Friday Five 7/15
This week saw the conviction of a former CIA engineer, a brief takedown of Congress.gov, and news of a promising decline in ransomware. Read about all of this and more in this week's Friday Five!
1. Ongoing phishing campaign can hack you even when you’re protected with MFA by Dan Goodin
In a recent blog post, Microsoft detailed a large-scale phishing campaign that has targeted more than 10,000 organizations since September 2021 and uses adversary-in-the-middle (AiTM) phishing sites to steal credentials and bypass multi-factor authentication. In the attacks, the threat actors stand up a proxy site between the victim and the legitimate login page: the victim completes the real sign-in (including the MFA prompt) through the proxy, which captures both the password and the session cookie that proves the user's authenticated session with the website. According to the Microsoft 365 Defender Research Team, “in multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account." Because the second factor is relayed along with everything else, one-time codes and push approvals do not stop this; only credentials bound to the real site's origin (such as FIDO2/WebAuthn keys) or access policies that require a compliant device do. Read the full story from Ars Technica to find out where Microsoft first observed these attacks and how the stolen sessions were then used against organizations.
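The practical follow-up to this story is hunting for it: a session cookie stolen by an AiTM proxy gets replayed from the attacker's machine, so the same session id turns up from a new network (and usually a new browser) shortly after the victim's interactive MFA sign-in. The following is an added example, not code from the original post or from Microsoft; the event field names and the sample sign-in events are constructed for illustration and only loosely modelled on cloud identity sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real telemetry). Field names are
# assumptions: "interactive" marks a sign-in where the user typed credentials
# and satisfied MFA; "mfa_claim" marks a session whose cookie/token carries
# the MFA claim, which is exactly what an AiTM proxy walks away with.
SAMPLE_EVENTS = [
    # alice: interactive MFA sign-in, then the same session used 4 minutes
    # later from a different network AND a different browser -> classic replay
    {"time": "2022-07-11T08:02:10Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "interactive": True, "mfa_claim": True, "user_agent": "Chrome/103 Windows"},
    {"time": "2022-07-11T08:06:40Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.77", "interactive": False, "mfa_claim": True, "user_agent": "Firefox/102 Linux"},
    # bob: same session, same IP, later token refresh -> normal
    {"time": "2022-07-11T08:30:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "203.0.113.22", "interactive": True, "mfa_claim": True, "user_agent": "Edge/103 Windows"},
    {"time": "2022-07-11T09:10:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "203.0.113.22", "interactive": False, "mfa_claim": True, "user_agent": "Edge/103 Windows"},
    # carol: network changed but the browser did not (laptop moved to a hotspot?)
    # -> worth a look, but lower severity than alice
    {"time": "2022-07-11T10:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "203.0.113.40", "interactive": True, "mfa_claim": True, "user_agent": "Safari/15 macOS"},
    {"time": "2022-07-11T12:15:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "192.0.2.9", "interactive": False, "mfa_claim": True, "user_agent": "Safari/15 macOS"},
    # dave: IP change 14 hours after issuance, outside the hunting window -> ignored
    {"time": "2022-07-11T06:00:00Z", "user": "dave@example.com", "session_id": "s-4004",
     "ip": "203.0.113.55", "interactive": True, "mfa_claim": True, "user_agent": "Chrome/103 Windows"},
    {"time": "2022-07-11T20:00:00Z", "user": "dave@example.com", "session_id": "s-4004",
     "ip": "198.51.100.3", "interactive": False, "mfa_claim": True, "user_agent": "Chrome/103 Windows"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(events, window=timedelta(hours=8)):
    """Flag sessions whose cookie is used from a new IP soon after MFA issuance.

    For each session id, the first interactive sign-in that carries the MFA
    claim is treated as the issuing event. Any later non-interactive use of the
    same session from a different IP within `window` is reported. Severity is
    'high' when the user agent also changed (a cookie imported into the
    attacker's browser) and 'medium' when only the network changed (could be
    a legitimately roaming user). Later interactive sign-ins are skipped: the
    user proved MFA again, so they are not a replay of the stolen cookie.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["time"]))
        issue = next((e for e in evs if e["interactive"] and e["mfa_claim"]), None)
        if issue is None:
            continue  # no MFA-backed issuance seen; nothing to compare against
        t0 = parse_ts(issue["time"])
        for ev in evs:
            t = parse_ts(ev["time"])
            if t <= t0 or ev["interactive"] or t - t0 > window:
                continue
            if ev["ip"] == issue["ip"]:
                continue
            severity = "high" if ev["user_agent"] != issue["user_agent"] else "medium"
            findings.append({
                "session_id": sid,
                "user": ev["user"],
                "severity": severity,
                "issued_from": issue["ip"],
                "reused_from": ev["ip"],
                "minutes_after_mfa": int((t - t0).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} session {f['session_id']}: issued from "
              f"{f['issued_from']}, reused from {f['reused_from']} "
              f"{f['minutes_after_mfa']} min after MFA")
```

Run against the constructed events, the detector reports alice's session as high severity and carol's as medium, and stays quiet for bob and dave. Tune `window` and the IP comparison (a /24 or ASN comparison cuts noise from mobile carriers) to your environment; the point is that the MFA claim on a replayed cookie is a property of the session, not proof that the current client ever saw the MFA prompt.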
2. Former CIA Engineer Convicted of Leaking ‘Vault 7’ Hacking Secrets to WikiLeaks by Ravie Lakshmanan
Joshua Schulte, a former programmer with the U.S. Central Intelligence Agency (CIA), was convicted of leaking at least 91 hacking tools and exploits to WikiLeaks nearly four years after being originally charged for the crime. The tools and exploits, dubbed Vault 7, were considered "some of the country’s most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe," according to U.S. Attorney Damian Williams in his recent statement on the matter. Read more in the full story from The Hacker News to find out more about Schulte, what kinds of tools were leaked, and why the leak is considered "one of the most brazen and damaging acts of espionage in American history."
3. Pro-Russian cybercriminals briefly DDoS Congress.gov by AJ Vicens
A pro-Russian hacking group known as KillNet launched a series of distributed denial of service attacks this past week that resulted in Congress.gov being temporarily unavailable to the public. “The Library of Congress used existing measures to address the attack quickly, resulting in minimal down time,” a spokesperson for the Library of Congress said. “The Library’s network was not compromised and no data was lost as a result of the attack.” Since the Russian invasion of Ukraine, KillNet has also been linked to attacks in Norway and Lithuania.
4. New ‘Luna Moth’ hackers breach orgs via fake subscription renewals by Bill Toulas
A new data extortion group known as Luna Moth has been breaching organizations and stealing corporate data by tricking victims into installing remote access tools (RATs) through callback phishing campaigns. Victims receive emails claiming that a subscription is about to expire and will automatically renew, with a charge, in 24 hours. When the victim calls the phone number in the fake invoice, a scammer walks them through installing a remote access tool on their device, which the group then uses to access the network and exfiltrate data. Read the full story from BleepingComputer to find out what to watch out for in one of Luna Moth’s phishing attacks and which subscription services they may be posing as.
5. Data Breaches Linked to Ransomware Declined in Q2 2022 by Nathan Eddy
The Identity Theft Resource Center’s H1 2022 Data Breach Report indicated that data breaches linked to ransomware attacks declined in Q2 2022. ITRC researchers “believe that the decline in ransomware attacks is due to a combination of factors, including the ongoing conflict in Ukraine and the collapse of cryptocurrencies favored by cybercriminals.” Read the full story from Dark Reading to learn about some of the other findings from the ITRC’s recent report and why the promising data may not last.