Friday Five 1/22
Copycats, searchable phishing campaigns, and cybersecurity policy in the new administration - catch up on all of the week's infosec news with the Friday Five!
1. The SolarWinds Hackers Used Tactics Other Groups Will Copy by Lily Hay Newman
After any major cyberattack there is a fear that there will be copycat attacks using the same tactics. In the case of the SolarWinds breach, the attack showed how successful a supply-chain compromise can be as a route to system authentication tokens for Microsoft 365 and Azure. Once inside, attackers can generate legitimate-looking tokens to gain access to accounts and create new accounts, which they can then use to move laterally through the environment. Now that the technique is known, the security community is racing to come up with a way to prevent similar attacks. In the meantime, SAML token manipulation continues to be a risk for almost all cloud users. Organizations should double-check that any servers holding token-signing certificates are secure, and should limit access to authentication systems to a small number of closely monitored accounts.
2. Joker's Stash Carding Market to Call it Quits by Brian Krebs
Joker’s Stash, a black-market forum for selling identity and credit card information, will be closing in mid-February. The closure announcement comes weeks after U.S. and European authorities seized a number of the organization’s servers. The illicit store has been open since 2014, but recently customers have complained of increasingly poor card data quality. There was some speculation that the poor card data could be traced to the curator of the store being hospitalized with Covid-19. Though the site is closing, financially it has been remarkably successful: over the last few years, it is estimated to have generated more than a billion dollars in revenue. As Joker’s Stash closes, it will be interesting to see which forums take its place.
3. DNSpooq lets attackers poison DNS cache records by Catalin Cimpanu
A report this week disclosed seven vulnerabilities impacting a DNS software package that's commonly found in access points and routers. The impacted software, when operating normally, improves internet speed by preventing unnecessary recursive traffic. Unfortunately, the vulnerable software has made it into devices worldwide, potentially affecting Cisco devices, Android smartphones, and an assortment of firewalls, routers, and other networking gear. To make matters worse, the vulnerabilities can be combined to poison DNS cache entries, which allows attackers to send users to clones of legitimate websites. While users wait for patches, they can configure another DNS server, such as Cloudflare or Google, and send DNS requests to it directly.
4. The Cybersecurity 202: Here's what lawmakers want Biden to do on cybersecurity in his first 100 days by Tonya Riley
As the new administration takes office, it must figure out how to respond to a range of cybersecurity problems, notably the SolarWinds breach that has impacted several federal agencies. It must also contend with the various lawmakers who have suggestions for cybersecurity policy, many of which are drawn from the Cyberspace Solarium Commission. One immediate change is that Biden is expected to take a much harder stance against Russia than his predecessor, especially as Russia is being blamed for the SolarWinds attack. The Biden administration is also pushing for greater international cooperation and stronger partnerships with the private sector. There is hope that an increased focus on cybersecurity from the White House will help solve some of the larger cyber challenges facing the US and the cybersecurity industry.
5. This phishing scam left thousands of stolen passwords exposed through Google search by Charlie Osborne
A phishing campaign targeting the construction and energy sectors exposed stolen credentials that could be viewed through a Google search. The campaign used fake email templates that mimicked Xerox scan notifications. Though the infection campaign was relatively simple, it was able to bypass Office 365 ATP and stole over a thousand corporate employee credentials. The stolen information was stored on compromised WordPress domains, which were then crawled and indexed by Google, making the credentials searchable. Altogether, it was a surprising way to discover a phishing campaign.