Daily Archives: November 21, 2020

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.

The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.

And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020.

This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.

“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

In the early morning hours of Nov. 18 Central European Time (CET), cyptocurrency mining service NiceHash disclosed that some of the settings for its domain registration records at GoDaddy were changed without authorization, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for roughly 24 hours until it was able to verify that its domain settings had been changed back to their original settings.

“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security,” the company wrote in a blog post.

NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an Internet address at GoDaddy, and that the attackers tried to use their access to its incoming NiceHash emails to perform password resets on various third-party services, including Slack and Github. But he said GoDaddy was impossible to reach at the time because it was undergoing a widespread system outage in which phone and email systems were unresponsive.

“We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said in an email to this author. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”

Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform run by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service which maps changes to domain name records over time, KrebsOnSecurity instructed the service to show all domains registered at GoDaddy that had alterations to their email records in the past week which pointed them to privateemail.com. Those results were then indexed against the top one million most popular websites according to Alexa.com.

The result shows that several other cryptocurrency platforms also may have been targeted by the same group, including Bibox.com, Celcius.network, and Wirex.app. None of these companies responded to requests for comment.

In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on Nov. 17 was not related to a security incident, but rather a technical issue that materialized during planned network maintenance.

“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.

“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”

Race declined to specify how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the assailants targeted employees over the phone, and were able to read internal notes that GoDaddy employees had left on customer accounts.

What’s more, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests the attackers behind the March incident — and possibly this latest one — succeeded by calling GoDaddy employees and convincing them to use their employee credentials at a fraudulent GoDaddy login page.

In August 2020, KrebsOnSecurity warned about a marked increase in large corporations being targeted in sophisticated voice phishing or “vishing” scams. Experts say the success of these scams has been aided greatly by many employees working remotely thanks to the ongoing Coronavirus pandemic.

A typical vishing scam begins with a series of phone calls to employees working remotely at a targeted organization. The phishers often will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s email or virtual private networking (VPN) technology.

The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools.

An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these vishing attacks compile dossiers on employees at their targeted companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.

The FBI/CISA advisory includes a number of suggestions that companies can implement to help mitigate the threat from vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to
authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify web links do not have misspellings or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

Dutch tech reporter gatecrashes EU defence secret video conference

A Dutch tech reporter gatecrashed a video conference of EU defence ministers after the Dutch minister shared an image on Twitter.

Dutch journalist Daniel Verlaan of RTL Nieuws broke into a secret video conference of EU defence ministers after the Dutch defence minister Ank Bijleveld posted on Twitter an image of the call that accidentally exposed login details.

The tech journalist caught the login credential in the image and used it to join the meeting, the photo contained the login address and part of the PIN code.

“You know that you have been jumping into a secret conference?” EU foreign policy chief Josep Borrell said.

“Yes, yes. I’m sorry. I’m a journalist from the Netherlands. I’m sorry for interrupting your conference,” Mr Verlaan replied, to laughter from officials. “I’ll be leaving here.”

“You know it’s a criminal offence, huh?” Mr Borrell replied. “You’d better sign off quickly before the police arrives.

EU video conference

The meeting was halted due to the intrusion, and the incident was reported to the authorities.

The image shared by the minister only contained part of the PIN code, but after a number of attempts the journalst guessed the secret code.

“In a number of attempts, RTL News managed to guess the pin code of the secret meeting, because five of the six digits of the pin code were visible in the photo.” reported the RTL Nieuws.

“After logging in with the correct pin code, there was no extra security, RTL News was immediately admitted to the meeting and Verlaan has identified himself as a journalist.”

The incident raises serious questions over the security of secret meetings of Government organizations, especially during the COVID-19 pandemic.

A Dutch defence ministry spokesperson admitted the error and defined it as a “stupid mistake”.

“This shows how careful you have to be with these kinds of meetings,” says Prime Minister Mark Rutte. “A meeting of the Ministers of Defense is never innocent. Caution is advised. The only by-product of this is that Bijleveld has pointed out to other ministers how careful you have to be.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Dutch tech reporter gatecrashes EU defence secret video conference appeared first on Security Affairs.

Experts warn of mass-scanning for ENV files left unsecured online

Threat actors are scanning the Internet for ENV files that usually contain API tokens, passwords, and database logins.

Threat actors are scanning the internet for API tokens, passwords, and database logins that are usually used to store ENV files (Environment files) accidentally left exposed online.

Environment files are configuration files that usually contain user environment variables for multiple frameworks and development tools such as Docker, Node.js, Django, and Symfony.

Obviously these files should not be exposed online without any protection.

Upon discovering unprotected ENV files exposed online, threat actors will download them to access their content and us it attacks.

The scanning activities observed by several security experts are likely operated through botnets designed to search for these specific files and gather sensitive information that could be used by threat actors for multiple malicious activities.

Researchers from security firm Greynoise have reported that thousand of IP addresses have been involved in mass scanning operations aimed at discovering ENV files in the last three years. Experts reported that most of the IP addresses are in the United States, followed by Germany and France.

According to Greynoise, more than 1,000 scans have been observed over the past month.

A similar activity was reported by researchers from threat intelligence firm Bad Packets:

The lesson learned is to never expose online ENV files if we don’t want to make a gift to the attackers.

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The post Experts warn of mass-scanning for ENV files left unsecured online appeared first on Security Affairs.

Grelos Skimmer Variant Co-Opts Magecart Infrastructure

Researchers: Skimmer Compromised Website of Boom! Mobile In October
Researchers have identified a fresh variant of the Grelos skimmer that has co-opted the infrastructure that MageCart uses for its own skimming attacks against e-commerce sites, according to RiskIQ. The malware has been found on several small and mid-size e-commerce sites worldwide.

What Is E-PDR (Endpoint Prevention, Detection and Response)?

Cybersecurity evolves with the times and always needs to stay one step ahead of malicious groups that seek to harm organizations and individuals for various benefits. The age of simple protection (such as traditional Antivirus) is long past. In its stead, today, we have E-PDR (Endpoint Prevention, Detection and Response) as the new golden standard […]

The post What Is E-PDR (Endpoint Prevention, Detection and Response)? appeared first on Heimdal Security Blog.

Manchester United hit by ‘sophisticated’ cyber attack

The Manchester United football club has been hit by a cyber attack on their systems, it is not aware of a breach of personal data for his fans.

Manchester United
 disclosed a cyber attack, but according to the football club it is not “currently aware of any breach of personal data associated with our fans and customers”.

The club confirmed the security breach on Friday evening, it shut down its systems to prevent the malware from spreading within.

“Manchester United can confirm that the club has experienced a cyber attack on our systems. The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimise the ongoing IT disruption.” reads a statement issued by the Manchester United and reported by The Guardian.

“Although this is a sophisticated operation by organised cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality. Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.”

“Club media channels, including our website and app, are unaffected and we are not currently aware of any breach of personal data associated with our fans and customers.”

“We are confident that all critical systems required for matches to take place at Old Trafford remain secure and operational and that tomorrow’s game against West Bromwich Albion will go ahead.”

Manchester United

The club notifies the British authotities about the incident, including the Information Commissioner’s Office. The United also launched a forensic investigation into the incident.

“These type of attacks are becoming more and more common and are something you have to rehearse for.” said a spokesman for the club.

Pierluigi Paganini

(SecurityAffairs – hacking, Manchester United)

The post Manchester United hit by ‘sophisticated’ cyber attack appeared first on Security Affairs.

UK reveals new National Cyber Force to improve offensive cyber capabilities

The new National Cyber Force (NCF) is working to improve UK’s offensive cyber capabilities to disrupt adversaries and keep the UK safe.

UK Prime Minister, in a speech on defence spending, announced the GCHQ and Ministry of Defence (MoD) partnership aimed at conducting offensive cyber operations to disrupt hostile nation-state operations, terrorists, and cyber criminal campaigns that are threatening the national security.

The National Cyber Force (NCF) NCF plays a crucial role in enhancing its offensive cyber capabilities.

The UK government has announced a new defence spending of £16.5 billion ($22bn), part of which has been assigned to the creation of the National Cyber Force. The British government also reserved part of the spending for the creation of a Space Command and agency dedicated to AI.

“In recent years, our adversaries have developed and weaponised a myriad of emerging technologies which go beyond the traditional warfighting domains of air, land and sea.” states the UK Government.

“That’s why the Prime Minister has announced a new agency dedicated to developing Artificial Intelligence, the creation of a National Cyber Force and a new ‘Space Command’ that will protect the UK’s interests in space and control the UK’s first satellite launched from a UK rocket by 2022.”

The NCF is composed of personnel from intelligence, cyber and security agency GCHQ, the MoD, the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (Dstl).

“I can announce that we have established a National Cyber Force, combining our intelligence agencies and service personnel, which is already operating in cyberspace against terrorism, organised crime and hostile state activity.” reads Prime Minister Boris Johnson’s statement to the house about the new spending.

NCSC National Cyber Force

Prime Minister Boris Johnson confirmed that the Cyber Force is already operative.

The National Cyber Force will be involved in of cyber operations like:

  • Interfering with a mobile phone to prevent a terrorist from being able to communicate with their contacts;
  • Helping to prevent the internet from being used as a global platform for serious crimes, including sexual abuse of children and fraud; and
  • Keeping UK military aircraft safe from targeting by hostile weapons systems.

“For over a century, GCHQ has worked to keep the UK safe. Cyber security has become an integral part of this mission as we strive to make the UK the safest place to live and do business online. We are a world-leading cyber power.” said Director GCHQ Jeremy Fleming.

“Today the National Cyber Force builds out from that position of defensive strength. It brings together intelligence and defence capabilities to transform the UK’s ability to contest adversaries in cyber space, to protect the country, its people and our way of life. Working in close partnership with law enforcement and international partners, the National Cyber Force operates in a legal, ethical and proportionate way to help defend the nation and counter the full range of national security threats.”

The Prime Minister claims that the injection of £16.5 billion over four years is the biggest investment in the UK’s Armed Forces since the end of the Cold War.

Pierluigi Paganini

(SecurityAffairs – hacking, National Cyber Force)

The post UK reveals new National Cyber Force to improve offensive cyber capabilities appeared first on Security Affairs.