Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars, FBI warns

The Federal Bureau of Investigation (FBI) issued an announcement to inform mobile carriers and the public of the increasing use of Subscriber Identity Module (SIM) swapping by criminals to steal money. From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of about $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million.

SIM swapping is a malicious technique where cyber criminals target mobile carriers to gain access to victims’ bank accounts and virtual currency accounts. Criminal actors conduct SIM swap schemes using social engineering, insider threat, or phishing techniques:

  • Social engineering: Cyber criminals impersonate a victim to trick the mobile carrier into switching the victim’s mobile number to a SIM card in the criminal’s possession.
  • Insider threat: Cyber criminals pay off a mobile carrier employee to switch a victim’s mobile number to a SIM card in the criminal’s possession.
  • Phishing: Cyber criminals deceive mobile carrier employees into downloading malware used to hack the mobile carrier systems that handle SIM swaps.

“Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number. Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim’s number, now owned by the criminal, to access accounts. The criminal uses the codes to login and reset passwords, gaining control of online accounts associated with the victim’s phone profile.”

The FBI recommends individuals take the following precautions:

  • Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
  • Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
  • Avoid posting personal information online, such as mobile phone number, address, or other personal identifying information.
  • Use unique passwords for each online account.
  • Be aware of any changes in SMS-based connectivity.
  • Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
  • Do not store passwords, usernames, or other information for easy login on mobile device applications.
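The quoted FBI text explains why SMS-based codes fail once a number is swapped: the code travels over the channel the criminal now controls. The last recommendation above, a standalone authentication application, works differently, and the following added example (not part of the FBI announcement) shows why in working code: an RFC 6238 time-based one-time password is computed from a secret provisioned once into the app, so nothing is sent to the phone number at login. The verifier also handles the two details a practitioner needs, clock drift and replay of a captured code. The secret is the RFC 6238 reference-vector secret; the account and issuer names in the provisioning URI are hypothetical.

```python
"""Time-based one-time passwords (RFC 6238) verified server-side.

Added example (not from the FBI announcement): the shared secret is
provisioned once into an authenticator app and never transits the
mobile network, so a SIM swap gives the attacker nothing to intercept.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample secret: the RFC 6238 reference-vector secret (ASCII).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, for_time: int, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or below `last_used_counter` so a code captured once
    cannot be replayed inside its validity window.
    """
    current = for_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, the content of the enrolment QR code (names are hypothetical)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print("enrol:", provisioning_uri(SAMPLE_SECRET, "alice@example.com", "ExampleBank"))
    print("current code:", code, "accepted at counter:", verify_totp(SAMPLE_SECRET, code, now))
```

The server stores the counter returned by `verify_totp` against the account and passes it back as `last_used_counter` on the next attempt; that is what turns a 30-second code into a single-use one.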

Read more about it here.

Microsoft blocked tens of billions of brute-force and phishing attacks in 2021

Office 365 and Azure Active Directory (Azure AD) customers were the targets of tens of billions of phishing emails and brute force attacks that Microsoft successfully blocked in 2021.

“From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365,” said Vasu Jakkal, Corporate Vice President for Security, Compliance and Identity at Microsoft.

“Strong identity authentication, such as multifactor authentication (MFA) and passwordless solutions would make it a lot harder for threat actors to brute force their way into their targets’ Microsoft accounts,” Jakkal added.

“Across industries, only 22 percent of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021,” Jakkal said.

Microsoft introduced Cyber Signals, a cyber threat intelligence brief informed by the latest Microsoft threat data and research.

Cyber Signals will provide trend analysis and practical guidance to strengthen the defense of its customers.

Read more about it here.

Microsoft mitigated a record 3.47 Tbps DDoS attack

Microsoft says it encountered and successfully mitigated the largest Distributed Denial of Service (DDoS) attack on record in November 2021, when an adversary tried to take down a customer’s Azure services.

The incident involved an unnamed customer in Asia, who uses Microsoft’s Azure cloud computing service. The hacker harnessed 10,000 computers across the globe, including in the US, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan, to generate a massive 3.47 Tbps DDoS attack, at a packet rate of 340 million packets per second (pps). The attack lasted for 15 minutes.

“Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak”, Microsoft added.
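Each vector Microsoft names is a UDP service that answers a small spoofed request with a larger reply, so the victim sees traffic arriving from the service's well-known port (SSDP 1900, CLDAP 389, DNS 53, NTP 123) aimed at a port where no UDP service listens. That shape is what a defender can key on. The following added example, not Microsoft's code or data, runs that check over constructed flow records: it groups UDP flows by victim and reflector port and alerts when both the aggregate packet rate and the number of distinct reflectors exceed thresholds. The record format, thresholds and RFC 5737 test addresses are assumptions.

```python
"""Flag UDP reflection floods in flow records (added example; constructed data).

Not Microsoft's code or data. The reflector services named in the Azure
report are mapped to their well-known UDP source ports; everything else
(record format, thresholds, addresses from RFC 5737 test ranges) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Reflection vectors named in the report and the UDP port each service answers from.
REFLECTOR_PORTS = {1900: "SSDP", 389: "CLDAP", 53: "DNS", 123: "NTP"}


@dataclass
class Flow:
    ts: float        # seconds since capture start
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int


def build_sample_flows() -> List[Flow]:
    """Constructed sample: an SSDP+NTP reflection flood against 192.0.2.10:80,
    plus ordinary DNS answers and a TCP session that must not be flagged."""
    flows = []
    for i in range(1, 201):  # 200 abused SSDP responders
        flows.append(Flow(i * 0.05, "UDP", f"198.51.100.{i}", 1900, "192.0.2.10", 80, 5000))
    for i in range(1, 101):  # 100 abused NTP servers, same peak
        flows.append(Flow(i * 0.1, "UDP", f"203.0.113.{i}", 123, "192.0.2.10", 80, 3000))
    flows.append(Flow(0.0, "UDP", "203.0.113.53", 53, "192.0.2.10", 40000, 20))   # legitimate resolver
    flows.append(Flow(5.0, "UDP", "203.0.113.53", 53, "192.0.2.10", 40001, 20))
    flows.append(Flow(1.0, "TCP", "198.51.100.250", 443, "192.0.2.10", 51000, 900))  # ignored: not UDP
    return flows


def detect_reflection(flows: List[Flow], min_pps: float = 1000.0, min_sources: int = 50) -> List[Dict]:
    """Group UDP flows by (victim, victim port, reflector port); alert when the
    aggregate packet rate and the number of distinct reflectors both exceed thresholds."""
    agg = defaultdict(lambda: {"packets": 0, "sources": set(), "t0": None, "t1": None})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        a = agg[(f.dst_ip, f.dst_port, f.src_port)]
        a["packets"] += f.packets
        a["sources"].add(f.src_ip)
        a["t0"] = f.ts if a["t0"] is None else min(a["t0"], f.ts)
        a["t1"] = f.ts if a["t1"] is None else max(a["t1"], f.ts)
    alerts = []
    for (dst_ip, dst_port, sport), a in agg.items():
        duration = max(a["t1"] - a["t0"], 1.0)  # avoid dividing by a zero-length burst
        pps = a["packets"] / duration
        if pps >= min_pps and len(a["sources"]) >= min_sources:
            alerts.append({"victim": f"{dst_ip}:{dst_port}", "vector": REFLECTOR_PORTS[sport],
                           "reflector_port": sport, "sources": len(a["sources"]), "pps": round(pps)})
    return sorted(alerts, key=lambda x: x["pps"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(build_sample_flows()):
        print(alert)
```

The two-condition rule matters: a single busy resolver answering on port 53 is normal, and a few spoofed packets from many hosts are noise; an alert needs both volume and breadth. The alert's `reflector_port` is the field a mitigation would act on, since dropping inbound UDP from those source ports towards a web front end costs nothing legitimate.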

The amount of traffic exceeded that of two other DDoS attacks that occurred in December 2021, both in Asia. One was over 2.5 Tbps, and the other was 3.25 Tbps.

Microsoft seems to have defended against all of these attacks without incident.

Read more about it here.

Google Docs commenting feature exploited for phishing

Researchers from security firm Avanan uncovered in December 2020 a phishing campaign with a new technique that abuses the commenting feature of Google Docs to send out malicious emails. Google Docs is used by many users working or collaborating remotely, so most recipients of these emails are familiar with these Google notifications.

Hackers use their Google account to create a Google Document, and then add a comment to it, mentioning the target with an @. Google then sends an email notification to the target’s inbox, informing them that another user has commented on a document and mentioned them. The comment on the email notification can contain malicious links that lead to a malicious or phishing web site. The phishing emails bypass email security checkpoints, because they are coming from a trusted source, Google. To make matters worse, the hackers’ email address isn’t shown in the email notification, and the recipient only sees a name. This makes impersonation very easy, and raises the chances of success for the hackers.

The researchers reported the same outcome when attempting to exploit Google Slides, Google Suite’s presentation app.

What users can do:

  • Avoid clicking on links that arrive via email and are embedded on comments
  • Confirm that the sender’s email address matches your colleague’s (or claimed person)
  • If unsure, reach out to the sender and confirm they meant to send that document
  • Deploy additional security measures that apply stricter file sharing rules on Google Suite
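Because the notification genuinely comes from Google, sender checks such as SPF and DKIM pass and the filter has to look at the comment text itself. The following added example (not Avanan's or Google's code) does the content check for a mail gateway: it parses a constructed comment-mention notification, extracts every URL from the body, unwraps Google's `https://www.google.com/url?q=` redirector so the real destination is compared rather than the wrapper (an assumption about the wrapper format), and holds the message when any link leaves `google.com`. The sender address, document ID and `example.net` destination are constructed.

```python
"""Inspect a Google Docs comment notification for links that leave Google.

Added example, not Avanan's or Google's code. The sender address, redirector
format and message bodies are constructed for illustration.
"""
import email
import re
from email import policy
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample: what a comment-mention notification looks like to a mail filter.
# The sender really is Google, so SPF/DKIM pass; the risk is in the comment text.
SAMPLE_PHISH = (
    "From: \"Alex (Google Docs)\" <comments-noreply@docs.google.com>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Alex mentioned you in a comment\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Alex added a comment in \"Q4 Invoice\":\r\n"
    "@victim@example.com please review the updated invoice here:\r\n"
    "https://www.google.com/url?q=https://example.net/invoice-login&sa=D\r\n"
    "Open: https://docs.google.com/document/d/CONSTRUCTED_DOC_ID/edit\r\n"
)

SAMPLE_BENIGN = (
    "From: \"Dana (Google Docs)\" <comments-noreply@docs.google.com>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Dana mentioned you in a comment\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Dana added a comment in \"Roadmap\": @victim@example.com can you check section 3?\r\n"
    "Open: https://docs.google.com/document/d/CONSTRUCTED_DOC_ID/edit\r\n"
)


def unwrap_google_redirect(url: str) -> str:
    """Google wraps outbound links as https://www.google.com/url?q=<target>;
    compare the real target, not the wrapper (assumption about the wrapper format)."""
    p = urlparse(url)
    if p.hostname in ("www.google.com", "google.com") and p.path == "/url":
        target = parse_qs(p.query).get("q")
        if target:
            return target[0]
    return url


def is_google_host(host) -> bool:
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def analyze_notification(raw: str) -> Dict:
    """Parse the message, pull every URL out of the comment body, unwrap redirects,
    and report any link whose final host is outside google.com."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    links: List[str] = [unwrap_google_redirect(u) for u in URL_RE.findall(body)]
    external = [u for u in links if not is_google_host(urlparse(u).hostname)]
    return {
        "sender": str(msg["From"]),
        "links": links,
        "external_links": external,
        "verdict": "hold for review" if external else "deliver",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(analyze_notification(sample))
```

Note what the check does not rely on: the commenter's name. As the article points out, the notification shows only a display name, so a name-based rule would be impersonation-prone; the destination host of each link is the one thing the attacker cannot make look like Google.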

Read more about it here.

FTC warns of legal action against companies failing to remediate Log4j

The US Federal Trade Commission issued a warning that it will take legal action against companies that fail to remediate the recent Log4j vulnerability.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The post adds: “According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers… The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

The FTC recommends companies use the Cybersecurity and Infrastructure Security Agency (CISA) guidance, and:

  • Update the Log4j software package to the most current version found here.
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

Read more about it here.

CISA and CrowdStrike release Log4j scanners

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of an open-source scanner for identifying web services impacted by Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

CISA said it modified a Log4j scanner created by security company FullHunt, with the help of other researchers like Philipp Klaus, Andrei Fokau, and Moritz Bechler.

This Log4j scanner provided by CISA implements the following features:

  • Support for lists of URLs
  • Support for DNS callback for vulnerability discovery and validation
  • Fuzzing for more than 60 HTTP request headers
  • Fuzzing for HTTP POST Data parameters
  • Fuzzing for JSON data parameters
  • WAF Bypass payloads

Similarly, US cybersecurity company CrowdStrike released its own free Log4j scanner called the CrowdStrike Archive Scan Tool, or “CAST”.

Read more about it here.

Apache Log4j vulnerability actively exploited, impacting millions of Java-based apps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a “severe risk” warning for an Apache software vulnerability, known as CVE-2021-44228. The vulnerability affects a Java logging package known as Log4j. CVE-2021-44228 allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2.

A proof-of-concept exploit for the vulnerability was published on December 9, 2021. Cyber attacks started immediately after, making it a zero-day vulnerability.

Log4j releases 2.15.0 or 2.16.0 fix the issue and should be applied to systems affected by this vulnerability.
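The two Log4j items above describe two ways to find affected systems: the CISA scanner probes running web services from the outside, while CrowdStrike's CAST looks inside archives on disk. The added example below, which is neither CISA's scanner nor CAST, takes the second, defender-side approach and is the one most organisations need first: it walks a directory tree, opens every JAR/WAR/EAR, recurses into archives bundled inside them, reads the version from the Maven `pom.properties` that `log4j-core` ships with, and reports anything below the fixed release the page names (2.15.0, held in `MIN_FIXED` so it can be raised). Where a shaded build has dropped `pom.properties`, the presence of `JndiLookup.class` is reported as a signal with the version unknown. The fixture it scans is constructed in a temporary directory.

```python
"""Inventory Log4j versions inside JAR/WAR/EAR archives, including nested ones.

Added example, not CISA's scanner or CrowdStrike's CAST. It checks files on disk
rather than sending requests, and reads the version from the Maven pom.properties
that log4j-core ships with. The fixed-version threshold follows the page (2.15.0).
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MIN_FIXED = (2, 15, 0)  # first fixed release named on the page; raise as guidance changes


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' also sort below the fix."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])


def scan_archive(zf: zipfile.ZipFile, path: str, findings: List[Dict],
                 depth: int = 0, max_depth: int = 3) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        status = "patched" if m and parse_version(version) >= MIN_FIXED else "vulnerable"
        findings.append({"path": path, "version": version, "status": status})
    elif JNDI_CLASS in names:
        # Shaded/repackaged builds drop pom.properties; the lookup class alone is a signal.
        findings.append({"path": path, "version": "unknown", "status": "jndi_lookup_present"})
    if depth >= max_depth:
        return
    for name in names:  # recurse into archives bundled inside this one (WAR -> WEB-INF/lib/*.jar)
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                scan_archive(inner, f"{path}!{name}", findings, depth + 1, max_depth)


def scan_tree(root: str) -> List[Dict]:
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    scan_archive(zf, full, findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["path"])


def _make_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed fixture: a WAR bundling log4j-core 2.14.1 and a standalone 2.16.0 jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    old = _make_zip({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b""})
    new = _make_zip({POM_PROPS: b"version=2.16.0\n"})
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(_make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/web.xml": b"<web-app/>"}))
    with open(os.path.join(root, "lib", "log4j-core-2.16.0.jar"), "wb") as f:
        f.write(new)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against an application server's deployment directory rather than the sample tree to get the inventory the FTC item above expects a company to have; the nested-archive recursion is what makes the difference, since a vulnerable `log4j-core` is usually buried inside a WAR or an uber-JAR rather than lying loose on disk.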

Read more about it here.

Colorado energy company loses 20 – 25 years of data after cyberattack

Delta-Montrose Electric Association, a local electric cooperative serving western Colorado counties Delta and Montrose, said a cyberattack first detected on November 7, 2021 has disabled its billing systems and wiped out 20 to 25 years’ worth of historic data.

The attack affected the company’s phone, email, billing, and customer account systems, but DMEA said the power grid and fiber network were not touched during the attack.

“DMEA discovered a targeted effort to access portions of our internal network system by an unauthorized third party. As a result, DMEA lost 90% of internal network functions, and a good portion of our data, such as saved documents, spreadsheets, and forms, was corrupted. It also impacted our phones and emails. Our power grid and fiber network remain unaffected by the incident,” said the company statement on its website.

The company expects member billing to be restored during the week of December 6 – 10, 2021.

DMEA has suspended all penalty fees and disconnections for non-payment through January 31, 2022.

Read more about it here.

GoDaddy data breach affected 1.2 million WordPress accounts

GoDaddy is an American publicly traded web hosting company and the largest domain registrar in the world.

On November 17, 2021, it discovered unauthorized third-party access to its Managed WordPress hosting environment.

Using a compromised password, an unauthorized third party accessed the provisioning system in GoDaddy’s legacy code base for Managed WordPress. “Upon identifying this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information”, said Demetrius Comes, GoDaddy’s Chief Information Security Officer. He continues:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
  • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
  • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Various subsidiaries that resell GoDaddy Managed WordPress were also affected.

Read more about it here.

Costco discloses data breach compromising customers’ payment information

Costco is an American multinational retail giant that operates a large chain of membership-only retail stores, the fifth-largest retailer worldwide, and the tenth-largest corporation in the US by total revenue according to Fortune 500 rankings. As of March 2021, Costco had 804 stores worldwide, of which 558 are in the US.

Earlier in November 2021, Costco Wholesale Corporation notified its customers of a data breach that may have exposed their payment card information. The potential compromise originated from a credit card skimmer that cyber criminals had installed on a payment terminal at one of Costco’s stores. Costco indicated that once the skimming device was discovered by its personnel, it removed the device and contacted law enforcement agencies to expedite investigations.

“We recently discovered a payment card skimming device at a Costco warehouse you recently visited,” said the letter sent to affected customers. “Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating.” The letter continued: “If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV.”

The retailer advised the customers to monitor their bank and credit card statements for fraudulent activities.

The company did not disclose the number of affected customers.

Read more about it here.