At a glance.
- Adversary-in-the-Middle phishing as a prelude to BEC.
- Silent card validation bot found.
- Social engineering at the ECB.
- Shields up in Berlin.
- Hacktivism as a morale-builder.
- Patch notes.
Adversary-in-the-middle sites support business email compromise.
Microsoft Security researchers have found a campaign that uses adversary-in-the-middle techniques (AiTM) to stage more effective business email compromise (BEC) attacks. Phishing messages directed victims to AiTM sites that would steal passwords and hijack sign-in sessions, skipping authentication even where multifactor authentication had been enabled. The attackers used stolen credentials and session cookies to access victims’ mailboxes for more effective and plausible BEC attacks against the victims’ colleagues. Microsoft says that more than 10,000 organizations have been affected since last September. Redmond recommends continuous monitoring, advanced anti-phishing solutions, and conditional access policies to mitigate AiTM risk.
Silent validation carding bot discovered.
PerimeterX reports that its researchers have found a new silent validation carding bot. The bot takes stolen paycard data and attempts to store it in e-retailers’ wallet pages, where, if validated and accepted, it would become a stored payment method that could be used in future fraudulent transactions. This technique enables criminals to validate a card without alerting the card’s owner to the possibility of compromise. PerimeterX says the bot was detected and stopped before any actual fraud was committed.
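Because the bot never buys anything, the signal a retailer can watch is velocity on the wallet page itself: how many distinct cards one account tries to store in a short window. The following is an added example, not PerimeterX's detection logic; the event format, account names and card fingerprints are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "add payment method to wallet" events (sample data, not PerimeterX telemetry).
# Fields: timestamp, account, client IP, tokenised card fingerprint (never the PAN), issuer result.
SAMPLE_WALLET_EVENTS = """\
2022-07-12T10:00:01Z acct-17 198.51.100.5 fp-0a1 accepted
2022-07-12T10:00:09Z acct-17 198.51.100.5 fp-0a2 declined
2022-07-12T10:00:15Z acct-17 198.51.100.5 fp-0a3 declined
2022-07-12T10:00:22Z acct-17 198.51.100.5 fp-0a4 accepted
2022-07-12T10:00:30Z acct-17 198.51.100.5 fp-0a5 declined
2022-07-12T14:20:00Z acct-42 203.0.113.9 fp-b77 accepted
2022-07-12T16:05:00Z acct-42 203.0.113.9 fp-b78 accepted
"""

def parse_wallet_events(text):
    """Parse one event per line into (timestamp, account, ip, fingerprint, result)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, acct, ip, fp, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, ip, fp, result))
    return events

def flag_card_validation(events, window=timedelta(minutes=10), max_cards=3):
    """Return {account: peak distinct cards} for accounts that tried to store more than
    `max_cards` distinct cards inside any `window`. A shopper adds one card at a time;
    a validation bot cycles through stolen cards, so distinct-card velocity is the
    signal, and it fires whether the issuer accepted or declined each card."""
    per_account = defaultdict(list)
    for ts, acct, _ip, fp, _result in sorted(events):
        per_account[acct].append((ts, fp))
    flagged = {}
    for acct, adds in per_account.items():
        peak = 0
        for i, (end_ts, _) in enumerate(adds):
            # distinct fingerprints in the window ending at this event
            in_window = {fp for ts, fp in adds[:i + 1] if end_ts - ts <= window}
            peak = max(peak, len(in_window))
        if peak > max_cards:
            flagged[acct] = peak
    return flagged
```

The same count keyed by client IP instead of account catches a bot that spreads cards across freshly registered accounts.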
Attempted social engineering at the European Central Bank.
Reuters reports that unidentified threat actors tried to inveigle European Central Bank (ECB) President Christine Lagarde into giving them an authentication code for WhatsApp that would have enabled them to open an account linked to Ms Lagarde’s phone number. The attackers claimed to be former German Chancellor Angela Merkel. "We can confirm that there was an attempted cyber incident recently involving the president," an ECB spokesperson said. "It was identified and halted quickly. No information was compromised. We have nothing more to say as an investigation is ongoing."
The not-Merkel said, according to the AP, that it would be easier and more secure if they could connect with Ms Lagarde over WhatsApp. The German edition of Business Insider reports that the attackers had Ms Lagarde’s mobile number and were able to spoof Ms Merkel’s number in their smishing text. “They wanted to use the Chancellor's identity to obtain the authentication code of Lagarde's existing or new messenger service account. This is actually used to verify the link between the personal account and the cell phone number. By sharing the code, the strangers could have taken over Lagarde's account.”
Germany puts its shields up.
Aware of the potential threat of Russian cyberattacks, German authorities yesterday announced a program of increased readiness and resilience. Deutsche Welle reports that Interior Minister Nancy Faeser explained the motivation for the increased state of alert: "The sea change we are facing in view of the Russian war of aggression against Ukraine requires a strategic repositioning and significant investment in our cybersecurity.” In addition to new, secure systems for exchanging information, the government intends to promote resilience in small- and medium-sized organizations. “That would apply to ‘critical infrastructure,’ businesses involved in transport, food, health, energy and water supply.”
Hacktivism in a hybrid war.
Hacktivists in sympathy with Ukraine have conducted distributed denial-of-service attacks against Russian movie theaters. CyberNews says the attacks, regarded as a tit-for-tat response to Russian DDoS attacks by Killnet and others against Ukrainian and other sympathetic nations’ networks, have affected “Kinomax, Mori Cinema, Luxor, Almaz, and other chains,” as well as “ticket service Kinoplan.”
Obviously such campaigns aren’t war-winners. The Record reports a consensus among Ukrainian security firms that DDoS is popular because it’s easy, and that the targets selected for disruption are picked because they’re disruptable, not because they’re either high-value or high-payoff.
Ukrainian hacktivists have been more-or-less assembled into a loose umbrella group, the IT Army. The Ukrainian government says it doesn’t direct the IT Army, and indeed their opportunistic and improvisational target selection would seem to argue that their organization is pretty thin. The Record says, “This lack of planning makes sense given that IT Army is an independent group of volunteer hackers, not a trained cyber army unit. ‘We do not coordinate cyber volunteers in their attacks and have no information on any such coordination centers,’ Ukrainian security official Victor Zhora said.”
So hacktivism might be regarded as a morale-builder. “The only benefit of IT Army’s DDoS was that thousands of people came together and felt useful in their resistance against Russia,” Yegor Aushev of Cyber Unit Technologies told the Record. It’s also striking to see how commodified DDoS apps have become, freely provided and readily accessible, complete with short how-tos (and the shortest of how-tos is all that’s needed to operate them).
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
CISA releases two ICS security advisories.
On Tuesday, July 12th, the US Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control System (ICS) Advisories, one for Dahua ASI7213X-T1 ("mitigations for Improper Input Validation") and the other for Schneider Electric Easergy P5 and P3 (Update A) ("mitigation for Use of Hard-coded Credentials, Classic Buffer Overflow, and Improper Input Validation vulnerabilities in the Schneider Electric Easergy P5 medium voltage protection relay").
One addition to CISA's Known Exploited Vulnerabilities Catalog.
CISA also added an entry to its Known Exploited Vulnerabilities Catalog. The latest addition, which the Federal civilian executive agencies CISA oversees are expected to address by August 2nd, is CVE-2022-22047, a Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability. The remedy is to apply Microsoft's patch.
Patch Tuesday notes.
Yesterday was July's Patch Tuesday, and Microsoft released fixes for eighty-four issues, including the aforementioned CVE-2022-22047 that CISA wants US Federal agencies to take care of. SAP also patched, issuing twenty new security notes as well as three updates to earlier advisories.