Traditional phishing links lead to registered domains that hosting providers provide. This poses a challenge to threat actors as, normally, hosting providers will respond to complaints and actively take down phishing sites. To combat this some threat actors are now combining the use of reverse tunnel services and URL shorteners to bypass detection and response capabilities.
Reverse tunnels allow threat actors to host phishing pages on their local computers and route connections through external services. Additional URL shortening services can allow for rapid generation of new links to obscure the activity and bypass detection. Some phishing links are even being refreshed in less than 24 hours. CloudSEK, a digital risk protection company, has identified the most widely abused reverse tunnel services to be Ngrok, LocalhostRun, and Cloudflare’s Argo; along with that they have identified Bit.ly, is.gd, and cut.ly as the primary URL shortening services.
(image source: CloudSEK)
As these malicious sites are hosted directly on threat actor-owned computers, victim data is immediately stored and no longer requires exfiltration from the domain. Most of these sites are impersonating banking organizations and attempt to steal credentials, PAN card numbers, unique identification numbers, and mobile phone numbers. This information can then be sold on the dark web for other threat actors to initiate different attacks.
Conduct Regular Social Engineering Testing
When it comes to security, employees are not unlike servers: they require constant ‘patching’ (security awareness training) and ‘updates’ (security reminders) in conjunction with regular testing in order to reduce vulnerabilities and susceptibility to exploitation. Therefore, all personnel should continue to undergo regular awareness training and testing. Seek to pair testing services chronologically with training services in order to have the greatest effect on increasing awareness and reducing susceptibility to social engineering attacks.
Conduct Security Awareness Training
Without proper cybersecurity awareness training, you can’t trust that employees are up to date on the latest cyber risks and how stay protected. Awareness is as much about psychology as security. It is important to provide a complete suite of education, training, testing and measurement services which are all designed to change behaviors and reduce risk.
On June 1, 2022, GitLab Enterprise Edition (EE) 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1 are affected by an account take over vulnerability tracked as CVE-2022-1680. The vulnerability was discovered by the internal GitLab team and no exploitation has been observed.
Any owner of a Premium group can invite users through their username and email and then change those users’ email addresses via SCIM to take over the accounts. This can occur in the absence of multifactor authentication and when group SAML SSO is configured.
Short Term:
GitLab has fixed CVE-2022-1680 in the latest version and all installations running an affected version should be updated as soon as possible.
Long Term:
Consider a Cloud Security Assessment
As organizations continue to move infrastructure, services, applications and other critical data stores from on-premises networks to public or private cloud environments, there’s an immediate need for more robust security solutions. It’s crucial not to assume the transition to cloud platforms is secure by default. Organizations should also consider that not all legacy cybersecurity tools can transition seamlessly into virtualized Cloud environments.
Be sure to examine cloud and related elements to ensure that organizations don’t rely on default or typical security settings to protect critical data. Rely on quality assessments to help you align with best practices and strike the ideal balance between operation and security.
Sources
https://securityonline.info/cve-2022-1680-gitlab-account-take-over-vulnerability/
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html
Brian Krebs recently published a review of the US Department of Justice’s recent policy revision on charging violations of the Computer Fraud and Abuse Act of 1986 (!), which stand as the primary statute used in cybercrime cases. Recent changes aim to define what sort of violations are cybercrime, distinct from efforts performed in “good faith” such as security research or investigation to detect and report vulnerabilities.
It is important to note that this is just a change in interpretation and enforcement by the current DOK, and it underlines the need for changes, updates, and creation of modern laws concerning cybersecurity practitioners and the industry at large. Several notable cases of corporations and municipals entities regarding “friendly” cybersecurity experts as hostile and/or malicious, even when they’ve been contractually engaged to test the security posture of the organization.
Notices or submission of issues are ignored until they are exploited by malicious actors, at which point the organization seeks a scapegoat in the form of the researcher who tried responsibly disclosing an issue and, likely, had no part in the later compromise, even from an informational standpoint.
There is also some uncertainty in the new policy about provisions concerning preventing harm to third parties. Also keep in mind that a policy does nothing to protect a cybersecurity practitioner from civil suits. While the new policy is a step in the right direction, new laws must be formulated to protect and encourage well-meaning cybersecurity researchers and white hat activists, while shifting the advantage away from cybercriminals.
Sources
https://krebsonsecurity.com/2022/06/what-counts-as-good-faith-security-research/
For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.
For non-strategic clients, please reach out to your Advisor for further discussion.
800-403-8350Our Computer Incident Response Teams (CIRTs) have responded to hundreds of breaches, intrusions, malware infections, thefts, employee investigations, fraud cases and other incidents. Our highly-certified experts have extensive experience in command, coordination and correction of incidents in nearly every industry throughout North America, from local businesses to Fortune 500 international conglomerates.
800-403-8350