Hello and welcome to GlobalSign's recap of the week's top cybersecurity stories. Let's dive in!
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory regarding Russian state-sponsored hackers. The organizations say the hackers have found a way to disable multi-factor authentication (MFA) and exploit a Windows 10 printer spooler flaw to compromise networks and high-value domain accounts. According to the advisory, the actors "exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' (CVE-2021-34527) to run arbitrary code with system privileges."
Israel was impacted on Monday by a Distributed Denial of Service (DDoS) attack that took some government sites offline temporarily. A statement issued by Israel's National Cyber Directorate said that services were back online within a few hours, though observers such as NetBlocks reported that some government websites were inaccessible outside of the country. Unconfirmed reports allege that Iran’s Islamic Revolutionary Guard Corps was behind the attack.
Researchers at cyber intelligence company Prevailion say that Naver, the South Korean equivalent of Google, is being used for large-scale phishing activity and the cybercrime group responsible is likely WIZARD SPIDER. WIZARD SPIDER (aka UNC1878) is known for Trickbot and other malicious Remote Access Trojans (RATs). The Prevailion team says the phishing operation targeted at Naver users uses at least 500 domains to steal credentials. The researchers discovered that WIZARD SPIDER was using an email address to register a set of domain names that resolved to a single IP address.
Another tough week for Meta, the parent company of Facebook. Meta was fined $18.6M after several 2018 breaches of the EU’s General Data Protection Regulation (GDPR). The Irish Data Protection Commission handed out the fine. The security lapses affected up to 30 million Facebook users.
Microsoft announced that its Azure DevOps team needed to partially roll back the TLS 1.0/1.1 deprecation that was rolled out on Jan 31st, 2022. Microsoft says this was due to unexpected issues caused by the change. Here’s a link to a previous Microsoft blog post related to that release.
Cybersecurity firm Zimperium's annual mobile threats report says data from its services shows that nearly a quarter of mobile devices encountered malware last year, while 13% had their data intercepted by a machine-in-the-middle attack and 12% were directed to a malicious website. Survey data also showed the volume of mobile threats is increasing and attackers are growing more sophisticated, with almost a third of zero-day attacks now targeting mobile devices.
That's all for this week. Wishing everyone a great weekend.
Top Global Security News
ZDNet (March 16, 2022) CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO
Russian state-sponsored hackers have used a clever technique to disable multi-factor authentication (MFA) and exploit a Windows 10 printer spooler flaw to compromise networks and high-value domain accounts. The goal? Accessing the victim's cloud and email.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about Russian state-sponsored activity that pre-dates recent warnings over cyber activity related to Russia's military invasion of Ukraine.
As early as May 2021, the hackers combined a default configuration issue in a Duo MFA setup at a non-government organization (NGO) with the critical Windows 10 PrintNightmare flaw CVE-2021-34481 to compromise it.
Bleeping Computer (March 15, 2022) Massive phishing campaign uses 500+ domains to steal credentials
Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet.
The resources used for this attack show the sheer size of the cybercriminal effort to collect login data to be used in various attacks.
Similar to Google, Naver provides a diverse set of services that range from web search to email, news, and the NAVER Knowledge iN online Q&A platform.
Security researchers at cyber intelligence company Prevailion earlier this year identified a massive phishing operation focused on collecting credentials of Naver users.
The researchers linked 542 unique domains to the operation, 532 of them being used for Naver-themed phishing. They noticed that the operator would use an email address to register a set of domain names that resolved to a single IP address.
TechCrunch (March 15, 2022) Facebook fined $18.6M over string of 2018 breaches of EU’s GDPR
Facebook’s parent company, Meta, has been fined €17 million (~$18.6 million) by the Irish Data Protection Commission (DPC) over a string of historical data breaches.
The security lapses in question, which appear to have affected up to 30 million Facebook users, date back several years — and had been disclosed by Facebook to the Irish regulator in 2018.
The DPC, which is Meta/Facebook’s lead privacy regulator in the European Union, opened this security-related inquiry in late 2018 after it received no less than 12 data breach notifications from the tech giant in the six-month period between June 7, 2018 and December 4, 2018.
The Register (March 15, 2022) Microsoft Azure DevOps revives TLS 1.0/1.1 with rollback
Microsoft's Azure DevOps team has undone the deprecation of outdated Transport Layer Security (TLS) that occurred at the end of January because of unspecified "unexpected issues" that arose following the change.
Last November, Rajesh Ramamurthy, director of product management for Azure DevOps, announced plans to phase out support for TLS 1.0/1.1 because of the risk of protocol downgrade attacks and other TLS vulnerabilities outside Microsoft's control.
TLS downgrade attacks aim to turn strong, more recent versions of TLS into weaker, earlier versions of the protocol to facilitate further exploitation. Some have jolly names like POODLE (Padding Oracle On Downgraded Legacy Encryption) [PDF] and SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes); others aim to be a bit more alarming with monikers like FREAK (factoring RSA export keys) and Logjam.
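To make the downgrade risk behind Microsoft's decision concrete, here is an added simulation (not from The Register's article or from Microsoft) of the legacy "try a lower version on failure" behaviour and the two defences against it: the TLS_FALLBACK_SCSV signal from RFC 7507, and simply refusing TLS 1.0/1.1 on the server. The version ordering, the Server class and the attacker model (an on-path party dropping any handshake above a chosen version) are assumptions of this model, not wire-accurate TLS.

```python
from dataclasses import dataclass

# Protocol versions ordered weakest -> strongest (model, not wire encoding).
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

def rank(version):
    return VERSIONS.index(version)

@dataclass
class Server:
    min_version: str            # lowest version the server will still accept
    max_version: str = "TLS1.3"

    def handshake(self, client_max, fallback_scsv):
        """Return ('ok', negotiated_version) or ('alert', alert_name)."""
        # RFC 7507: client signals it fell back, yet we support more than it now
        # offers, so the earlier failure was not ours: refuse the downgrade.
        if fallback_scsv and rank(self.max_version) > rank(client_max):
            return ("alert", "inappropriate_fallback")
        chosen = VERSIONS[min(rank(client_max), rank(self.max_version))]
        if rank(chosen) < rank(self.min_version):
            return ("alert", "protocol_version")
        return ("ok", chosen)

def connect(server, client_max="TLS1.3", client_min="TLS1.0",
            use_scsv=True, attacker_allows_up_to="TLS1.3"):
    """Legacy-browser fallback loop: retry one version lower after a failure.
    attacker_allows_up_to: on-path attacker drops stronger offers (TLS1.3 = none)."""
    attempts = [v for v in reversed(VERSIONS)
                if rank(client_min) <= rank(v) <= rank(client_max)]
    for i, offered in enumerate(attempts):
        if rank(offered) > rank(attacker_allows_up_to):
            continue  # dropped on the wire; the client falls back and retries
        # From the second attempt on, an RFC 7507 client adds TLS_FALLBACK_SCSV
        # to its cipher list so the server can tell this is a fallback retry.
        return server.handshake(offered, fallback_scsv=use_scsv and i > 0)
    return ("fail", "no version acceptable to both sides")

def scenarios():
    """Forced fallback to TLS 1.0 against a server that still accepts TLS 1.0/1.1
    (with and without SCSV) and against one that has deprecated those versions."""
    legacy = Server(min_version="TLS1.0")
    hardened = Server(min_version="TLS1.2")
    return {
        "no_attacker": connect(legacy, use_scsv=False),
        "legacy_no_scsv": connect(legacy, use_scsv=False, attacker_allows_up_to="TLS1.0"),
        "legacy_scsv": connect(legacy, use_scsv=True, attacker_allows_up_to="TLS1.0"),
        "hardened": connect(hardened, use_scsv=False, attacker_allows_up_to="TLS1.0"),
    }
```

Real TLS 1.3 adds a second defence not modelled here (a downgrade sentinel in the ServerHello random), but the lesson matches the deprecation: a server that refuses TLS 1.0/1.1 outright leaves no weaker version for a fallback to land on.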
Dark Reading (March 14, 2022) Mobile Threats Skyrocket
In its annual mobile threats report published this week, cybersecurity firm Zimperium says data from its services shows that nearly a quarter of mobile devices encountered malware last year, while 13% had their data intercepted by a machine-in-the-middle attack and 12% were directed to a malicious website.
The rising cyber-risk comes as the attack surface area of mobile applications has grown, with more than 900 Common Vulnerabilities and Exposures (CVEs) reported in 2021 that directly affect Apple iOS or Google Android. In addition, risks have risen from the third-party components used by developers, and a variety of misconfigurations have undermined the security of the cloud services underpinning mobile applications.
The volume of mobile threats is increasing and attackers are growing more sophisticated, with almost a third of zero-day attacks now targeting mobile devices, new data shows.
CyberScoop (March 14, 2022) Denial-of-service attack knocked Israeli government sites offline
A distributed denial-of-service attack against an Israeli telecommunication provider took Israeli government sites offline temporarily on Monday, the Israel National Cyber Directorate confirmed in a tweet.
The statement said that services were back online, but internet watchdog NetBlocks reported that some government websites remained unavailable outside of the country. The Israeli Embassy did not return a request for comment. NetBlocks attributed the disruption to attacks on network suppliers Bezeq and Cellcom. The attack also disrupted non-government websites.
In a DDoS incident, attackers flood the target websites with fake traffic to render them inoperable.
Other Industry News