The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

founded 1 year ago

Tesla Data Breach Investigation Reveals Inside Job

The carmaker also reported it's taken legal action against the former employees involved in the data breach, which involved more than 75,000 names.


FBI and NCSC Warn of Foreign Cyberattacks on US Space Sector

By Habiba Rashid

Foreign cyber spies are targeting the US space industry for secrets and technology, the FBI, NCSC, and AFOSI warn.

This is a post from HackRead.com. Read the original post: FBI and NCSC Warn of Foreign Cyberattacks on US Space Sector


Fed Warning: US Space Industry Subject To Foreign Spying, Disruptions

The space industry must improve security as foreign intelligence entities seek to steal trade secrets and disrupt space-based infrastructure, US agencies caution.


Energy One Investigates Cyberattack

Energy One is trying to determine the initial point of entry and whether personal information has been compromised.


Why Your Business Needs to Take Cybersecurity Seriously: A Closer Look

The business landscape is rapidly changing. Now, 61% of businesses use either one or multiple clouds in their organization (source: Exploding Topics). This is great, as using cloud technology provides businesses with a ton...

The post Why Your Business Needs to Take Cybersecurity Seriously: A Closer Look appeared first on Penetration Testing.


Sneaky Amazon Google ad leads to Microsoft support scam


A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser.

Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results.

The advertisement shows Amazon's legitimate URL, just like in the company's typical search result, as shown below.

Fake Amazon ad in Google search results
Source: BleepingComputer

However, clicking on the Google ad redirects the visitor to a tech support scam posing as a Microsoft Defender alert, which claims the machine is infected with a supposed "ads(exe).finacetrack(2).dll" malware.

Tech support scam from fake Amazon ad
Source: BleepingComputer

These tech support scams will automatically go into full-screen mode, making it hard to get out of the page without terminating the Google Chrome process.

However, when Chrome is terminated in this way, on the relaunch, it will prompt users to restore the previously closed pages, reopening the tech support scam.

A demonstration of today's fake Amazon Google ad leading to the tech support scam site can be seen below.

[Video demonstration: https://player.vimeo.com/video/856479643]

In June 2022, Malwarebytes discovered a legitimate-looking YouTube ad that also used the platform's URL, leading to the same tech support scam.

It's unclear why Google allows advertisers to impersonate other companies' URLs to create these convincing advertisement scams.

Google ads abused to distribute malware

BleepingComputer reached out to both Google and Amazon regarding this malvertising but has not received a response at the time of this publication.

Google advertisements have been heavily abused over the past year by other threat actors to distribute malware, which sometimes leads to ransomware attacks.

The threat actors would create replicas of legitimate sites but swap the download links to distribute trojanized programs that install malware.

The Royal ransomware operation also creates Google advertisements promoting malicious sites that install Cobalt Strike beacons. These beacons are used to provide initial access to corporate networks to conduct ransomware attacks.


Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability

A critical-severity vulnerability in the Ivanti Sentry (formerly MobileIron Sentry) product exposes sensitive API data and configurations.

The post Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability appeared first on SecurityWeek.


The Ultimate New Hire Onboarding Checklist: Your Roadmap to Success

By Owais Sultan

Onboarding new hires is not as simple as saying, “Welcome Aboard!” You have to navigate this tricky process…

This is a post from HackRead.com. Read the original post: The Ultimate New Hire Onboarding Checklist: Your Roadmap to Success


New HiatusRAT campaign targets Taiwan and U.S. military procurement system

HiatusRAT malware operators resurfaced with a new wave of attacks targeting Taiwan-based organizations and a U.S. military procurement system. In March 2023, Lumen Black Lotus Labs researchers uncovered a sophisticated campaign called “HiatusRAT” that infected over 100 edge networking devices globally. Threat actors leveraged edge routers, or “living on the edge” access, to passively collect […]

The post New HiatusRAT campaign targets Taiwan and U.S. military procurement system appeared first on Security Affairs.


BlackCat ransomware group claims the hack of Seiko network

The BlackCat/ALPHV ransomware group claims to have hacked the Japanese maker of watches Seiko and added the company to its data leak site. On August 10, 2023, the Japanese maker of watches Seiko disclosed a data breach following a cyber attack. “Seiko Group Corporation (hereinafter referred to as “the Company” or “we”) has confirmed that […]

The post BlackCat ransomware group claims the hack of Seiko network appeared first on Security Affairs.


Flawless IPTV Fugitive Detained in Thailand Following UK Police Request

In May five men behind pirate IPTV service Flawless TV were sentenced to more than 30 years in prison following a Premier League prosecution. Fugitive Zak Smith was detained in Thailand last month and now faces sentencing back in the UK. Photographs of his arrest have been circulating in Thailand along with an allegation of Smith selling IPTV from a rented home. TorrentFreak was able to review a video recorded by the authorities that has clearly been edited.

From: TF, for the latest news on copyright battles, piracy and more.


CVE-2023-38035: Ivanti Sentry API Authentication Bypass Vulnerability Being Exploited in the Wild

Ivanti, a US-based IT software company, has warned customers that a critical vulnerability in its Sentry API is being exploited in the wild. The vulnerability, tracked as CVE-2023-38035, allows unauthenticated attackers to gain access...

The post CVE-2023-38035: Ivanti Sentry API Authentication Bypass Vulnerability Being Exploited in the Wild appeared first on Penetration Testing.


Ex-USSS CISO Explains Agencies' Struggle with Biden EO

Ed Cabrera, former CISO of the US Secret Service and current Chief Cybersecurity Officer for Trend Micro, explains why Federal agencies are slow to comply with Biden's cybersecurity executive order.


Ongoing Duo outage causes Azure Auth authentication errors


Cisco-owned multi-factor authentication (MFA) provider Duo Security is investigating an ongoing outage that has been causing authentication failures and errors starting three hours ago.

The outage also led to Core Authentication Service issues across multiple Duo servers, triggering Azure Auth authentication errors for Azure Conditional Access integrations in a systemwide outage.

While the Azure Auth issue auto-resolved, customers are still reporting problems, including authentication slowness and failures when logging in.

Some users also see "System under heavy load. Please wait a few minutes and try again." errors when trying to sign in using Duo, according to reports on the outage tracking site DownDetector.

"We are currently investigating authentication errors on DUO1 and are working to correct the issue as soon as possible," the company said in an incident report filed over three hours ago.

"We are continuing to work towards a resolution for these errors," Duo added 30 minutes ago, following a previous update saying that it had "identified the issue causing authentication slowness and failures to load the Duo Prompt and are working toward resolution."

Ongoing Duo outage

According to the company's status page, Duo's cloud-hosted single sign-on (SSO) and push delivery services are currently affected by major outages.

On the other hand, the HTTPS (TCP/443) and LDAP (TCP/389) / LDAPS (TCP/636) endpoints used by its Core Authentication Service were only hit by what Duo describes as a partial outage.

Duo's MFA, SSO, remote access, device trust, and access control services are used by over 40,000 customers, ranging from small and medium businesses to state, local, and federal government agencies.

This is a developing story...


New Malware Turns Windows and macOS Devices into Proxy Nodes

By Habiba Rashid

Malware-Driven Proxy Servers Exploit Unsuspecting Users.

This is a post from HackRead.com. Read the original post: New Malware Turns Windows and macOS Devices into Proxy Nodes


Benefits of Using an Anonymous Bitcoin Wallet in 2023

By Owais Sultan

An anonymous Bitcoin wallet makes it possible to extend the level of anonymity when transferring cryptocurrencies to a…

This is a post from HackRead.com. Read the original post: Benefits of Using an Anonymous Bitcoin Wallet in 2023


Ivanti warns of new actively exploited MobileIron zero-day bug


US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.

Ivanti Sentry (formerly MobileIron Sentry) functions as a gatekeeper for enterprise ActiveSync servers such as Microsoft Exchange Server, or for backend resources such as SharePoint servers, in MobileIron deployments, and it can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.

Discovered and reported by security researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).

This is possible after they bypass authentication controls by taking advantage of an insufficiently restrictive Apache HTTPD configuration.

Successful exploitation allows them to change configuration, run system commands, or write files onto systems running Ivanti Sentry versions 9.18 and prior.

Ivanti advised admins not to expose MICS (port 8443) to the Internet and to restrict access to it to internal management networks.

"As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM," Ivanti said.

"Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for all supported versions. We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version," the company added.

Ivanti provides detailed information on applying the Sentry security updates onto systems running supported versions in this knowledgebase article.


Other Ivanti bugs exploited in attacks since April

Since April, state-sponsored hackers have exploited two additional security vulnerabilities within Ivanti's Endpoint Manager Mobile (EPMM), previously known as MobileIron Core.

One of them (tracked as CVE-2023-35078) is a significant authentication bypass that was abused as a zero-day to breach the networks of various governmental entities in Norway.

The vulnerability can also be chained with a directory traversal flaw (CVE-2023-35081), which lets a threat actor who already holds administrative privileges write web shells onto the compromised appliance.

"Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network," CISA said in an advisory published in early August.

The CISA joint advisory with Norway's National Cyber Security Centre (NCSC-NO) followed orders issued earlier this month asking U.S. federal agencies to patch the two actively exploited flaws by August 15 and August 21.

One week ago, Ivanti also fixed two critical stack-based buffer overflows, tracked collectively as CVE-2023-32560, in its Avalanche software, an enterprise mobility management (EMM) solution; exploitation could lead to crashes and arbitrary code execution.


Japanese watchmaker Seiko breached by BlackCat ransomware gang


The BlackCat/ALPHV ransomware gang has added Seiko to its extortion site, claiming responsibility for a cyberattack disclosed by the Japanese firm earlier this month.

Seiko is one of the world's largest and most historic watchmakers, with roughly 12,000 employees and an annual revenue that surpasses $1.6 billion.

On August 10th, 2023, the company published a data breach notice stating that an unauthorized third party had gained access to at least part of its IT infrastructure and accessed or exfiltrated data.

"It appears that [on July 28, 2023] some as-yet-unidentified party or parties gained unauthorized access to at least one of our servers," reads Seiko's announcement.

"Subsequently, on August 2nd, we commissioned a team of external cybersecurity experts to investigate and assess the situation."

"As a result, we are now reasonably certain that there was a breach and that some information stored by our Company and/or our Group companies may have been compromised."

Seiko apologized to the potentially impacted customers and business partners and urged them to be vigilant against email or other communication attempts potentially impersonating Seiko.

BlackCat assuming responsibility

Today, the BlackCat ransomware group claimed to be behind the attack on Seiko, posting samples of data that they claim to have stolen during the attack.

In the listing, the threat actors mock Seiko's IT security and leak what appear to be production plans, employee passport scans, new model release plans, and specialized lab test results.

Most worryingly, the threat actors have leaked samples of what they claim are confidential technical schematics and Seiko watch designs.

Seiko listed on ALPHV website
Source: BleepingComputer

This indicates that BlackCat very likely possesses drawings that showcase Seiko internals, including patented technology, which would be damaging to publish and expose to competitors and imitators.

BlackCat is one of the most advanced and notorious ransomware gangs actively targeting the enterprise, constantly evolving its extortion tactics.

For example, the group was the first to set up a clear-web website dedicated to leaking data from a single victim and, more recently, created a data leak API that makes distributing stolen data easier.

BleepingComputer has contacted Seiko for additional comments on the threat actor's claims, but we have not received a response by publication time.


Exploring the Potential Impact of a Bitcoin Spot ETF Approval

By Owais Sultan

The US Securities and Exchange Commission (SEC) is currently reviewing applications from several institutions for a spot Bitcoin…

This is a post from HackRead.com. Read the original post: Exploring the Potential Impact of a Bitcoin Spot ETF Approval


New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC

A high-severity security flaw has been disclosed in the WinRAR utility that could be potentially exploited by a threat actor to achieve remote code execution on Windows systems. Tracked as CVE-2023-40477 (CVSS score: 7.8), the vulnerability has been described as a case of improper validation while processing recovery volumes. "The issue results from the lack of proper validation of user-supplied


Generative AI Is Scraping Your Data. So, Now What?

AI innovation is moving faster than our laws and regulations, making it hard to decide whether Web or content scraping activity is good or bad, and what (if anything) you should do about it.


Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer

Cyfirma security researchers uncover the real identity of the CypherRAT and CraxsRAT malware developer and MaaS operator.

The post Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer appeared first on SecurityWeek.


DEF CON's AI Village Pits Hackers Against LLMs to Find Flaws

Touted as the largest red teaming exercise against LLMs in history, the AI Village attracted more than 2,000 hackers and throngs of media.


Tenable Cyber Watch: White House Tackles Cyber Skills Shortage, Cost of Data Breaches Keeps Rising, and more

Interested in how the White House plans to tackle the cybersecurity skills shortage? Want to know how you can reduce the cost of a data breach? Looking for security guidance for 5G network slicing?

We’ve got you covered in this week’s edition of the Tenable Cyber Watch, our weekly video news digest highlighting three cybersecurity topics that matter right now.

Here’s what’s happening in cyber. Today, we’re sharing:

  • White House tackles cyber skills shortage
  • IBM: Data breach costs keep rising
  • NSA and CISA offer security guidance for 5G network slicing

Every Monday at 9am ET, the Tenable Cyber Watch brings you cybersecurity news you can use. Watch this week’s episode below and subscribe to our playlist on YouTube.


Australian Lender Latitude Financial Reports AU$76 Million Cyberattack Costs

Australian lender Latitude Financial said the recent ransomware attack has cost it AU$76 million (roughly US$50 million).

The post Australian Lender Latitude Financial Reports AU$76 Million Cyberattack Costs appeared first on SecurityWeek.
