Archive for September 6, 2022

PhaaS, EvilProxy, With MFA Bypass Surfaced In Dark Web

Posted in Commentary on September 6, 2022 by itnerd

A new Phishing-as-a-Service (PhaaS) dubbed EvilProxy, identified by Resecurity, is being advertised on the Dark Web, allowing cybercriminals to bypass two-factor security. And this revelation is making me nervous:

EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxifying the victim’s session. Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups; however, now these methods have been successfully productized in EvilProxy, which highlights the significance of growth in attacks against online services and MFA authorization mechanisms.

Based on the ongoing investigation surrounding the result of attacks against multiple employees from Fortune 500 companies, Resecurity was able to obtain substantial knowledge about EvilProxy, including its structure, modules, functions, and the network infrastructure used to conduct malicious activity. Early occurrences of EvilProxy have been initially identified in connection to attacks against Google and MSFT customers who have MFA enabled on their accounts – either with SMS or Application Token.

Brian Johnson, Chief Security Officer at Armorblox

“As Phishing-as-a-Service schemes take off in the dark web, it becomes easier for attackers to do very sophisticated campaigns to steal credentials, even while mimicking MFA. Reducing exposure to these involves eliminating targeted credential phishing attacks over email with a modern email security solution. It also needs more user awareness training around verifying 2FA notifications that they receive, to ensure that it was generated based on an actual login attempt by them.”

Nick Ascoli, VP of Threat Research, PIXM

Based on what we are seeing in other similar 2-factor relay attacks, this relay is more sophisticated and fully automated. Seeing these techniques make their way into commodity adversary tooling and marketplaces is going to challenge the security of MFA for virtually all organizations, not just those targeted by the more sophisticated groups and APTs. Without in-browser detection and blocking of this login page, the protection of MFA is in many cases completely nullified.

This is pretty disturbing, as MFA is considered to be a great way to protect yourself. As a result of this revelation, businesses may have to rethink how they protect themselves from being pwned, as clearly MFA isn’t as good as we thought it was.
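As an added example (not code from the original post or from Resecurity): the relay described above hands the attacker a post-MFA session cookie, so one defender-side signal is that cookie being presented from a client that differs from the one that completed MFA. The log records, field layout and function name below are constructed for this example.

```python
"""Flag session cookies reused from a client other than the one that passed MFA.

A reverse-proxy phishing relay completes MFA from the proxy and then replays the
captured cookie from the attacker's own machine, so the session's client
fingerprint changes right after MFA success. All log data here is constructed.
"""

# Constructed auth log: (unix_ts, event, session_id, client_ip, user_agent)
SAMPLE_LOG = [
    (1000, "mfa_ok", "sess-A", "203.0.113.10", "Mozilla/5.0 (Windows) Chrome/105"),
    (1030, "request", "sess-A", "203.0.113.10", "Mozilla/5.0 (Windows) Chrome/105"),
    (1100, "mfa_ok", "sess-B", "198.51.100.7", "Mozilla/5.0 (Windows) Chrome/105"),
    (1400, "request", "sess-B", "192.0.2.55", "curl/7.85.0"),
]


def find_replayed_sessions(log, window_seconds=3600):
    """Return {session_id: reasons} for sessions used, within window_seconds of
    MFA success, from an IP or User-Agent that differs from the MFA client."""
    origin = {}   # session_id -> (ts, ip, ua) captured at MFA success
    flagged = {}
    for ts, event, sid, ip, ua in sorted(log, key=lambda r: r[0]):
        if event == "mfa_ok":
            origin[sid] = (ts, ip, ua)   # (re)bind the session to this client
            continue
        if sid not in origin:
            continue                     # no MFA record for this session; skip
        mfa_ts, mfa_ip, mfa_ua = origin[sid]
        if ts - mfa_ts > window_seconds:
            continue                     # outside the detection window
        reasons = []
        if ip != mfa_ip:
            reasons.append("ip_changed")
        if ua != mfa_ua:
            reasons.append("user_agent_changed")
        if reasons:
            flagged.setdefault(sid, set()).update(reasons)
    return {sid: sorted(r) for sid, r in flagged.items()}


if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"{sid}: possible cookie replay ({', '.join(reasons)})")
```

Mobile clients change IP legitimately (carrier NAT, roaming), so treat an IP-only change as a signal to correlate with login-IP reputation rather than an automatic block; a User-Agent change on the same session is the stronger indicator.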

OVHcloud Bring Your Own IP Service Aims At Facilitating Move To Cloud

Posted in Commentary on September 6, 2022 by itnerd

Following an early access period, OVHcloud is about to offer the Bring Your Own IP (BYOIP) import service. As IPv4 addresses are scarce, it allows customers to import, via the OVHcloud Control Panel, their existing ranges of public IPv4 addresses to use as blocks of IP failover addresses. Thus, the move to cloud is made easier, with less work required on network planning. Moreover, customers continue to benefit from the work they have already done on reputation management of their IP addresses. True to its principles, OVHcloud maintains reversibility; when the time comes, customers’ IPv4 addresses will be free of any vendor lock-in.

IP addresses are imported and segmented in block sizes ranging from /24 up to /19. OVHcloud also offers BYOAS to authorize importing customers’ AS numbers, further enhancing the reputational aspect. The BYOIP service is available with Bare Metal Cloud, Hosted Private Cloud and Public Cloud products, as well as vRack and IP Load Balancer.

With the convenience of monthly billing and no setup fee or commitment, the service will roll out in the coming weeks for all their datacenters, subject to the eligibility of customers’ IP addresses.

You can find out more here: OVHcloud Bring Your Own IP (BYOIP)

InterContinental Hotels Group Appears To Have Been Pwned

Posted in Commentary on September 6, 2022 by itnerd

This is still a developing story. But Brian Krebs, who is a go-to guy when it comes to hackers, scammers, and computer security news, is reporting this:

The news that the company disclosed to the London Stock Exchange doesn’t say anything useful. Thus it isn’t really clear what’s going on. From reading it, the hack looks like ransomware. But until the company decides to give an update, we can only guess.

Watch this space for more details.

The Los Angeles Unified School District Pwned By Ransomware

Posted in Commentary on September 6, 2022 by itnerd

The Los Angeles Unified School District has disclosed a ransomware attack which hit its IT systems over the weekend. The school district, which has more than 640,000 K-12 students enrolled and covers LA and LA County, posted this on Twitter:

Dr. Darren Williams, CEO and Founder of BlackFog had this to say:

“With the education vertical typically being underfunded, under-resourced and in many cases reliant on antiquated cybersecurity tools to prevent cyberattacks, it’s unlikely we’ll see this change in the near future. Cybercriminals will continue to target organizations with weak cybersecurity defenses and a plethora of sensitive data they can exfiltrate and leverage for extortion. Often, we see smaller school districts being targeted; unfortunately for LAUSD, 640,000 students will undoubtedly feel the pain from this incident.”

Clearly this was timed to coincide with the return to school so that it had the maximum effect. We can expect to see more of this behaviour, as there is clearly a perceived value for ransomware gangs in executing their attacks in this manner.

Guest Post: Summer of The Scam: Key Online Scams On The Rise

Posted in Commentary on September 6, 2022 by itnerd

By Hank Schless, Senior Manager of Security Solutions at Lookout

Online scammers create new and deceptive schemes every day in hopes of swindling unsuspecting victims out of their time, money and resources. Consumers reported $5.8 billion in fraud to the Federal Trade Commission last year, a 70 percent increase from 2020. Here are some of the trending scams:

  • Romance Meets Cryptocurrency: In 2021, online daters lost a record $547 million to romance scams, according to a report from the Federal Trade Commission. Scammers are now using online dating platforms to trick victims into investing in cryptocurrency accounts before disappearing with their money. It’s a months-long trust-building scam known as “pig butchering.”
  • SIM Swapping: This is an attack where scammers fake your identity with a mobile carrier to gain access to your phone number. From there, they use “Forgot Password” for critical online accounts – think banking, investments and social media – and intercept the two-factor authentication text messages. In 2021, this scam resulted in losses of over $68 million, and it is still a very popular and effective scam today.
  • Back To School Scams: In August, many parents post “first day of school” photos on social media with their child holding a chalkboard or sign with details about the child’s teacher, school, birth date, height, interests, favorite colors, etc. While it’s wonderful to share updates with friends and family, the Better Business Bureau issued a warning to families about oversharing personal information on social media due to privacy concerns and online scammers. The Federal Trade Commission also issued a warning about back-to-school shoppers being targeted by online scams.
  • Rental Scams: This scam is not necessarily “new” and traditionally targets consumers trying to rent a home, but with the red-hot rental market and the use of social media websites to advertise rental properties, this scam has regained steam. According to the FBI, 11,578 people nationwide reported losing over $350 million through rental and real estate scams in 2021, with a major uptick in victims this summer. There’s even a spinoff of this scam for vacation rentals.