DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight
1.8.24  Cyber  The Hacker News
Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.

The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).

"Before issuing a certificate to a customer, DigiCert validates the customer's control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF)," it said.

One of the ways this is done hinges on the customer setting up a DNS CNAME record containing a random value provided to them by DigiCert, which then performs a DNS lookup for the domain in question to make sure that the random values are the same.

The random value, per DigiCert, is prefixed with an underscore character so as to prevent a possible collision with an actual subdomain that uses the same random value.

What the Utah-based company found was that it had failed to include the underscore prefix with the random value used in some CNAME-based validation cases.

The issue has its roots in a series of changes that were enacted starting in 2019 to revamp the underlying architecture, as part of which the code adding an underscore prefix was removed and subsequently "added to some paths in the updated system" but not to one path that neither added it automatically nor checked whether the random value already had a prepended underscore.

"The omission of an automatic underscore prefix was not caught during the cross-functional team reviews that occurred before deployment of the updated system," DigiCert said.

"While we had regression testing in place, those tests failed to alert us to the change in functionality because the regression tests were scoped to workflows and functionality instead of the content/structure of the random value."

"Unfortunately, no reviews were done to compare the legacy random value implementations with the random value implementations in the new system for every scenario. Had we conducted those evaluations, we would have learned earlier that the system was not automatically adding the underscore prefix to the random value where needed."
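As an added example (not DigiCert's code), the Python below models the CNAME-based DCV check described above and enforces the underscore prefix as a structural check on the random value itself, the kind of content check the regression tests were missing. The record layout, value length and the CA's CNAME target host are assumptions.

```python
import re
import secrets

# Structural rule for the random value: a leading underscore, then at least
# 20 alphanumeric characters. Length and charset are assumptions for the example.
RANDOM_VALUE_RE = re.compile(r"^_[A-Za-z0-9]{20,}$")

# Assumed CNAME target the customer points the record at (placeholder, not a real host).
CA_DCV_TARGET = "dcv.example-ca.invalid"


def new_random_value() -> str:
    """Generate a random value with the underscore prefix added automatically."""
    return "_" + secrets.token_hex(16)


def legacy_random_value_missing_prefix() -> str:
    """Models the faulty code path: no prefix is added and none is checked for."""
    return secrets.token_hex(16)


def is_structurally_valid(random_value: str) -> bool:
    """The content/structure check on the random value that the regression suite lacked."""
    return RANDOM_VALUE_RE.fullmatch(random_value) is not None


def dcv_cname_name(domain: str, random_value: str) -> str:
    """Build the owner name at which the customer's CNAME record must exist.

    Rejecting a non-prefixed value here fails closed: without the underscore the
    value could collide with a real subdomain label, so it is not a valid challenge.
    """
    if not is_structurally_valid(random_value):
        raise ValueError(f"random value lacks underscore prefix: {random_value!r}")
    return f"{random_value}.{domain}".lower()


def dcv_passes(domain: str, random_value: str, observed: dict[str, str]) -> bool:
    """Compare the DNS answer with the expected record.

    `observed` maps owner name -> CNAME target and stands in for a live DNS
    lookup so the example runs offline.
    """
    name = dcv_cname_name(domain, random_value)
    target = observed.get(name, "").rstrip(".").lower()
    return target == CA_DCV_TARGET
```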

Subsequently, on June 11, 2024, DigiCert said it revamped the random value generation process and eliminated the manual addition of the underscore prefix within the confines of a user-experience enhancement project, but acknowledged it again failed to "compare this UX change against the underscore flow in the legacy system."

The company said it didn't discover the non-compliance issue until "several weeks ago" when an unnamed customer reached out regarding the random values used in validation, prompting a deeper review.

It also noted that the incident impacts approximately 0.4% of the applicable domain validations, which, according to an update on the related Bugzilla report, affects 83,267 certificates and 6,807 customers.

Notified customers are recommended to replace their certificates as soon as possible by signing into their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing them after passing DCV.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish an alert, stating that "revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication."

Update
"DigiCert continues to actively engage with customers impacted by this incident and many of them have been able to replace their certificates," the company said. "Some customers have applied for a delayed revocation due to exceptional circumstances and we are working with them on their individual situations. We are no longer accepting any applications for delayed revocation."

These include customers operating critical infrastructure, who it said, "are not in a position to have all their certificates reissued and deployed in time without critical service interruptions." It further noted that all impacted certificates, regardless of circumstances, will be revoked no later than August 3, 2024, 7:30 p.m. UTC.


New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries
31.7.24  Cyber  The Hacker News
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.

The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.

"SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week.

The latest set of attacks employs lures related to sexual harassment, employee termination, and salary cuts in order to negatively impact the recipients' emotional state and trick them into opening booby-trapped Microsoft Word documents.

Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") to retrieve an RTF file.


The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old security vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that's responsible for launching JavaScript code, but only after ensuring that the compromised system is legitimate and is of interest to the threat actor.

It's currently not known what's delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering based on prior campaigns mounted by SideWinder.

"The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions," BlackBerry said. "The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future."

The disclosure comes as a suspected Russian-linked threat actor is targeting entities interested in Indian political affairs with a Go-based remote access trojan (RAT) that's delivered via a .NET loader launched from Windows shortcut (LNK) files disguised as Office documents. The activity has been codenamed Operation ShadowCat.


LockBit Ransomware Hacker Ordered to Pay $860,000 After Guilty Plea in Canada
14.3.24  Cyber  The Hacker News
A 34-year-old Russian-Canadian national has been sentenced to nearly four years in jail in Canada for his participation in the LockBit global ransomware operation.

Mikhail Vasiliev, an Ontario resident, was originally arrested in November 2022 and charged by the U.S. Department of Justice (DoJ) with "conspiring with others to intentionally damage protected computers and to transmit ransom demands in connection with doing so."

News of Vasiliev's jail term was first reported by CTV News.

The defendant, who had his home searched by Canadian law enforcement authorities in August and October 2022, is said to have kept a list of "prospective or historical" victims and screenshots of communications exchanged with "LockBitSupp" on the Tox messaging platform.

The raid also uncovered a text file with instructions to deploy LockBit ransomware, the ransomware source code, and a control panel used by the e-crime group to deliver the file-locking malware.

Vasiliev, according to CTV News, pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges last month. During the sentencing, he was characterized by Justice Michelle Fuerst as a "cyber terrorist" who was "motivated by his own greed."

He is believed to have become a cyber criminal while at home during the COVID-19 pandemic, attempting to seek ransom payments from three Canadian companies between 2021 and 2022 by stealing their data and holding it hostage.

Vasiliev, who has consented to being extradited to the U.S., has also been ordered to pay back more than $860,000 in restitution.

One of the most prolific ransomware groups in history, LockBit suffered a huge blow in February 2024, when its infrastructure was seized in a coordinated law enforcement operation. The disruption was accompanied by arrests of three LockBit affiliates in Poland and Ukraine.

Although the group reemerged with a new data leak site, there is evidence to suggest that the new victims being listed are either old or fake, designed to give an impression that the group is back up and running.

The development arrives as a federal jury in Washington, D.C., convicted Roman Sterlingov, a dual Russian-Swedish national, for his operation of Bitcoin Fog from 2011 through 2021, facilitating the laundering of profits made from the sale of illegal narcotics, computer crimes, stolen identities, and child sexual abuse material.

Ilya Lichtenstein, who pleaded guilty in August 2023 to the theft of about 120,000 bitcoin in connection to the hack of the Bitfinex cryptocurrency exchange, testified last month how he had used Bitcoin Fog 10 times to launder the virtual assets, Bloomberg reported.

"Bitcoin Fog was the longest-running cryptocurrency 'mixer,' gaining notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement," the DoJ said.

"Over the course of its decade-long operation, Bitcoin Fog moved over 1.2 million bitcoin, which was valued at approximately $400 million at the time of the transactions."


Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams
5.3.24  Cyber  The Hacker News

A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.

"Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia," Infoblox said in a report published last week.

Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.

Users are lured via ads on social media platforms like Facebook and are also tricked into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.

The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing threat actors to evade detection since at least August 2021.

A CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage of this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.

Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These specific subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.

The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or alter their CNAME records to a different IP address as their phishing sites are disrupted.
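An added detection example, not from the Infoblox report: it groups constructed passive-DNS records by CNAME target and flags targets fronted by several short-lived, random-looking subdomains, which is the pattern described above. The record format, thresholds and all names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import log2

# Constructed passive-DNS observations (not real indicators):
# (first_seen, last_seen, owner name, CNAME target).
RECORDS = [
    ("2024-02-01", "2024-02-03", "k3x9q2wz.invest-lure.example", "tds.shared-host.example"),
    ("2024-02-02", "2024-02-04", "p7m1dz0r.invest-lure.example", "tds.shared-host.example"),
    ("2024-02-05", "2024-02-06", "b8v4ht6n.invest-lure.example", "tds.shared-host.example"),
    ("2023-06-01", "2024-02-28", "www.legit-site.example", "edge.legit-cdn.example"),
    ("2023-06-01", "2024-02-28", "mail.legit-site.example", "edge.legit-cdn.example"),
]


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label; DGA labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def lifetime_days(first_seen: str, last_seen: str) -> int:
    """Days between first and last observation of a record."""
    fmt = "%Y-%m-%d"
    return (datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)).days


def cname_tds_candidates(records, max_lifetime_days=7, min_subdomains=3, min_entropy=2.5):
    """Return CNAME targets that several short-lived, high-entropy subdomains share.

    A legitimate CDN alias is long-lived and uses readable labels, so it is not
    flagged; a rotating DGA front shares one target across many throwaway names.
    """
    by_target = defaultdict(list)
    for first_seen, last_seen, name, target in records:
        by_target[target.rstrip(".").lower()].append((first_seen, last_seen, name))
    flagged = {}
    for target, names in by_target.items():
        suspicious = sorted(
            name for first_seen, last_seen, name in names
            if lifetime_days(first_seen, last_seen) <= max_lifetime_days
            and label_entropy(name.split(".")[0]) >= min_entropy
        )
        if len(suspicious) >= min_subdomains:
            flagged[target] = suspicious
    return flagged
```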

While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.

Victims who end up clicking the links embedded on Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform for adding funds to their wallets.

"An important detail to note is the actor validates the user's information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear," Infoblox noted.

The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.