifiers, SIM card secret keys, the identity of who purchased which SIM card, and their billing information. And in some cases, the researchers could even access large streams of other users' data or even identify and access their IoT devices by sending or replaying commands that they shouldn’t have been able to control.

The researchers went through disclosure processes with the 10 carriers they tested and said that the majority of vulnerabilities they found so far are being fixed. Shaik notes that the quality of security protections on the IoT service platforms varied widely, with some appearing more mature while others were “still sticking to the same old bad security policies and principles.” He adds that the group isn't publicly naming the carriers they looked at in this work because of concerns about how widespread the issues might be. Seven of the carriers are based in Europe, two are in the US, and one is in Asia.

“We found vulnerabilities that could be exploited to access other devices even though they don’t belong to us, just by being on the platform,” Shaik says. “Or we could talk to other IoT devices and send messages, extract information. It’s a big issue.”
 
There's too much concentration on a single point of failure as an explanation for security failing, she said, but that's almost never the case. When a security system fails massively, like in the case of the Equifax hack, the point of blame is too often a single or small group of employees who are fired and too many people see that as the end of the job.

But when an aircraft crashes, professional investigators spend time going over the incident to backtrace what exactly went wrong and why, and then advise all those people and companies involved of the findings, so they can be addressed. The same needs to happen in security, she argues.

To that end the two have now released the Major Cyber Incident Investigations Playbook, which is based on Harvard research and provides a structured format to log facts about a security incident, that can be analyzed and shared. The results can then be fed back to organizations to implement and fix long-term issues rather than relying on spot fixes.
 
The text message that dragged Thanasis Koukakis into what’s being called Europe’s Watergate scandal was so innocuous, he can barely remember receiving it. The Athens-based financial journalist received the note on his black iPhone 12 Pro on July 12 last year from a Greek number he didn’t have saved. That wasn’t unusual for Koukakis, who has spent the past three years investigating the changes the government has been making to financial crime regulation. He gets a lot of messages—both from numbers he’s saved and those he hasn’t. This one addressed him directly. “Thanasis,” it read, “Do you know about this issue?” Koukakis clicked on the link that followed, which took him to a news story about a Greek banking scandal. He replied with a terse: “No.”

Koukakis, 44, did not think about the message until months later. In the days that followed, he was oblivious to the fact that the website that hosted the story he was sent had disappeared. He also did not know that by clicking on that link, he had opened an invisible door inside his phone, allowing spyware software called Predator to creep in to silently watch the messages and calls he was sending and receiving.

His phone kept working as if everything was normal, he says. Then, in December, Koukakis read a report about how Facebook parent company Meta had detected commercial spyware being used by customers in 10 different countries, including Greece. One of the links used to trick people into downloading the spyware was designed to look like CNN Greece—where he worked as an editor.
 
Google says it has blocked the largest ever HTTPS-based distributed-denial-of-service (DDoS) attack in June, which peaked at 46 million requests per second.

To put things in perspective, this is about 76 percent larger than the previous record DDoS attack that Cloudflare thwarted earlier that same month.

As Googlers Emil Kiner and Satya Konduru explain: "That is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds."

These types of security events flood target organizations' networks with junk traffic, which makes it impossible for them to conduct legitimate business online.

Not only is this the third such record-breaking DDoS flood in the past few months – this includes two earlier HTTPS-based attacks blocked by Cloudflare in April and June – but it comes as Google and other security researchers warn that network-flooding events are getting worse, growing in size and frequency.

Google provided a timeline for what happened on June 1.

The attack began around 09:45 PT (16:45 UTC), with more than 10,000 requests per second (rps) targeting one of its customers' HTTP(S) Load Balancers. Just eight minutes later, the attack grew to 100,000 rps. Two minutes after that, it hit its peak of 46 million rps.

By then, Google says its Cloud Armor Adaptive Protection service had already detected the attack, generated an alert, and recommended a rule to block the malicious signature, which the customer had deployed into its security policy.

After that, the attack started to dwindle, ending at 10:54 PT (17:54 UTC), according to Kiner and Konduru. "Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack."
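The timeline above describes a rate-based detector that noticed the flood, raised an alert and proposed a blocking rule for the attack's signature. The following is an added example of that idea in miniature, not Google Cloud Armor's code: it parses a constructed access log (10 seconds of about 5 requests per second of normal traffic, then 5 seconds of a 200 rps flood), compares each second against the median rate, and, for the flood seconds, looks for a request attribute shared by nearly all of the excess traffic to suggest as a rule. The log format, IP ranges, user agents and thresholds are all invented for the example.

```python
"""Rate-spike detection with signature suggestion over a constructed access log.

Added example. Log lines have the invented form:
    <iso-timestamp> <client-ip> <method> <path> "<user-agent>"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def build_sample_log() -> list:
    """Constructed data: 15 one-second buckets, the last 5 carrying a flood."""
    start = datetime(2022, 6, 1, 16, 45, 0, tzinfo=timezone.utc)
    normal_uas = ["Mozilla/5.0 (X11; Linux)", "Mozilla/5.0 (Windows NT 10.0)",
                  "curl/7.79", "Mozilla/5.0 (Macintosh)", "okhttp/4.9"]
    paths = ["/", "/login", "/api/v1/items", "/static/app.js", "/healthz"]
    lines = []
    for sec in range(15):
        ts = (start + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        for i in range(5):  # ordinary background traffic
            lines.append(f'{ts} 203.0.113.{i + 1} GET {paths[i]} "{normal_uas[i]}"')
        if sec >= 10:       # flood: many sources, one user agent, one path
            for i in range(200):
                lines.append(f'{ts} 198.51.100.{i % 250 + 1} GET / '
                             f'"Mozilla/5.0 (constructed-flood-bot)"')
    return lines


def parse(lines: list) -> list:
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, ua = m.groups()
        rows.append({"second": ts, "ip": ip, "method": method, "path": path, "ua": ua})
    return rows


def detect_flood(rows: list, factor: int = 10, min_share: float = 0.9) -> dict:
    """Flag seconds whose request count exceeds factor x the median rate, then
    propose a rule on the attribute shared by at least min_share of those requests."""
    per_second = defaultdict(list)
    for r in rows:
        per_second[r["second"]].append(r)
    counts = sorted(len(v) for v in per_second.values())
    baseline = counts[len(counts) // 2]  # median requests per second
    flood_seconds = sorted(s for s, v in per_second.items() if len(v) > baseline * factor)
    result = {"baseline_rps": baseline, "peak_rps": max(counts),
              "flood_seconds": flood_seconds, "rule": None}
    if not flood_seconds:
        return result
    flood_rows = [r for s in flood_seconds for r in per_second[s]]
    # Prefer a user-agent match, then a path match; an IP-based rule would not
    # help here because the flood comes from many distinct sources.
    for field in ("ua", "path"):
        value, n = Counter(r[field] for r in flood_rows).most_common(1)[0]
        share = n / len(flood_rows)
        if share >= min_share:
            result["rule"] = {"field": field, "value": value, "share": round(share, 3)}
            break
    return result


if __name__ == "__main__":
    report = detect_flood(parse(build_sample_log()))
    print(f"baseline {report['baseline_rps']} rps, peak {report['peak_rps']} rps")
    print("flood seconds:", report["flood_seconds"])
    print("proposed rule:", report["rule"])
```

The suggested rule is only a candidate: the 5 ordinary requests in each flood second show why a threshold on the attribute's share matters, and a rule on the flood user agent would still be reviewed before deployment, which matches the "recommended a rule ... which the customer had deployed" step in Google's account.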

 
The LockBit ransomware group last week claimed responsibility for an attack on a cybersecurity vendor in June. The high-profile gang is now apparently under a distributed denial-of-service (DDoS) attack because of it.

Azim Shukuhi, a cybersecurity researcher with Cisco's Talos threat intelligence group, wrote in a tweet over the weekend that "someone is DDoSing the Lockbit blog hard right now."

LockBitSupp, the public face of LockBit that interacts with companies and cybersecurity researchers, told Shukuhi that the group's data leak site was getting 400 requests a second from more than 1,000 servers and that the group promised to add more resources to the site and to "drain the ddosers money," he wrote.

Vx-underground, which collects malware source code and samples, wrote in a tweet that LockBit told them they were under a DDoS attack because of the Entrust hit. When Vx-underground asked how the ransomware gang knew it was because of the Entrust attack, LockBit sent a screenshot of the messages coming in, all of which referenced enstrust.com.
 
Two weeks ago, Twilio and Cloudflare detailed a phishing attack so methodical and well-orchestrated that it tricked employees from both companies into revealing their account credentials. In the case of Twilio, the attack overrode its 2FA protection and gave the threat actors access to its internal systems. Now, researchers have unearthed evidence the attacks were part of a massive phishing campaign that netted almost 10,000 account credentials belonging to 130 organizations.

Based on the revelations provided by Twilio and Cloudflare, it was already clear that the phishing attacks were executed with almost surgical precision and planning. Somehow, the threat actor had obtained private phone numbers of employees and, in some cases, their family members. The attackers then sent text messages that urged the employees to log in to what appeared to be their employers' legitimate authentication page.

In 40 minutes, 76 Cloudflare employees received the text message, which included a domain name registered only 40 minutes earlier, thwarting safeguards the company has in place to detect sites that spoof its name. The phishers also used a proxy site to perform hijacks in real time, a method that allowed them to capture the one-time passcodes Twilio used in its 2FA verifications and enter them into the real site. Almost immediately, the threat actor used its access to Twilio's network to obtain phone numbers belonging to 1,900 users of the Signal Messenger.
 