1. Linux environment under cybersecurity attack
- Threat actors are continually leveraging file-less malware installation techniques to target Linux-based systems and evade cybersecurity threat detection tools.
- According to cybersecurity researchers, a variant of RansomEXX designed specifically for Linux-based systems is targeting victims’ computers by encrypting user files with a 256-bit key.
- Additionally, threat actors have been seen targeting PostgreSQL databases running on Linux machines to conscript them into botnets used for illicit activities, including the mining of Monero cryptocurrency.
SME Comments: With an operating system market share of less than 1% worldwide, Linux has long been regarded as an impregnable operating system (OS). However, today’s cybercriminals no longer consider Linux machines a significant hindrance in their attack chain, mainly because disk I/O operations are bypassed and the malware payload is executed directly in memory.
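To show the defender's side of the in-memory execution described in the SME comment, here is an added example (not from the article or the researchers it cites) that flags running processes whose executable is memory-resident rather than a file on disk. The heuristics, the `/proc` walk and the sample process snapshot are assumptions and constructed data.

```python
import os

TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/")

def classify_exe(exe_target):
    # Assumed heuristics for a process image that never went through disk I/O:
    # memfd_create() executables show as "/memfd:<name> (deleted)", a payload
    # unlinked after launch keeps a "(deleted)" suffix, and tmpfs paths are RAM-backed.
    if exe_target.startswith("/memfd:"):
        return "memfd-backed executable"
    if exe_target.endswith(" (deleted)"):
        return "executable unlinked after start"
    if exe_target.startswith(TMPFS_PREFIXES):
        return "executable loaded from tmpfs"
    return None

def find_fileless(snapshot):
    # snapshot: {pid: {"exe": readlink target of /proc/<pid>/exe, "cmdline": str}}
    findings = []
    for pid, info in snapshot.items():
        reason = classify_exe(info["exe"])
        if reason:
            findings.append({"pid": pid, "cmdline": info["cmdline"], "reason": reason})
    return findings

def snapshot_proc():
    # Builds the same structure from a live /proc (Linux only; other users' processes
    # need root to readlink). Kernel threads and exited processes are skipped.
    snap = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        snap[pid] = {"exe": exe, "cmdline": cmdline}
    return snap

# Constructed sample snapshot, not taken from a real host.
SAMPLE_SNAPSHOT = {
    "1":    {"exe": "/usr/lib/systemd/systemd", "cmdline": "/sbin/init"},
    "2310": {"exe": "/memfd:kworker (deleted)", "cmdline": "kworker/0:1"},
    "2441": {"exe": "/tmp/.x/update (deleted)", "cmdline": "./update --silent"},
    "2500": {"exe": "/usr/bin/postgres", "cmdline": "postgres: writer"},
}

if __name__ == "__main__":
    live = snapshot_proc() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for finding in find_fileless(live):
        print(finding)
```

A legitimate process can also match (some runtimes use memfd on purpose), so treat hits as triage leads to correlate with the command line and network activity rather than as verdicts.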
2. Phishing attacks using remotely hosted images to bypass email filters
- Cybersecurity incident responders discovered that attackers use remote images of popular brand logos to bypass email filters in a sophisticated phishing technique. Unlike embedded email images, which email filters can analyze in near real time, remote images are hosted on the web and must be fetched before security analysis tools can inspect them.
- The aim of this phishing technique is to overwhelm intelligent detection systems with remotely hosted images that evade reputation-based detection mechanisms.
- In this malicious campaign, threat actors leverage ‘cloaking’ techniques to obfuscate and deliver malicious content to intended targets while avoiding malware analysis tools.
SME Comments: In the past, threat actors have used embedded images of well-recognized brands in email messages to build a sense of legitimacy. However, this new technique of using remotely hosted images within email phishing campaigns appears to exhaust intelligent systems and take advantage of loopholes in behavior-based detection systems. Until new corrective measures are developed, this type of phishing technique is best mitigated via proper user training.
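As an added example (not from the article or the responders it quotes), the following Python triage function separates remote `<img>` references, which must be fetched before a filter can inspect them, from embedded `cid:`/`data:` images, and queues a body that is mostly remote images with little scannable text. The text-length threshold and the sample message body are assumptions and constructed data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}

class ImgCollector(HTMLParser):
    # Collects every <img src> value and counts visible (non-whitespace) text.
    def __init__(self):
        super().__init__()
        self.srcs, self.text_chars = [], 0

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "img" else None
        if src:
            self.srcs.append(src.strip())

    def handle_data(self, data):
        self.text_chars += len(data.strip())

def is_remote(src):
    # http/https and protocol-relative (//host/...) references are fetched from the
    # web at render time; cid:/data: images travel inside the message itself.
    u = urlparse(src)
    return u.scheme.lower() in REMOTE_SCHEMES or (not u.scheme and src.startswith("//"))

def triage(html, min_text=200):
    # min_text is an assumed threshold: a body that carries its "content" mostly as
    # remote images, with little text a filter can scan in place, is queued for review.
    p = ImgCollector()
    p.feed(html)
    p.close()
    remote = [s for s in p.srcs if is_remote(s)]
    return {
        "remote": remote,
        "embedded": [s for s in p.srcs if not is_remote(s)],
        "remote_hosts": sorted({urlparse(s).hostname for s in remote}),
        "text_chars": p.text_chars,
        "suspicious": bool(remote) and p.text_chars < min_text,
    }

# Constructed sample body: an external "brand logo", one embedded footer, little text.
SAMPLE = """<html><body>
<img src="https://cdn.example.invalid/brand-logo.png">
<p>Your account needs attention. <a href="https://login.example.invalid/">Sign in</a></p>
<img src="cid:footer@example">
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `remote_hosts` list is what a mail gateway would hand to a sandboxed fetcher or a domain-reputation lookup; the classification itself never contacts the remote host.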
3. CISA: Hackers bypassed MFA to access cloud service accounts
- The Cybersecurity and Infrastructure Security Agency (CISA) reports that threat actors employed a combination of attack methodologies, including phishing, ‘pass-the-cookie’ attacks, and brute-force login attempts, to successfully compromise several cloud infrastructures across the United States.
- Threat actors successfully bypassed multi-factor authentication by using cookies from pre-authenticated sessions against web portals. This technique, known as a ‘pass-the-cookie’ attack, is circulating around critical infrastructure.
- Following credential phishing campaigns targeting employees, as well as the abuse of legitimate file hosting services within trusted architectures, those trusted file hosting services were used as a vector to introduce malicious attachments into secure cloud environments.
- Modified email searches and forwarding rules were used to collect financial and sensitive information from compromised email accounts during these incidents.
SME Comments: CISA’s investigation suggests that users who work from home and use company email addresses on personal devices were the target of these attacks. However, weak security hygiene played a major role in the success of this MFA-bypassing attack. This underscores the importance of robust security awareness training in an organization.
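As an added example (not from the article or CISA’s report), this detection logic runs over constructed sign-in events and flags a session that passed MFA from one client and later reappears from a different IP address or browser, rating it higher when the replayed session also creates a mail forwarding rule. The JSON event format, field names and sample data are assumptions.

```python
import json

HIGH_RISK_EVENTS = {"forwarding_rule_created", "mailbox_search_rule_changed"}

def detect_cookie_replay(lines):
    # The cookie itself never appears in logs; the session id is its server-side
    # handle. A session that passed MFA from one client and later appears from a
    # different IP or user agent is the observable trace of a replayed cookie.
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    origin = {}          # session id -> (ip, ua) seen at MFA success
    findings = {}
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            origin[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in origin or (ev["ip"], ev["ua"]) == origin[sid]:
            continue     # no MFA baseline for this session, or same client as at MFA
        # A replayed session that also tampers with mail rules matches the
        # collection step described in the bullets above, so it is rated higher.
        severity = "high" if ev["event"] in HIGH_RISK_EVENTS else "medium"
        findings.setdefault(sid, []).append({
            "ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "ua": ev["ua"],
            "event": ev["event"], "severity": severity,
        })
    return findings

# Constructed sample events (JSON lines), not real logs: alice's post-MFA session is
# replayed from another client, which then creates a forwarding rule; bob is clean.
SAMPLE_EVENTS = """\
{"ts":"2021-01-13T08:02:11Z","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Firefox/84","event":"mfa_success"}
{"ts":"2021-01-13T08:05:40Z","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Firefox/84","event":"mailbox_read"}
{"ts":"2021-01-13T11:47:03Z","user":"alice","session":"S1","ip":"198.51.100.77","ua":"Chrome/87","event":"mailbox_read"}
{"ts":"2021-01-13T11:48:19Z","user":"alice","session":"S1","ip":"198.51.100.77","ua":"Chrome/87","event":"forwarding_rule_created"}
{"ts":"2021-01-13T09:10:00Z","user":"bob","session":"S2","ip":"203.0.113.22","ua":"Edge/88","event":"mfa_success"}
{"ts":"2021-01-13T09:15:00Z","user":"bob","session":"S2","ip":"203.0.113.22","ua":"Edge/88","event":"mailbox_read"}
"""

if __name__ == "__main__":
    for sid, hits in detect_cookie_replay(SAMPLE_EVENTS.splitlines()).items():
        for hit in hits:
            print(sid, hit)
```

Mobile users roaming between networks will trigger medium findings on IP change alone, so in production the baseline would usually be widened to a network range or device identifier, while the forwarding-rule correlation stays high priority.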
4. New Zealand Reserve Bank breached using bug patched on Xmas Eve
- A critical vulnerability in a legacy file sharing service called ‘File Transfer Application’ was exploited to facilitate a data breach at the Reserve Bank of New Zealand. Attackers moved to exploit said vulnerability the same day it was patched (but in a different time zone).
- Security experts suggested that the window between the patch’s release and its exploitation was too short to apply the patch effectively. The threat actors took advantage of the small gap between testing a new patch and deploying it into a live environment.
- The 20-year-old File Transfer Application, developed by Accellion, was used to transfer and store sensitive banking information over a secure network.
SME Comments: Although a patch was released for this critical vulnerability at the Accellion office in California, their New Zealand location was not able to implement it in time; attackers exploited the 21-hour time difference. Unfortunately, the Christmas holiday break made proper patch implementation much more difficult. The likelihood of this type of incident increases significantly with the public release of critical vulnerabilities, due to factors such as the timing of the patch release and its installation onto user systems.
5. Agencies Propose Faster, Broader Reporting of Financial Cybersecurity Incidents
- A joint proposal by the U.S. Treasury Department’s Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) urged timely reporting of cybersecurity incidents in the financial services sector to federal agencies.
- The majority of critical infrastructure operators are in the private sector, yet current regulations do not set an explicit time limit or scope for reporting security incidents that affect the financial health of the country.
- A timely notification of high profile coordinated attacks at multiple financial services organizations is critical to informing intelligence agencies on the appropriate corrective measures as well as effective guidelines on threat mitigation.
SME Comments: Applicable laws currently provide a vague definition of security incidents within the financial services sector, leaving gray areas in reporting requirements. The new regulation will provide a clear definition of security incidents and impose stricter incident reporting time limits, in line with the severity of the incident.