Category Archives: News

Don’t Let Your Domain Name Become a “Sitting Duck”


More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.


Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses.

When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain.

But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about the domain and can’t resolve queries to find it. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing.

The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain without accessing the true owner’s account at their DNS provider or registrar.

If this threat sounds familiar, that’s because it is hardly new. Back in 2019, KrebsOnSecurity wrote about thieves employing this method to seize control over thousands of domains registered at GoDaddy, and using those to send bomb threats and sextortion emails (GoDaddy says they fixed that weakness in their systems not long after that 2019 story).

In the 2019 campaign, the spammers took over vulnerable domains simply by registering a free account at GoDaddy and being assigned the same DNS servers as the hijacked domain.

Three years before that, the same pervasive weakness was described in a blog post by security researcher Matthew Bryant, who showed how one could commandeer at least 120,000 domains via DNS weaknesses at some of the world’s largest hosting providers.

Incredibly, new research jointly released today by security experts at Infoblox and Eclypsium finds this same authentication weakness is still present at a number of large hosting and DNS providers.

“It’s easy to exploit, very hard to detect, and it’s entirely preventable,” said Dave Mitchell, principal threat researcher at Infoblox. “Free services make it easier [to exploit] at scale. And the bulk of these are at a handful of DNS providers.”

SITTING DUCKS

Infoblox’s report found there are multiple cybercriminal groups abusing these stolen domains as a globally dispersed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishing websites.

Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains, as we saw in 2019 with the GoDaddy attacks.

“Hijacked domains have been used directly in phishing attacks and scams, as well as large spam systems,” reads the Infoblox report, which refers to lame domains as “Sitting Ducks.” “There is evidence that some domains were used for Cobalt Strike and other malware command and control (C2). Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.”

Eclypsium researchers estimate there are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019.

“As of the time of writing, numerous DNS providers enable this through weak or nonexistent verification of domain ownership for a given account,” Eclypsium wrote.

The security firms said they found a number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.

For example, Infoblox found cybercriminal groups using a Sitting Duck domain called clickermediacorp[.]com, which was initially registered on behalf of CBS Interactive Inc. by the brand protection firm MarkMonitor.

Another hijacked Sitting Duck domain — anti-phishing[.]org — was registered in 2003 by the Anti-Phishing Working Group (APWG), a cybersecurity not-for-profit organization that closely tracks phishing attacks.

In many cases, the researchers discovered Sitting Duck domains that appear to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed.

The researchers say Sitting Duck domains all possess three attributes that make them vulnerable to takeover:

1) the domain uses or delegates authoritative DNS services to a different provider than the domain registrar;
2) the authoritative name server(s) for the domain does not have information about the Internet address the domain should point to;
3) the authoritative DNS provider is “exploitable,” i.e. an attacker can claim the domain at the provider and set up DNS records without access to the valid domain owner’s account at the domain registrar.
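The three attributes above can be checked against your own domain inventory. The script below is an added example, not code from Infoblox or Eclypsium: provider names, the `query` resolver and the `EXPLOITABLE_PROVIDERS` set are constructed placeholders, so it runs offline; in practice you would back `query` with real DNS lookups (e.g. dnspython) and fill the provider set from the “Can I take over DNS” list.

```python
# Added example: audit domains for the three Sitting Duck attributes.
# The resolver is injected so the script runs offline on constructed fixtures.
from dataclasses import dataclass

# Hypothetical provider; the real set comes from the "Can I take over DNS" repo.
EXPLOITABLE_PROVIDERS = {"claimable-dns.example"}


@dataclass
class Finding:
    domain: str
    delegated_elsewhere: bool   # attribute 1
    lame: bool                  # attribute 2
    exploitable_provider: bool  # attribute 3

    @property
    def sitting_duck(self) -> bool:
        # All three attributes must hold at once.
        return self.delegated_elsewhere and self.lame and self.exploitable_provider


def provider_of(ns_host: str) -> str:
    # Registrable domain of a nameserver host (ns1.x.example -> x.example).
    # Sufficient for the fixtures; a real tool should use the Public Suffix List.
    parts = ns_host.rstrip(".").split(".")
    return ".".join(parts[-2:])


def audit(domain: str, registrar_provider: str, delegated_ns: list, query) -> Finding:
    """query(ns_host, domain, rrtype) -> (rcode, answers). rcode 'OK' with a
    non-empty answer means that authoritative server actually serves the zone."""
    providers = {provider_of(ns) for ns in delegated_ns}
    delegated_elsewhere = providers != {registrar_provider}
    # Ask each delegated server directly; REFUSED/SERVFAIL or no data from every
    # one of them means the delegation is lame.
    lame = True
    for ns in delegated_ns:
        rcode, answers = query(ns, domain, "A")
        if rcode == "OK" and answers:
            lame = False
            break
    exploitable = any(p in EXPLOITABLE_PROVIDERS for p in providers)
    return Finding(domain, delegated_elsewhere, lame, exploitable)


# --- Constructed fixtures (not real DNS data) ---
FIXTURE_ANSWERS = {
    ("ns1.claimable-dns.example", "lapsed-brand.example"): ("REFUSED", []),
    ("ns2.claimable-dns.example", "lapsed-brand.example"): ("REFUSED", []),
    ("ns1.claimable-dns.example", "healthy.example"): ("OK", ["192.0.2.10"]),
    ("ns2.claimable-dns.example", "healthy.example"): ("OK", ["192.0.2.10"]),
    ("ns1.registrar.example", "in-house.example"): ("OK", ["192.0.2.20"]),
}


def fake_query(ns_host, domain, rrtype):
    return FIXTURE_ANSWERS.get((ns_host, domain), ("SERVFAIL", []))


INVENTORY = [
    # (domain, registrar's own DNS provider, nameservers published at the registrar)
    ("lapsed-brand.example", "registrar.example", ["ns1.claimable-dns.example", "ns2.claimable-dns.example"]),
    ("healthy.example", "registrar.example", ["ns1.claimable-dns.example", "ns2.claimable-dns.example"]),
    ("in-house.example", "registrar.example", ["ns1.registrar.example"]),
]


def run_audit(inventory=INVENTORY, query=fake_query) -> list:
    return [audit(d, r, ns, query) for d, r, ns in inventory]


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.domain}: sitting_duck={f.sitting_duck}  {f}")
```

Only lapsed-brand.example matches all three attributes; healthy.example uses the same provider but its servers still answer, and in-house.example is never delegated away from the registrar.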


How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years. The list includes examples for each of the named DNS providers.

In the case of the aforementioned Sitting Duck domain clickermediacorp[.]com, the domain was originally registered by MarkMonitor, but it appears to have been hijacked by scammers by claiming it at the web hosting firm DNSMadeEasy, which is owned by Digicert, one of the industry’s largest issuers of digital certificates (SSL/TLS certificates).

In an interview with KrebsOnSecurity, DNSMadeEasy founder and senior vice president Steve Job said the problem isn’t really his company’s to solve, noting that DNS providers that are not also domain registrars have no real way of validating whether a given customer legitimately owns the domain being claimed.

“We do shut down abusive accounts when we find them,” Job said. “But it’s my belief that the onus needs to be on the [domain registrants] themselves. If you’re going to buy something and point it somewhere you have no control over, we can’t prevent that.”

Infoblox, Eclypsium, and the DNS wiki listing at GitHub all say that web hosting giant Digital Ocean is among the vulnerable hosting firms. In response to questions, Digital Ocean said it was exploring options for mitigating such activity.

“The DigitalOcean DNS service is not authoritative, and we are not a domain registrar,” Digital Ocean wrote in an emailed response. “Where a domain owner has delegated authority to our DNS infrastructure with their registrar, and they have allowed their ownership of that DNS record in our infrastructure to lapse, that becomes a ‘lame delegation’ under this hijack model. We believe the root cause, ultimately, is poor management of domain name configuration by the owner, akin to leaving your keys in your unlocked car, but we acknowledge the opportunity to adjust our non-authoritative DNS service guardrails in an effort to help minimize the impact of a lapse in hygiene at the authoritative DNS level. We’re connected with the research teams to explore additional mitigation options.”

In a statement provided to KrebsOnSecurity, the hosting provider and registrar Hostinger said they were working to implement a solution to prevent lame duck attacks in the “upcoming weeks.”

“We are working on implementing an SOA-based domain verification system,” Hostinger wrote. “Custom nameservers with a Start of Authority (SOA) record will be used to verify whether the domain truly belongs to the customer. We aim to launch this user-friendly solution by the end of August. The final step is to deprecate preview domains, a functionality sometimes used by customers with malicious intents. Preview domains will be deprecated by the end of September. Legitimate users will be able to use randomly generated temporary subdomains instead.”

What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that when a customer claimed a domain name, the best-practice providers gave the account holder random name servers that required a change at the registrar before the domain could go live. They also found the best-practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.
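The provider-side check just described, written out as an added example (not Hostinger’s or any other provider’s code): each claim is issued a fresh pair of random nameserver hostnames under a hypothetical `dns.example` zone, hostnames are never reused, and the zone is activated only once the parent-zone delegation published via the registrar points at exactly those names. The parent lookup is injected so the example runs offline on constructed data.

```python
# Added example: provider-side domain claim verification with per-claim random
# nameservers. Constructed data only; no real DNS is queried.
import secrets

PROVIDER_NS_ZONE = "dns.example"   # hypothetical provider nameserver zone


class ClaimRegistry:
    def __init__(self, lookup_parent_ns):
        # lookup_parent_ns(domain) -> set of NS hostnames published in the parent zone
        self.lookup_parent_ns = lookup_parent_ns
        self.pending = {}        # (domain, account) -> frozenset of issued NS names
        self.active = {}         # domain -> account that verified it
        self.ever_assigned = set()

    def _fresh_ns_pair(self):
        # Random, never-before-issued hostnames: a stale delegation left over from
        # a previous customer can never match a new claim.
        while True:
            label = secrets.token_hex(8)   # 64 bits of entropy per claim
            pair = frozenset(f"ns{i}-{label}.{PROVIDER_NS_ZONE}" for i in (1, 2))
            if not pair & self.ever_assigned:
                self.ever_assigned |= pair
                return pair

    def start_claim(self, account, domain):
        """Issue random NS names; the zone stays inactive until verified."""
        if self.active.get(domain, account) != account:
            raise PermissionError("domain already active for another account")
        pair = self._fresh_ns_pair()
        self.pending[(domain, account)] = pair
        return sorted(pair)

    def verify_claim(self, account, domain):
        """Activate only if the registrar-side delegation equals the issued names."""
        assigned = self.pending.get((domain, account))
        if assigned is None or self.active.get(domain, account) != account:
            return False
        if set(self.lookup_parent_ns(domain)) != set(assigned):
            return False   # delegation unchanged, or pointing at generic/old names
        self.active[domain] = account
        del self.pending[(domain, account)]
        return True


# --- Constructed parent-zone data (not real DNS) ---
PARENT_NS = {}


def fake_lookup_parent_ns(domain):
    return PARENT_NS.get(domain, set())


def demo():
    reg = ClaimRegistry(fake_lookup_parent_ns)
    # A stranger claims a domain whose delegation still names the provider's old
    # generic servers; without a registrar-side change the claim cannot activate.
    reg.start_claim("stranger", "victim.example")
    PARENT_NS["victim.example"] = {"ns1.dns.example", "ns2.dns.example"}
    blocked = reg.verify_claim("stranger", "victim.example")
    # The real owner updates the delegation at the registrar to the issued names.
    owner_ns = reg.start_claim("owner", "victim.example")
    PARENT_NS["victim.example"] = set(owner_ns)
    activated = reg.verify_claim("owner", "victim.example")
    return blocked, activated


if __name__ == "__main__":
    print(demo())   # expected (False, True)
```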

[Side note: Infoblox observed that many of the hijacked domains were being hosted at Stark Industries Solutions, a sprawling hosting provider that appeared two weeks before Russia invaded Ukraine and has become the epicenter of countless cyberattacks against enemies of Russia].

Both Infoblox and Eclypsium said that without more cooperation and less finger-pointing by all stakeholders in the global DNS, attacks on sitting duck domains will continue to rise, with domain registrants and regular Internet users caught in the middle.

“Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface,” the Infoblox report concludes.


Are Ransomware Attacks Still a Growing Threat in 2024?


The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Ransomware attacks continue to pose a growing threat to organizations: ransomware has emerged as the number one threat, affecting 66% of organizations in 2023 and extracting over $1 billion from victims. These attacks have increased in frequency and sophistication, resulting in significant financial loss, operational disruption, theft of sensitive data, and reduced productivity. They also damage the organization’s reputation and result in the loss of customer trust and compliance violations. An organization needs a comprehensive protection strategy to reduce the frequency of these attacks and the risks they pose.

Ransomware Business Model: How These Attacks Are Evolving?

In the past, ransomware attacks mainly relied on phishing emails, remote desktop protocol exploits, and vulnerable ports to increase their chances of success. Additionally, these attacks employed evasion techniques to bypass traditional security measures like firewalls or antivirus software. These methods produced well-known attacks like WannaCry, TeslaCrypt, and NotPetya.

With time, ransomware attacks have become more sophisticated, targeted, and profitable for cybercriminals. Below are the latest trends attackers adopt to launch a successful ransomware attack:

Exploiting Zero-Day Vulnerabilities

The shift in ransomware gangs and their sophisticated tactics, techniques, and procedures (TTPs) raises the number of ransomware attacks. Previously, REvil, Conti, and LockBit were the famous ransomware gangs, but now Clop, Cuban, and Play are gaining immense popularity by employing advanced techniques such as exploiting zero-day vulnerabilities.

Sophos’s State of Ransomware 2024 revealed exploited vulnerabilities as the root cause of ransomware attacks. The Clop ransomware gang has used the zero-day vulnerability in the MOVEit Transfer platform to steal the sensitive data of different organizations. This group also targeted the GoAnywhere zero-day vulnerability in January 2023, affecting 130 organizations, and exploited the Accellion FTA servers in 2020. Similarly, Cuban and Play used the same attacking technique to compromise the unpatched Microsoft Exchange servers.

Double and Triple Extortion

Another reason for the rise in ransomware attacks is the introduction of the double or triple extortion technique. Cybersecurity firm Venafi reported that 83% of ransomware attacks included multiple ransom demands in 2022.

In a double extortion scheme, cybercriminals encrypt the data, exfiltrate sensitive information, and threaten to release it or sell it on the dark web if the ransom is not paid. This tactic proves highly effective because it holds the victim’s data hostage and also introduces the risk of regulatory non-compliance and reputational damage.

With the increased pressure on victims to comply with the attacker’s demands, 62.9% of ransomware victims agree to pay the ransom without any guarantee of getting the data back. For example, during the MCNA Dental breach, the ransomware gang LockBit published all the data on their leak site before the company paid the ransom.

Similarly, a triple extortion ransomware attack adds a third vector, which could be a distributed denial-of-service (DDoS) attack. Ransomware operators seek ransom by putting extra pressure on the organization or even threaten downtime or regulatory issues. Multiple threat actors have used this tactic, such as Vice Society, in an attack against the San Francisco Bay Area Rapid Transit system.

Ransomware-as-a-Service Model (RaaS)

Ransomware infections saw a sharp increase in the first half of 2023, up 50% with the Ransomware-as-a-Service (RaaS) model. With these kits, attackers carry out attacks faster: the average number of days to execute an attack dropped from 60 to four.

The Ransomware-as-a-Service (RaaS) model operates on a subscription or commission-based system, making it accessible to individuals with minimum technical expertise. Threat actors no longer need advanced coding skills as they can rent tools from underground markets to launch more devastating attacks.

RaaS operators like AlphaV, Conti, and REvil are available on the dark web with a range of features and bundles that enable non-technical or amateur hackers to launch successful ransomware attacks. In exchange, a hefty share of the ransom amount is deducted as profit. This shift broadens the reach of cybercriminals and increases the frequency and diversity of ransomware infections. All this has posed a significant challenge for individuals, businesses, and critical infrastructure.

The rise of RaaS operators has severe consequences for businesses, including financial and regulatory penalties, operational disruption, and reputational damage. During the infamous ransomware attack on the UnitedHealth subsidiary Change Healthcare, the company admitted paying a ransom demand of allegedly $22 million to the ALPHV gang. The attackers used stolen credentials to log into the company’s Citrix remote access service, which lacked multi-factor authentication. This attack had caused an overall loss of $87 million as of April 2024, and that figure will likely increase until all investigations are completed.

More Targeted Attacks on IoMT Devices

With the rapid proliferation of the Internet of Medical Things (IoMT) devices like wearable trackers, remote patient monitoring systems, and patient monitoring sensors, healthcare networks are accessed by third-party devices. Unfortunately, this has increased vulnerabilities that attackers can exploit to spread ransomware infection.

According to a study by the Ponemon Institute in 2022, 43% of healthcare organizations in the USA experienced a ransomware attack, and 76% experienced an average of three or more. It also reported that IoMT devices are the primary cause for 21% of all ransomware attacks and lead to adverse effects on patient care.

Recently, Nozomi Networks Labs found nearly a dozen security flaws in the GE HealthCare Vivid Ultrasound family and its associated software. The same study concluded that threat actors could exploit the vulnerabilities to access and alter patient data and install ransomware, eventually disrupting hospital workflows and damaging reputation.

These attacks cause hefty monetary losses and downtime in healthcare services and degrade patient care. For example, a ransomware attack on MedStar Washington Hospital caused the facility to shut down its services completely. Similarly, in another event, a hospital in Los Angeles paid $17,000 in bitcoin as ransom to free its systems.

AI-Powered Ransomware Attacks

The rise of generative AI is another growing concern, as it could lead to more advanced ransomware exploitation in 2024 and beyond. The UK’s National Cyber Security Centre (NCSC) issued a report warning that malicious attackers are using AI to evolve ransomware attacks by running advanced reconnaissance.

AI-enabled ransomware attackers can exploit security weaknesses within existing cybersecurity defenses by using AI for reconnaissance. Attackers can also detect and exploit entry points that traditional defenses may neglect, including security misconfigurations and zero-day vulnerabilities in software and systems, which makes such attacks harder to mitigate.

Attackers can also use generative AI to automate various stages of the ransomware infection process. All this increases the efficiency of attacks and reduces the need for human intervention.

Intermittent Encryption

Ransomware attackers also use intermittent encryption tactics. Under this method, they only partially encrypt the victims’ files, which evades detection systems while still causing significant damage. A security vendor discovered this trend in 2021 when the LockBit gang used it, and in 2022 security researchers found other ransomware gangs, including Black Basta, BlackCat, PLAY, Agenda, and Qyick, using it as well.

Supply Chain Attacks

Threat actors are targeting supply chain companies to maximize the attack’s impact. A weak supply chain leads to ransomware attacks, with 64% of companies believing that the ransomware gangs infiltrate their network via business partners or suppliers.

Instead of extorting the supply chain company, hackers extort its customers. This way, they target multiple companies from a single breach. The most famous example of this tactic is the Kaseya attack, which affected Kaseya and 1,500 of its customers.

Fighting Back Against Ransomware Attacks

Cybersecurity Ventures predicted that the global ransomware cost will exceed $265 billion annually by 2031, with a new attack occurring every two seconds. As ransomware attacks are getting more profitable, organizations must start taking actions to prevent the operational, financial, and legal consequences of the attacks. Some proactive security measures include:

● Employees should receive regular cybersecurity education and ICS cybersecurity training to recognize common attack vectors and strengthen their security posture. Also, the training must emphasize the importance of adhering to security policies and procedures.

● Use extended detection and response (XDR) solutions to continuously monitor and analyze behavior in real time. Such solutions also detect malicious code, delete its source, quarantine suspicious files, and disconnect or remove the affected endpoint from the network.

● Perform regular security tests, monitor suppliers, and encrypt data in transit and at rest to prevent software supply chain attacks.

● Develop a comprehensive incident response plan that outlines essential steps to take if a ransomware attack occurs. This includes isolating affected systems, preserving evidence, notifying relevant parties, and collaborating with law enforcement agencies.

● Adopt a zero-trust approach that requires all users and devices to verify and authenticate their identity before accessing network data and resources. This prevents unauthorized access and mitigates suspicious activity.

● Use patch management tools as they help prevent ransomware attacks by updating the system, software, and applications with the latest patches.

Final Words

Ransomware attacks are becoming the most threatening malware of the digital age. They have grown in frequency and severity because attackers are changing their tactics to increase their success rate. Companies must add more security measures to control these attacks and improve their cybersecurity defense practices. Employees must receive training and be aware in order to respond promptly when such an attack occurs.


The AI Fix #9: When AI detectors fail (spectacularly), and OpenAI’s five steps to Skynet


In episode nine of “The AI Fix”, our hosts learn about the world’s most dangerous vending machine, a cartoonist who hypnotises himself with AI, and OpenAI’s plans to eat Google’s lunch.

Graham tells Mark about a pig-farming professor, and Mark tests Graham’s tolerance with OpenAI’s terrifying roadmap to Artificial General Intelligence.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.
