
Palo Alto Networks: Domain Shadowing is a Prevalent Threat

 

According to threat analysis from Palo Alto Networks' Unit 42, a phishing technique known as domain shadowing is wreaking havoc. The company found that around 12,197 shadowed domains were created between 25 April and 27 June 2022 to serve malicious content. 
 
Attackers use domain shadowing for stealthy attacks. Once a threat actor gains access to, or hijacks, the DNS configuration of your domain, they create their own subdomains under your legitimate, reputable domain and point them at infrastructure hosting malicious content. The hijacked domains are then used in several ways, such as evading security checks, distributing malware, and committing fraud. 
 
It is important to note that the attackers set up these shadow domains without altering the functioning of the original domain, which also works in their favour: victims are not aware that a threat exists, and the owners of the original domains rarely audit their DNS records to confirm they are still secure. 
 
Unit 42 does, however, use a method to detect hijacked domains and illegitimate subdomains. It works through a checklist: checking whether the IP address of the subdomain is the same as or different from that of the parent domain, checking how long the domain and the subdomain have each been active, and checking the naming patterns of the domain and its subdomains. 
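The three checklist heuristics above, applied to constructed apex/subdomain records of the kind passive DNS provides. This is an added example written for this page, not Unit 42's tooling; the thresholds (30 days for a "young" subdomain, one year for an "established" apex, two hits to flag) are assumptions.

```javascript
// Added example, not Unit 42's code: score subdomains with the three checklist heuristics.
const DAY_MS = 24 * 60 * 60 * 1000;
const PHISH_WORDS = /login|secure|verify|update|account|signin/i;

// Constructed sample data (documentation IPs, fictional dates); not real observations.
const apex = { name: 'example.com', ip: '203.0.113.10', firstSeen: '2015-03-01' };
const subdomains = [
  { name: 'www.example.com', ip: '203.0.113.10', firstSeen: '2015-03-01' },
  { name: 'mail.example.com', ip: '203.0.113.11', firstSeen: '2016-06-12' },
  { name: 'kx7q2zp.example.com', ip: '198.51.100.77', firstSeen: '2022-05-14' },
  { name: 'login-secure-update.example.com', ip: '198.51.100.78', firstSeen: '2022-05-15' },
];

function daysBetween(from, to) {
  return (Date.parse(to) - Date.parse(from)) / DAY_MS;
}

// Check 1: does the subdomain resolve to a different address than the apex domain?
function ipDiffers(sub, apexRec) {
  return sub.ip !== apexRec.ip;
}

// Check 2: is the subdomain young while the apex has been established for a long time?
// Thresholds are assumptions (30 days / 365 days), tune them to your own data.
function recentUnderOldApex(sub, apexRec, asOf, maxSubAge = 30, minApexAge = 365) {
  return daysBetween(sub.firstSeen, asOf) <= maxSubAge &&
         daysBetween(apexRec.firstSeen, asOf) >= minApexAge;
}

// Check 3: does the label look machine-generated (letters mixed with digits) or
// carry phishing vocabulary? Both break the naming pattern of a normal apex.
function suspiciousLabel(sub, apexRec) {
  if (!sub.name.endsWith('.' + apexRec.name)) return false;
  const label = sub.name.slice(0, -(apexRec.name.length + 1));
  const mixed = /[a-z]/i.test(label) && /\d/.test(label);
  return mixed || PHISH_WORDS.test(label);
}

// Score a subdomain 0..3; two or more hits marks it as a shadowing candidate.
function scoreSubdomain(sub, apexRec, asOf) {
  const hits = [ipDiffers(sub, apexRec), recentUnderOldApex(sub, apexRec, asOf), suspiciousLabel(sub, apexRec)];
  const score = hits.filter(Boolean).length;
  return { name: sub.name, score, flagged: score >= 2 };
}

// Return the names of all subdomains flagged as of a given date.
function findShadowed(subs, apexRec, asOf) {
  return subs.map((s) => scoreSubdomain(s, apexRec, asOf)).filter((r) => r.flagged).map((r) => r.name);
}

console.log(findShadowed(subdomains, apex, '2022-06-01'));
```

Only the two subdomains that are new, resolve elsewhere, and break the apex's naming pattern are flagged; a long-standing mail host on a neighbouring address scores one hit and is left alone.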
 
Domain shadowing can be seen as a new evolution of online threats, and of fast flux in particular. It has been described as the most effective and hardest-to-detect technique any attacker has used to date. The attacker can create tens of thousands of subdomains under the hijacked domains, and because they are used at random, the domain the next victim will be sent to cannot be predicted.  
 
According to Palo Alto Networks' threat researchers, when they became aware of this phishing technique and the rising number of cases associated with it, only 200 of the shadowed domains they identified were flagged as potentially harmful. VirusTotal also showed that some of these had been organised into a single phishing campaign by setting up 649 fake subdomains under 16 trusted websites. 
 
The shadowed domains are used for phishing, stealing users' login credentials. To protect your website and data from domain shadowing, adopt next-generation security measures, including connected threat intelligence platforms, and check the web page's address before entering credentials.

BlackShadow Hacker Organization Hijacked Cyberserve Firm

 

The Israeli hosting provider Cyberserve has been hacked by BlackShadow, an Iranian state-sponsored hacking group, which acquired client records and disrupted the company's services. 

Cyberserve is a web development and hosting company headquartered in Israel that is employed by a variety of organizations, including local radio stations, museums, and educational establishments. 

Beginning on Friday 29 October, users trying to reach websites hosted by Cyberserve encountered errors and notices saying the sites were unreachable because of a cybersecurity incident. 

A hacker group known as BlackShadow claimed credit for the Cyberserve attack and is extorting the hosting firm and its customers for $1 million in bitcoin in exchange for not leaking the stolen data. 

The extortion demand carried a 48-hour deadline beginning on Saturday 30 October, but the hackers almost immediately released a sample of 1,000 documents to prove their claim. 

A database holding the personally identifiable information of users of a large LGBT site called 'Atraf' was stolen as part of the breach, making the incident highly serious: exposing LGBT individuals in traditional communities puts them in physical and psychological danger. 

"Atraf's team did not contact us for any deals yet so we collected 50 famous Israeli that were surfing and we leak their video's," the hacking group threatened on Telegram. A number of websites hosted by Cyberserve, including Atraf, remain offline, suggesting that the firm is still dealing with the attack. 

The attack has also affected the following websites: 

  • The Kavim (Dan Bus) public transportation firm. 
  • The Kan public broadcaster. 
  • The Pegasus travel agency. 
  • The Holon Children's Museum. 

BlackShadow is an Iranian state-sponsored hacking group with verified ties to the Pay2Key ransomware strain, which has been used against Israeli targets on many occasions. Unlike traditional ransomware operators, the threat actors behind BlackShadow are not believed to be financially motivated. 

According to Omri Segev Moyal, co-founder and CEO of the Israeli cybersecurity firm Profero, these groups' activities are retaliatory and intended to undermine Israeli interests. 

"The recent attacks from the so-called 'BlackShadow' are just another cycle of the clandestine Iran-Israeli war. It’s a well-constructed InfoOp combined with very weak hacking skills to hurt Israel. We assume the current cycle is also in retaliation for the attack against the gas pumps in Iran last week." - Omri Segev Moyal.

Critical Flaws Allowing Domain Hijacking Assaults Patched By Node.js Developers

 

A vulnerability in Node.js that could let a remote attacker carry out domain hijacking attacks has been patched. Last week the developers of Node.js, the JavaScript runtime environment, published a security advisory warning users of the risk and urging them to upgrade to the latest version to protect their systems against a series of flaws.

The first flaw, tracked as CVE-2021-3672/CVE-2021-2293, stemmed from improper handling of unusual characters in domain names, which opened the door to remote code execution (RCE) or cross-site scripting (XSS) exploits. 

The flaw, which security researchers classified as high risk, could also crash applications because of missing input validation of hostnames returned by DNS servers to Node.js; this can lead to wrong hostnames being output (enabling domain hijacking) and to injection vulnerabilities in applications that use the library. 

A second vulnerability (CVE-2021-22939) is the incomplete validation of the “rejectUnauthorized” parameter; it falls into the low-risk category. 

The third and final flaw (CVE-2021-22930), which could let an attacker exploit memory corruption to alter process behaviour, was included as a follow-up fix after earlier mitigations did not fully resolve the issue.

The security advisory was published on the same day as a research paper (PDF) on the topic. In the paper, titled ‘Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS’, researchers Philipp Jeitner and Haya Shulman demonstrated “a new method to launch string injection attacks by encoding malicious payloads into DNS records”. 
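The defensive counterpart to the hostname-validation gap described above: an application-side check that a name returned by the resolver (a CNAME target, a reverse-lookup result) is a syntactically valid hostname before it is placed in a shell command, HTML or a log line. This is an added example for this page, not Node.js or c-ares code; the sample resolver outputs are constructed.

```javascript
// Added example, not Node.js code: strict RFC 1123 hostname validation for resolver output.
const MAX_HOSTNAME = 253;
const MAX_LABEL = 63;
// A label is 1-63 characters of letters, digits and hyphens, not starting or ending with a hyphen.
// Note: names with underscores (SRV/DKIM-style records) are intentionally rejected here.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns true only for a syntactically valid hostname; anything else (shell
// metacharacters, HTML, backslash escapes, empty labels) is rejected as a whole.
function isValidHostname(name) {
  if (typeof name !== 'string') return false;
  const host = name.endsWith('.') ? name.slice(0, -1) : name; // tolerate a trailing dot
  if (host.length === 0 || host.length > MAX_HOSTNAME) return false;
  return host.split('.').every((label) => label.length <= MAX_LABEL && LABEL_RE.test(label));
}

// What an application should call instead of trusting the resolver's string directly.
function safeHostname(name) {
  if (!isValidHostname(name)) {
    throw new Error('rejected hostname from DNS: ' + JSON.stringify(name));
  }
  return name.toLowerCase();
}

// Constructed resolver outputs: two legitimate names, three carrying injected content.
const SAMPLES = [
  'mail.example.com',
  'a-b.example.com.',
  'bad;name.example.com',
  '<img src=x>.example.com',
  'x\\000.example.com',
];

function checkSamples(list) {
  return list.map((n) => ({ name: n, ok: isValidHostname(n) }));
}

console.log(checkSamples(SAMPLES));
```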

Earlier this year, the developers of systeminformation, a popular Node.js package, patched a critical flaw that left applications susceptible to command injection attacks. systeminformation offers dozens of functions for retrieving detailed hardware, system and operating-system information from servers hosting Node.js applications. The library has more than 850,000 weekly downloads on npm, the main online repository for Node.js packages. 

The vulnerability was caused by a special case of improper parameter checking and array sanitisation, said Hildebrandt, the maintainer of systeminformation. 

“If the input was not sanitized and users had the possibility to pass a JavaScript array as a parameter to the given functions, this could lead to executing malicious code like [a denial of service] DoS on the machine where systeminformation is running,” he further added.