
Cobalt Dickens, a threat actor associated with the Iranian government, ran a phishing operation in July and August that targeted more than 60 universities in countries on four continents. Security researchers say that the group's hacking activity has affected at least 380 universities in more than 30 countries, with many of the targets hit multiple times. The latest phishing campaign was directed at organizations in Australia, Hong Kong, the U.S., Canada, the U.K., and Switzerland. It used at least 20 new domain names registered through the Freenom service, which offers free top-level domains (.ml, .ga, .cf, .gq, .tk).

A fraudulent email Cobalt Dickens sent to people with access to the targeted university's library prompts the recipient to reactivate their account by following a spoofed link. Using a spoofed link is a change in the modus operandi, as previous campaigns from the group relied on shortened URLs to direct victims to the fake login page. Following the fake link leads "to a web page that looks identical or similar to the spoofed library resource," say researchers from Secureworks' Counter Threat Unit (CTU). Once the credentials are provided, they are stored in a file named 'pass.txt' and the browser loads the genuine university website. To allay suspicion of fraudulent activity, the threat actor often uses valid TLS certificates for its websites. Most of the certificates observed in this campaign are free ones issued by the Let's Encrypt non-profit certificate authority.

Also known as Silent Librarian, the group focuses on compromising educational institutions, although its victims also include private-sector companies. Its purpose appears to be stealing library account credentials and selling academic resources, as well as access to them, to customers in Iran. Nine individuals believed to have roles in the group's activity were indicted by the US Department of Justice in March 2018 for cyber intrusion activities. It is believed that they were partners of, or hackers for hire for, a company called Mabna Institute that has carried out hacking operations since at least 2013. You can find the complete posting on OUR FORUM.
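The traits the report describes (free Freenom TLDs, hostnames that mimic a genuine library login, and the earlier shortened-URL style) can be turned into a simple link-triage check for reported emails. This is an added example, not code from Secureworks or the original post; the legitimate library hostnames and the sample URLs are constructed.

```python
# Triage of links from phishing reports: flags the traits described above
# (Freenom free TLDs, lookalike library hostnames, and URL shorteners).
# Added example; the legitimate hostnames and sample URLs are constructed.
from urllib.parse import urlsplit

FREENOM_TLDS = {"ml", "ga", "cf", "gq", "tk"}      # free TLDs named in the report
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}      # shortened-link style of earlier campaigns

# Constructed: the real library hosts this organisation expects users to log in to.
LEGIT_LIBRARY_HOSTS = {"library.example-university.edu", "ezproxy.example-university.edu"}

def registered_domain(host):
    """Crude registrable domain: the last two DNS labels (enough for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def triage_url(url):
    """Return the reasons a URL looks like a spoofed library login; [] if none."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["unparseable host"]
    if host in LEGIT_LIBRARY_HOSTS:
        return []
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if tld in FREENOM_TLDS:
        reasons.append(f"free Freenom TLD .{tld}")
    if registered_domain(host) in SHORTENERS:
        reasons.append("URL shortener")
    for legit in {registered_domain(h) for h in LEGIT_LIBRARY_HOSTS}:
        brand = legit.split(".")[0]              # e.g. "example-university"
        if brand in host and registered_domain(host) != legit:
            reasons.append(f"lookalike of {legit}")
            break
    return reasons

def triage_all(urls):
    """Map each flagged URL to its reasons; clean URLs are omitted."""
    return {u: r for u in urls if (r := triage_url(u))}

# Constructed sample links, as they might be extracted from reported emails.
SAMPLE_URLS = [
    "https://library.example-university.edu/login",        # genuine
    "https://library.example-university.edu.ml/login",     # spoof on a Freenom TLD
    "http://example-university-lib.tk/reactivate",         # spoof with a different host shape
    "https://bit.ly/constructed123",                       # earlier style: shortened link
    "https://docs.python.org/3/",                          # unrelated, benign
]

if __name__ == "__main__":
    for url, reasons in triage_all(SAMPLE_URLS).items():
        print(url, "->", "; ".join(reasons))
```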

Attackers can use genuine binaries from Microsoft Teams to execute a malicious payload using a mock installation folder for the collaboration software. The problem affects most Windows desktop apps that use the Squirrel installation and update framework, which uses NuGet packages. A list of impacted products, as tested by the security researcher who made the discovery, includes WhatsApp, Grammarly, GitHub, Slack, and Discord. Reverse engineer Reegun Richard found that he could create a fake Microsoft Teams package and use a signed binary to execute anything present in a specific location. One notable aspect of the experiment is that no resources are required on the target system other than the minimal package created by the attacker. The researcher found that the genuine 'Update.exe' file and two folders, 'current' and 'packages', all part of a normal Microsoft Teams installation, are sufficient to launch malware on the system that inherits the trust of the signed executable, allowing some defense mechanisms to be defeated. It appears that the 'Update' executable blindly deploys anything that is present in the 'current' folder. The 'packages' location needs to have a 'RELEASES' file, although it does not have to be valid: "It just needs the format 'SHA1 filename size'." Microsoft is aware of the problem but decided not to address it. The researcher says that the reason the company gave him was that the glitch "did not meet the bar of security issue." The researcher explains that not all NuGet packages are vulnerable, but all apps relying on the Squirrel one-click installer are. More details can be found on OUR FORUM.
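Because the write-up says the 'RELEASES' file only has to be well-formed, not truthful, a defender can audit a Squirrel-style folder by checking whether each 'SHA1 filename size' entry actually describes a package present in 'packages'. This is an added example, not the researcher's code or Squirrel's own logic; the folder it builds for the demo is constructed and uses an empty stand-in for 'Update.exe'.

```python
# Audits a Squirrel-style folder (Update.exe, 'current', 'packages\RELEASES') for the
# mock-install pattern above: a well-formed RELEASES file that does not describe the
# packages actually present. Added example, not the researcher's code; paths are constructed.
import hashlib, os, re, tempfile

# One RELEASES line per package: "<SHA1> <filename> <size>", as quoted in the write-up.
RELEASES_LINE = re.compile(r"^([0-9A-Fa-f]{40})\s+(\S+)\s+(\d+)\s*$")

def parse_releases(text):
    """Return (entries, bad_lines); entries are (sha1, filename, size) tuples."""
    entries, bad = [], []
    for line in filter(str.strip, text.splitlines()):
        m = RELEASES_LINE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2), int(m.group(3))))
        else:
            bad.append(line)
    return entries, bad

def audit_install(root):
    """Return a list of findings for a folder laid out like a Squirrel install."""
    packages = os.path.join(root, "packages")
    releases = os.path.join(packages, "RELEASES")
    if not os.path.isfile(os.path.join(root, "Update.exe")):
        return ["no Update.exe: not a Squirrel layout"]
    if not os.path.isfile(releases):
        return ["Update.exe present but packages/RELEASES missing"]
    with open(releases, encoding="utf-8", errors="replace") as f:
        entries, bad = parse_releases(f.read())
    findings = [f"malformed RELEASES line: {b!r}" for b in bad]
    for sha1, name, size in entries:
        path = os.path.join(packages, name)
        if not os.path.isfile(path):
            findings.append(f"RELEASES names missing package {name}")
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != size or hashlib.sha1(data).hexdigest() != sha1:
            findings.append(f"package {name} does not match its RELEASES entry")
    return findings

def demo_mock_folder():
    """Constructed mock folder: genuine-looking layout, RELEASES entry with no package behind it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "current"))
    os.makedirs(os.path.join(root, "packages"))
    open(os.path.join(root, "Update.exe"), "wb").close()        # empty stand-in, not the real binary
    with open(os.path.join(root, "packages", "RELEASES"), "w") as f:
        f.write("0" * 40 + " Teams-1.0.0-full.nupkg 12345\n")   # well-formed but fake, as described
    return audit_install(root)
```

A non-empty result from audit_install on a folder that contains a signed 'Update.exe' is the signal worth alerting on; a genuine installation's entries verify cleanly.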

On Monday, 50 attorneys general from US states and territories signed onto an antitrust investigation into Google, placing even more pressure on the major tech firms that are already facing intense scrutiny over their market dominance from the government. The probe, led by Republican Attorney General Ken Paxton from Texas, will focus primarily on Google’s advertising and search businesses. But in remarks given Monday, the attorneys general suggested that they may expand the investigation later. California and Alabama are the only two state attorneys general staying out of the probe. At Monday’s press conference in front of the Supreme Court, Paxton said that Google “dominates all aspects of advertising on the internet and searching on the internet,” The Washington Post reported. “We applaud the 50 state attorneys general for taking this unprecedented stand against Big Tech by uniting to investigate Google’s destruction of competition in search and advertising,” the Open Markets Institute said in a statement. “We haven’t seen a major monopolization case against a tech giant since Microsoft was sued in 1998. Today’s announcement marks the start of a new era.” Running parallel to the states’ investigation, the Justice Department and Federal Trade Commission are also probing the companies out of concerns they may be stifling competition in the industry. In its last quarterly earnings, Facebook disclosed that the FTC had opened an antitrust investigation into the company in June. Follow this on OUR FORUM.