More stories

  • Microsoft heads to court to take on imposter, homoglyph domains

    Microsoft has turned to the court system to take down domains designed to impersonate the firm in phishing attacks.

    On Monday, Microsoft’s Digital Crimes Unit (DCU) said a judge in the Eastern District of Virginia issued a court order that requires domain registrars to disable websites “used to impersonate Microsoft customers and commit fraud.” The complaint (.PDF), filed to pursue a preliminary injunction and restraining order, has been issued against “John Does,” terminology used to describe anonymous or unknown parties facing legal action.

    According to the DCU, Microsoft filed the case to try and clamp down on imposter domains, also known as homoglyph-based web addresses. In homoglyph attacks, fraudsters use similar-looking words, phrases, letters, numbers, or symbols to masquerade as a legitimate organization, whether this is Microsoft, Google, Facebook, PayPal, or another well-known brand.

    Attackers may send phishing emails, SMS messages, or social media notes containing links to an imposter domain that asks for account credentials or which may deploy exploit kits. If visitors fail to notice the small differences in a domain that reveal it is not a trusted source, they are more likely to become victims.

    When it comes to Microsoft, homoglyph domain examples include switching “o” for a zero, as in “micr0soft.com,” or using a lowercase “l” instead of an “i,” as in “mlcrosoft.com.”
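    One way a defender can screen newly registered or observed domains for the swaps described above (a zero for “o”, a lowercase “l” for “i”, plus a few Cyrillic look-alikes), as an added example that is not Microsoft’s or the article’s code; the confusables table, the protected-brand list and the sample domains are constructed assumptions, and the check reduces both sides to a common skeleton before comparing:

```python
"""Defender-side lookalike-domain check for the homoglyph swaps described above.

Added example, not Microsoft's or ZDNet's code. The confusables table and the
protected-brand list are constructed for illustration (assumptions); a real
deployment would load the Unicode confusables data and its own brand list.
"""
import unicodedata

# Two-character sequences that read as one letter; applied before the
# single-character substitutions below.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}

# Single characters commonly swapped for a brand's letters. Both "l" and "1"
# collapse to "i" so that "mlcrosoft" (the article's example) matches
# "microsoft" once both sides are reduced to the same skeleton.
CONFUSABLES = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "l": "i", "|": "i", "!": "i",
    # Cyrillic letters that render identically to their Latin counterparts
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

# Constructed protected-brand list (assumption), taken from the brands the
# article names; a defender would use the domains it is actually protecting.
PROTECTED_BRANDS = ("microsoft", "google", "facebook", "paypal")


def skeleton(label: str) -> str:
    """Reduce a domain label to a canonical skeleton so lookalikes compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats that are not pure homoglyphs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label directly left of the TLD, decoding punycode if present.

    Assumes a single-label public suffix (e.g. .com); a production check would
    consult the Public Suffix List instead.
    """
    parts = domain.strip().lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: fall through and compare the raw label
    return label


def impersonated_brand(domain: str, brands=PROTECTED_BRANDS):
    """Return the brand a domain appears to impersonate, or None.

    The genuine brand label is never flagged; everything else is flagged when
    its skeleton equals the brand's skeleton (homoglyph swap) or is one edit
    away from it (simple typosquat).
    """
    label = registrable_label(domain)
    if label in brands:
        return None
    sk = skeleton(label)
    for brand in brands:
        brand_sk = skeleton(brand)
        if sk == brand_sk or levenshtein(sk, brand_sk) <= 1:
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample domains: the article's two examples plus a Cyrillic "о".
    for d in ("micr0soft.com", "mlcrosoft.com", "micr\u043esoft.com",
              "login.rnicrosoft.com", "microsoft.com", "example.com"):
        print(f"{d:25} -> {impersonated_brand(d)}")
```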

    “We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks,” the company said.

    The court case stemmed from a customer who complained about a Microsoft-related BEC scam, resulting in the discovery of at least 17 imposter domains being used to siphon account credentials. In this case, the attackers leveraged a legitimate email sent from a compromised Office 365 customer account asking a business for advice on processing payments. The group then sent a malicious email containing a link to a homoglyph domain, urging payment to be made as quickly as possible — but, of course, the account details for a “subsidiary account” belonged to the criminals.

    Microsoft says that the attackers behind the BEC scam, who appear to originate from Africa, tend to target small businesses across the US. After using a malicious domain to grab employee credentials, the scam artists may infiltrate networks and then impersonate vendors, other members of staff, or customers to try and dupe the victim company into approving fraudulent payments and fake invoices.

    Microsoft hopes that the court order will further disrupt the owners of the malicious domains and will prevent them from easily shifting their infrastructure to other third-party services. The complaint follows 23 cases brought forward by the Redmond giant since 2010. Other legal actions include complaints against malware operators and state-sponsored hacking groups.

  • Cybersecurity company warns of American Rescue Plan Act scams as first IRS child tax credit payments released

    Cybercriminals are taking advantage of the latest round of IRS payments being sent out to families across the US by launching dozens of credential harvesting sites masquerading as American Rescue Plan Act signup sites, according to a new report from DomainTools.

    Last week, the IRS began sending out the first round of child tax credit payments that were part of the larger American Rescue Plan Act passed earlier this year. The payments will be sent automatically by the IRS and require no sign-up. But cybercriminals have created a maze of associated websites all aiming to trick people into entering their personal information by pretending to be associated with the child tax credit payments, DomainTools’ Chad Anderson explained.

    Anderson said that by analyzing historical WHOIS information and using OSINT techniques, the cybersecurity company was able to tie this specific credential harvesting scam to GoldenWaves Innovations, a web development firm based in Nigeria. ZDNet called and emailed GoldenWaves for comment but received no response.

    The fake sites look exactly like government websites, explain the payments in detail and ask users to “apply now.” One site, with the name “reliefcarefunds[.]com,” asks for names, addresses, social security numbers, photos of drivers’ licenses and even your mother’s maiden name. That site was connected to “americaforgivenrelieffund[.]com” and both were registered and hosted through NameCheap. DomainTools was able to tie those two sites and 39 other domains to an email address: goldenwaves247@gmail[.]com.

    Anderson said researchers found that many of the links associated with the email were also being sent out through Bitly link-shortening links, which allowed the people behind the scam to name the link “Unemployment Insurance Relief During COVID-19 Outbreak | American Rescue Plan Act.” These links brought the researchers to other sites that were hosted on Garanntor and OVH, providing them with even more information about the creator and tying all of the sites to an email address registered in Ibadan, Nigeria.

    “The city of Ibadan is a small, rural town which makes the registration information stand out as almost always technical contacts for Nigerian domains are located in Lagos, the capital city and technology center,” Anderson wrote. “Additional searches reveal the same username participating in sales on cybercrime forums, Steam gaming, and other social media sites.”

    Anderson added that it is with “medium confidence” that DomainTools’ researchers believe GoldenWaves Innovations — which is also registered in Ibadan — was a “legitimate web design firm in front of the identity document harvesting sites.” GoldenWaves Innovations has a working website with a CEO who has a full profile on LinkedIn.

    “Additionally, the historical WHOIS record unearths an address in New York, New York of 120 E 87th Street. This is an apartment building with condos ranging from $900,000 to $13,000,000 in the heart of Manhattan. While at first that seems strange for a company based in Nigeria, we can see from LinkedIn that one of the company’s developers claims to live in New York City,” Anderson said. “Looking at the CEO’s current contact information on LinkedIn we can see that GoldenWaves Innovations has a new website in goldenwaves[.]com[.]ng which is also tied to the same email address and registration information. This gives DomainTools researchers high confidence that all of these credential harvesting sites are linked to GoldenWaves Innovations in Nigeria. These sites along with any new ones that have cropped up were reported to Google Safe Browsing for blocking.”

    Anderson included a list of the domain names being used in the scam and told ZDNet that US law enforcement was informed about the sites. When asked why a seemingly legitimate business would tie itself to credential harvesting sites, Anderson said “it’s certainly sloppy” but added that this proved the usefulness of historical WHOIS data.

    Other cybersecurity experts, like Digital Shadows cyber threat intelligence analyst Stefano De Blasi, said that along with extracting credentials, impersonating domains are frequently leveraged to extract financial information, deploy malware on a victim’s machine, and distribute disinformation content.

    “Additionally, users may be tricked into opening these malicious pages via spear-phishing emails or SMS, as well as being redirected there from other illegitimate websites. In both cases, if an attacker knows enough of social engineering techniques to pressure a victim into opening the URL and inserting their credentials,” De Blasi told ZDNet. “Social engineering attacks remain a predominant initial attack vector for threat actors, thus certifying that they keep working on many people despite its rather simplistic approach. Registering these domains is a trivial task for most attackers, thanks to prepared phishing kits and tutorials that attackers can easily find in cybercriminal forums. However, when registering hundreds of malicious domains, a careless attacker may well leave some crucial pieces of evidence behind that can then be gathered and analyzed by security researchers to assess attribution.”

  • Rapid7 buys outside-the-perimeter security firm IntSights for $335 million

    Security automation technology firm Rapid7 this afternoon announced it will spend $335 million in cash and stock to buy New York-based, privately held IntSights to add “outside the wire” capabilities. In a press release announcing the deal, Rapid7 cited the phenomenon of digital transformation as having “exponentially” expanded the “perimeter” of networks. Rapid7 said it “will combine its community-infused threat intelligence and deep understanding of customer environments with IntSights’ external threat intelligence capabilities.”

    IntSights, known formally as IntSights CyberIntelligence, was founded in 2015 by veterans of Israel’s military intelligence units. The company has received $71 million in venture capital funding from parties including Gilot Capital Investments, Blackstone Private Equity, and Blumberg Capital. The company advertises its threat intelligence platform as detecting attacks before they reach the perimeter of a customer’s network. “Listen in on dark web chatter for up-to-the-minute details on what’s coming next for your organization,” is among the features touted by IntSights.

    Rapid7 was founded in 2000 and is based in Boston, Mass. In the same release, Rapid7 said its revenue and net income for the second quarter will come in higher than previously forecast. It also said its annualized recurring revenue rose 29%, year over year, to $489 million.

    Rapid7 expects to report full results on August 4th. 


  • Singapore goes online in hunt for intelligence officers

    Singapore has turned to the world wide web in its hunt for intelligence officers from “diverse backgrounds”. The Security and Intelligence Division (SID) unveiled its official website today, 55 years after it was established in 1966. Parked under the Ministry of Defence (Mindef), SID is the country’s external intelligence agency responsible for safeguarding the nation against external threats. It provides intelligence and assessments to local government agencies and analyses global developments that may affect Singapore’s security and national interests. These include transnational threats such as cybersecurity and terrorism, geopolitics, and foreign relations, according to a statement released Monday by Mindef. SID also communicates with foreign intelligence and security agencies, sharing information and insights on countering transnational threats.

    With the launch of its website, the agency said it hoped to provide some idea of its operations, even though much of these remained classified for national security reasons. In doing so, it aimed to attract a wider spectrum of recruits to join the agency.

    An SID spokesperson said: “Singapore is facing challenging security issues in an increasingly complex and volatile world. The information we collect and analyse to detect and counter threats comes from wide and varied sources. The technologies to make sense of such information are evolving rapidly.

    “By increasing SID’s visibility, the website will help us to recruit Singaporeans from diverse backgrounds with the right values and expertise who can contribute towards our mission. It will also help us to strengthen existing linkages and forge new partnerships.”

    According to the website, the agency offers roles across five key areas including technology, operations, and research. Specialised skills it seeks in technology include cybersecurity, data science and engineering, and software engineering, while roles in operations require specialised skills in cybersecurity and threat analysis and investigation.

    SID’s past counter-terrorism work led to the arrests of Jemaah Islamiyah terrorists who fled Singapore in the early 2000s and foiled a terror group’s plot to launch an attack on the Marina Bay Sands integrated resort in 2016, Mindef said. The Singapore Armed Forces (SAF) in March 2020 restructured to boost its capabilities to address emerging threats in cyber, counter-terrorism, and maritime. In cyber defence, specifically, Mindef and SAF said they would build up capabilities to safeguard against foreign actors that posed cyber threats to Singapore’s national security.

  • Law firm for Ford, Boeing, Exxon, Marriott, Walgreens and more hacked in ransomware attack

    Campbell Conroy & O’Neil, P.C., a law firm handling hundreds of cases for the world’s leading companies, has announced a large data breach that resulted from a ransomware attack in February. In a statement released on Friday, the law firm said it noticed unusual activity on its network on February 27. The firm later realized it was being hit with a ransomware attack and contacted the FBI as well as cybersecurity companies for help. Their investigation revealed that the hackers behind the attack gained access to a database with names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials. The law firm is offering those affected 24 months of free credit monitoring, fraud consultation, and identity theft restoration services. 

    Campbell Conroy & O’Neil is one of the world’s biggest law firms and boasts a client list that includes major corporate giants like Exxon, Ford, Toyota, British Airways, Boeing, Monsanto, Johnson & Johnson, Pfizer, Dow, Fisher-Price, Home Depot, Office Max, Walgreens, Toshiba and more.

    Last year, cybercriminals behind the REvil ransomware attacked Grubman Shire Meiselas & Sacks, a high-profile New York law firm with clients ranging from Lady Gaga, Madonna, Mariah Carey and Nicki Minaj to Bruce Springsteen, Bette Midler, U2, Outkast, Jessica Simpson, Cam Newton, Facebook and many more.

    Trevor Morgan, product manager at data security specialist comforte AG, said ransomware groups have long attacked law firms because of the amount of sensitive data they handle on a daily basis, adding that the attack against Campbell Conroy & O’Neil, P.C. was “discomfiting.”

    “Law firms house massive amounts of information about clients and legal cases—much of that privileged information—and most of that information is highly sensitive and can be used as leverage against the firms themselves (in ransomware attacks) and also to target other victims in a domino effect,” Morgan explained.

    “Law firms and legal service providers (such as processors of legal discovery data) should be paying attention to this breach and immediately assessing their defensive posture. If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it.”

  • MITRE announces first evaluations of cybersecurity tools for industrial control systems

    MITRE Engenuity announced on Monday the results of its first-ever ATT&CK Evaluations for Industrial Control Systems (ICS). 


    Researchers with MITRE used the Triton malware to test the detection ability of five different cybersecurity products from ICS vendors. MITRE has published the full results of the evaluation. Industrial control systems are used by many of the world’s most critical infrastructures, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities and more.

    MITRE Evaluations created a “curated knowledge base of adversary tactics, techniques and procedures based on known threats to industrial control systems” and used it to test products from Armis, Claroty, Microsoft, Dragos and the Institute for Information Industry.

    MITRE said in a statement that Triton had been created by Russia’s Central Scientific Research Institute of Chemistry and Mechanics and had been used to attack industrial control systems across North America, Europe and the Middle East. The malware stops officials from addressing hazards and other conditions by specifically targeting safety systems. The US Treasury Department imposed sanctions on the Russian institute after Triton was used to shut down a Saudi refinery.

    Otis Alexander, leader of the ATT&CK Evaluations for ICS, said they chose to emulate the Triton malware because it targets safety systems, which “prevent some of the worst consequences from happening when something goes wrong in an industrial control setting.”

    “The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs,” Alexander said. “Our evaluations are intended to take the guesswork out of the process while providing realistic expectations about what security products can provide.”

    According to MITRE, there are multiple ways ICS attacks can be detected and a number of different products that can handle the task. The study was part of a larger effort to help cybersecurity teams understand their tools and improve their work. The tests can help organizations understand which cybersecurity products are best at handling “volume of detections, the stage of attack when the detections occur, the types of data sources offered and how information may be presented.”

    Yuval Eldar, general manager for IoT/OT security at Microsoft, said that with recent attacks targeting core business operations, community collaboration will help improve security products. He thanked MITRE Engenuity for the chance to test their agentless Azure Defender for IoT solution and Azure Sentinel SIEM/SOAR solution. “We look forward to our continued partnership and building upon what we learned about the need for a holistic SIEM/XDR view across networks, endpoints, identity, and other domains in our clients’ IT/OT infrastructures,” Eldar said.

    The ICS evaluations are intended to help organizations decide between cybersecurity products. MITRE Engenuity also provides similar services for security products for enterprise networks. They recently used attacks from cybercrime groups FIN7 and Carbanak to test 29 different cybersecurity products.

    Frank Duff, general manager of the ATT&CK Evaluations program, said vendors trust the organizations “to improve their offerings, and the community trusts that we’ll provide transparency into the technology that is necessary to make the best decisions for their unique environment.” “Unlike closed door assessments, we use a purple teaming approach with the vendor to optimize the evaluation process,” Duff explained. “MITRE experts provide the red team while the vendor provides the blue team to ensure complete visibility, while allowing the vendor to learn directly from ATT&CK experts.”

  • DOJ charges four members of Chinese government hacking group

    The Justice Department announced charges against four Chinese nationals on Monday, accusing the men of being part of a hacking group that attacked “companies, universities, and government entities in the United States and abroad between 2011 and 2018.”

    According to a release from the DOJ, a San Diego federal grand jury returned the indictment of all four in May and it was unsealed on Friday. The indictment says Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin were members of the Hainan State Security Department working covertly within a front company called Hainan Xiandun Technology Development Co., Ltd.

    The goal of the operation, according to the Justice Department, was to steal information from companies that would help enterprises in China. The DOJ said the hackers were specifically looking for “information that would allow the circumvention of lengthy and resource-intensive research and development processes.”

    Operating out of Haikou, Hainan Province, the three are accused of “coordinating, facilitating, and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies.” Wu Shurong was also indicted for his role as a hacker who created malware, assisted the other three in breaking into computer systems, and allegedly supervised other Hainan Xiandun hackers.

    The DOJ noted that the group attacked companies across the US, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, UK, Austria, Cambodia, Canada, and Germany. Most of the attacks targeted companies working in the defense, education, healthcare, biopharmaceutical, and aviation sectors.

    “Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects),” the Justice Department statement said. “At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.”

    The indictment also accuses educators at universities in Hainan and across China of working with the country’s Ministry of State Security to help with the attacks. Deputy Attorney General Lisa Monaco said the charges highlight that China continues to use cyber-enabled attacks to steal what other countries make, calling the government’s actions representative of a “flagrant disregard of its bilateral and multilateral commitments.” “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe,” Monaco said.

    The DOJ noted that multiple cybersecurity firms have chronicled the group’s activities, giving them a variety of names over the years including Advanced Persistent Threat (APT) 40, BRONZE, MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope, and Temp.Jumper. The indictment lists the variety of hacking methods used to break into companies’ systems, detailing how the group used spearphishing emails, hijacked credentials, and more.

    “The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks,” the indictment said. “The conspiracy’s malware included those identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka mt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords.”

    The indictment notes that the hackers used anonymizer services, Dropbox Application Programming Interface (API) keys, and even GitHub during their attacks. All four defendants have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit economic espionage. Combined, the two charges carry a maximum sentence of 20 years in prison.

    Acting US Attorney Randy Grossman tied the indictment to the larger announcements that came out on Monday, where dozens of countries accused China of a widespread hacking campaign. Grossman said the indictment “demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate,” while also claiming the actions threaten the US economy and national security.

    The FBI and CISA released an advisory designed to help organizations defend against some of the tactics deployed by the four hackers indicted. The Joint Cybersecurity Advisory has “technical details, indicators of compromise, and mitigation measures.”

    “The charges outlined today demonstrate China’s continued, persistent computer intrusion efforts, which will not be tolerated here or abroad,” said Special Agent in Charge Suzanne Turner of the FBI’s San Diego Field Office. “We stand steadfast with our law enforcement partners in the United States and around the world and will continue to hold accountable those who commit economic espionage and theft of intellectual property.”

  • UK and White House blame China for Microsoft Exchange Server hack

    The UK government has formally laid the blame for the Microsoft Exchange Server cyberattack at the feet of China. 

    On Monday, the government joined others — including the victim company itself, Microsoft — in claiming the cyberattack was the work of Chinese state-sponsored hackers, namely Hafnium, an advanced persistent threat (APT) group. The United States, NATO, and the EU have joined the UK in condemning the attack.

    Foreign Secretary Dominic Raab deemed the attack “by Chinese state-backed groups” a “reckless but familiar pattern of behavior.” “The Chinese Government must end this systematic cyber sabotage and can expect to be held [to] account if it does not,” Raab added.

    Earlier this year, suspicious activity was detected and linked to four zero-day vulnerabilities in on-prem Microsoft Exchange Servers. In March, the Redmond giant issued emergency patches to mitigate the threat to its customers; however, the vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — were exploited, compromising an estimated 30,000 organizations in the US alone.

    The European Banking Authority was one of the most high-profile victims of the attack. Following the incident, the malware was discovered on over 2,000 machines belonging to businesses in the United Kingdom.

    The UK government believes the attack was likely conducted for “large-scale espionage”, including the theft of information and intellectual property by hackers sponsored by the People’s Republic of China (PRC). Furthermore, UK officials say that the Chinese Ministry of State Security is backing two other groups, known as APT40 (TEMP.Periscope/TEMP.Jumper/Leviathan) and APT31 (Judgement Panda/Zirconium/Red Keres).

    According to the National Cyber Security Centre (NCSC), APT40 is responsible for targeting the maritime industry and naval contractors in the United States and Europe, and the agency assesses with high confidence that the Chinese Ministry of State Security is backing the group, which “operates to key Chinese State Intelligence requirements.” In addition, the NCSC says that APT31 is responsible for targeting government and political figures, including the Finnish Parliament, in 2020. “[The] NCSC is almost certain that APT31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security,” the agency added.

    “The Chinese government has ignored repeated calls to end its reckless campaign, instead [of] allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught,” UK officials commented. “This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data, and commercial interests of those with whom it seeks to partner.”

    The government has also called on China to desist in its alleged attempts to conduct or support IP and trade secrets theft through cyberattacks.

    Update 15.33 BST: The UK, NATO, US, and EU have allied in their stance against alleged Chinese cyberattacks. Together with the UK, the White House has issued a joint statement criticizing China’s alleged behavior. “In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the US government claims. “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”

    The US Department of Justice (DoJ) has also indicted four Chinese nationals suspected of being members of China’s Ministry of State Security (MSS), as well as APT40. They are accused of “hacking into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.” The DoJ alleges that the MSS has been involved in cyberattacks against victims in the US, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.