United Nations Organizations Targeted in Ongoing Phishing Campaign

A currently ongoing mobile-aware phishing campaign is targeting various non-governmental entities worldwide, including United Nations humanitarian organizations such as UNICEF, Lookout reports.

The attacks rely on infrastructure that has been live since March 2019 and which includes two domains hosting phishing content, namely session-services[.]com and service-ssl-check[.]com.

The domains resolve to IP addresses 111.90.142.105 and 111.90.142.91, and Lookout has discovered that the associated IP network block and ASN (Autonomous System Number) have a low reputation and were previously observed hosting malware.

What makes the campaign stand out, however, is its ability to detect mobile devices and to log keystrokes as soon as they are entered on the phishing page.

JavaScript code on the fraudulent pages can determine if a mobile device is being used and then delivers mobile-specific content to the user. The attack also relies on the fact that mobile web browsers truncate the URL, which makes it more difficult for the victims to discover the deception.

The password field on the phishing login pages contains key-logging functionality, meaning that the entered characters are still sent to the attackers even if the target doesn’t complete the login operation (by pressing the login button).

Lookout’s security researchers also discovered that some of the SSL certificates used in the campaign are expired, as they had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019.

Such certificates are immediately detected by browsers, which alert users on the matter using very clear warnings that should make it “near impossible to entice a user to enter their login credentials,” Lookout says.

However, given that six certificates used in the campaign continue to be valid, Lookout believes the attacks may be ongoing.

The still-valid certificates should expire between November 15 and November 23. The websites they are used on target the United Nations, the UN Development Programme, the UN World Food Programme, UNICEF, the Heritage Foundation, and the International Federation of the Red Cross and Red Crescent Societies.

“[Security teams] need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization,” Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told SecurityWeek in an emailed comment.

“These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate, they take advantage of the implicit trust users have in the green padlock created by TLS certificates,” Bocek says. “This may appear sophisticated, but these kinds of phishing attacks are very common.”

Related: ‘Heatstroke’ Phishing Campaign Takes Multi-Stage Approach

Related: Mobile Phishing Attacks Up 85 Percent Annually

Researchers Warn of New Cache-Poisoned DoS Attack Method

A group of security researchers from German universities has devised a new class of web cache poisoning attacks that could render victim services unreachable.

The cache is meant to reduce the volume of network traffic through the reuse of HTTP responses and helps applications scale at large, in addition to providing protection against denial-of-service (DoS) attacks.

Researchers at Cologne University of Applied Sciences and University of Hamburg, Germany, discovered a new attack that involves poisoning the cache with a server-generated error page and then serving useless content instead of the legitimate one.

The attack, the researchers explain in a whitepaper (PDF), works against one proxy cache product and five content delivery network (CDN) services, including prominent solutions that cache high-value websites — Akamai, CDN77, Fastly, Cloudflare, CloudFront, and Varnish allow for error pages to be cached.

“The consequences are severe as one simple request is sufficient to paralyze a victim website within a large geographical region. The awareness of the newly introduced CPDoS attack is highly valuable for researchers for obtaining a comprehensive understanding of causes and countermeasures as well as practitioners for implementing robust and secure distributed systems,” the researchers say.

The attack exploits a general issue in layered systems, where there are differences in interpretation when operating on the same message in sequence. Specifically, the problem arises from the fact that the attacker-generated HTTP request for a cacheable resource contains inaccurate fields that, while ignored by the caching system, raise an error when processed by the origin server.

Thus, the intermediate cache receives an error page from the origin server, meaning that the cache is poisoned with the server-generated error page. Because the useless content renders the victim service unreachable, the new class of attacks was named “Cache-Poisoned Denial-of-Service (CPDoS)”.

During their investigation the researchers empirically studied the manner in which fifteen available web caching solutions behave when handling HTTP requests containing inaccurate fields and caching of resulting error pages, and discovered vulnerable services that have already been alerted on the matter.

The attack exploits the semantic gap between two HTTP engines, one in a shared cache and another in an origin server. In this context, the deployed caching system is more lenient in processing requests than the origin server, which allows the attacker to introduce harmful headers in the request.

With these headers forwarded without any changes to the origin server, the request runs through the cache without issue, but the processing on the server results in an error. Thus, the server responds with the error, which is then stored and reused by the cache for recurring requests.

This results in each client that makes a GET request to the infected URL receiving a stored error message. According to the whitepaper, a simple request, which is below the detection threshold of web app firewalls and DoS protections, is enough to replace the genuine content in the cache by an error page.

Harmless CPDoS can render images or style resources unavailable, thus affecting the visual appearance of applications, but more serious attacks could render entire web applications inaccessible. Additionally, CPDoS attacks could block patches or firmware updates distributed via caches.

“Attackers can also disable important security alerts or messages on mission-critical websites such as online banking or official governmental websites. Imagine, e.g., a situation in which a CPDoS attack prevents alerts about phishing emails or natural catastrophes from being displayed to the respective user,” the researchers say.

An attacker could exploit this with little effort without the risk of being detected, but with a high probability of success, which means that CPDoS poses a high risk, the researchers say.

In their paper, the researchers present three variations of the general CPDoS attack: HTTP Method Override (HMO), in which a malicious client crafts a GET request that includes an HTTP method-overriding header; HTTP Header Oversize (HHO), in which the malicious client sends a GET request including a header larger than the limit of the origin server but smaller than that of the cache; and HTTP Meta Character (HMC), which is similar to HHO but relies on a request header containing a harmful meta character.

Experiments have revealed that 8 websites of the Department of Defense, over a dozen of the Alexa Top 500 sites, and millions of URLs stored in a data set of the HTTP Archive are vulnerable to CPDoS attacks.

“According to our experiments 11% of the DoD web sites, 30% of the Alexa Top 500 websites and 16% of the URLs in the analyzed HTTP Archive data set are potentially vulnerable to CPDoS attacks. These cached contents include also mission-critical firmware and update files,” the researchers note.

Some of the vulnerable resources are ethereum.org, marines.com, and nasa.gov due to their use of CloudFront as a CDN. On these, the researchers were able to block scripts, style sheets, images, and even dynamic content.

The researchers reported the vulnerabilities to the HTTP implementation vendors and cache providers (including AWS, Microsoft, Play 1, and Flask) in February 2019 and also worked closely with them to eliminate the detected threats.

While excluding error pages from cache appears to be the most intuitive and effective countermeasure against CPDoS attacks, this could impact performance in many cases.
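The semantic gap described above and the countermeasure in the previous paragraph, as an added toy model that is not code from the article or from the researchers' paper: a shared cache with a larger header limit than its origin forwards an oversized header unchanged, the origin answers with an error, and whether every later client sees that error depends solely on whether the cache stores error responses. The header limits, paths, status codes and request shapes are all constructed assumptions.

```python
# Added example: minimal cache-in-front-of-origin model for the CPDoS
# header-oversize (HHO) case. All limits and responses are constructed.
from dataclasses import dataclass, field

CACHE_HEADER_LIMIT = 8192   # assumed per-header byte limit at the cache
ORIGIN_HEADER_LIMIT = 4096  # assumed (smaller) per-header limit at the origin


@dataclass
class Response:
    status: int
    body: str


def origin(request):
    """Constructed origin: rejects any single header larger than its limit."""
    for name, value in request["headers"].items():
        if len(name) + len(value) > ORIGIN_HEADER_LIMIT:
            return Response(400, "Bad Request")
    if request["path"] == "/index.html":
        return Response(200, "<html>welcome</html>")
    return Response(404, "Not Found")


@dataclass
class Cache:
    cache_errors: bool                 # the caching policy under test
    store: dict = field(default_factory=dict)
    origin_hits: int = 0

    def get(self, request):
        # The cache key is the path only: request headers are not part of it,
        # so one poisoned entry is served to every client asking for the path.
        key = request["path"]
        for name, value in request["headers"].items():
            if len(name) + len(value) > CACHE_HEADER_LIMIT:
                return Response(431, "Request Header Fields Too Large")
        if key in self.store:
            return self.store[key]
        resp = origin(request)         # header forwarded unchanged to the origin
        self.origin_hits += 1
        if resp.status == 200 or (self.cache_errors and resp.status >= 400):
            self.store[key] = resp
        return resp


def status_seen_by_later_clients(cache_errors):
    """One oversized-header request, then a normal client: return what it sees."""
    cache = Cache(cache_errors=cache_errors)
    # Fits under the cache's limit but exceeds the origin's limit.
    oversized = {"path": "/index.html",
                 "headers": {"X-Oversized": "A" * (ORIGIN_HEADER_LIMIT + 1)}}
    cache.get(oversized)
    normal = {"path": "/index.html", "headers": {}}
    return cache.get(normal).status
```

Running the two policies side by side shows the error-caching cache returning 400 to the clean request while the "never cache errors" cache returns 200, at the cost of one extra origin fetch.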

Related: Network DoS Attack on PLCs Can Disrupt Physical Processes

Related: Presidential Phone Alerts Can Be Spoofed, Researchers Say

Source: Researchers Warn of New Cache-Poisoned DoS Attack Method

Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey

ATLANTA — SECURITYWEEK 2019 ICS CYBER SECURITY CONFERENCE — Some of the recent cybersecurity incidents involving industrial control systems (ICS) have resulted in injury and even loss of life, according to a survey conducted by Control Systems Cyber Security Association International (CS2AI).

CS2AI is a non-profit organization focused on the growth and expansion of networking opportunities and professional development of everyone involved in the field of control systems cybersecurity. The organization, which currently has over 16,000 members worldwide, is conducting a yearly analysis of the state of ICS cybersecurity through a survey that aims to help answer key questions on how critical systems can be best protected.

Roughly 300 individuals responsible for the cybersecurity of industrial and automation systems have already taken the survey and CS2AI will publish a complete report next month, but some of the data collected so far was presented this week at SecurityWeek’s 2019 ICS Cyber Security Conference in Atlanta. The survey can be taken at any time and the data collected after the first report is published will be used for the next report.

Some of the experts present at the ICS Cyber Security Conference pointed out that many industrial organizations still don’t take cybersecurity seriously, often arguing that they haven’t been or they are unlikely to be targeted by malicious actors.

However, the survey shows — assuming that the respondents answered truthfully — that OT security incidents can have serious consequences when they do occur.

When asked about the impact of ICS security incidents experienced in the past 12 months, roughly 1% of respondents admitted that it resulted in injury and 1% said the incident led to loss of life.

There is no additional information on this handful of incidents as the data was mostly collected anonymously — respondents are given the option to provide their information if they want to register for the opportunity to win a prize.

Approximately a quarter of respondents said the incident led to operational disruptions, and many could not provide an answer due to organizational policies.

Malware-infected removable media drives were named as an attack vector by 34% of respondents, and nearly as many named email (e.g. phishing). Sixteen percent named hardware or software pre-infected with malware, 12% blamed third-party websites (e.g. watering hole attacks), and 10% blamed infected or compromised mobile devices for the incident suffered by their organization. Physical security breaches and Wi-Fi compromise were also named by some respondents.

Some organizations have admitted having control systems accessible directly from the internet, including PLCs, HMIs, servers, workstations and historians.

[Figure: ICS components accessible from the internet]

Of all the respondents, 45% have an operational role, followed by individuals in management (20%), leadership (18%) and executive roles (17%). Nearly half of the respondents are from North America and a quarter are from Europe, with the rest representing the APAC, Middle East and Latin America regions.

The top priority of many organizations is risk assessment and management, followed by network perimeter security, and business continuity. Cloud security is at the bottom of the chart and is a priority to only a handful of industrial organizations.

[Figure: ICS cyber security priorities]

When asked about the obstacles in remediating or mitigating ICS vulnerabilities, the most common answer was insufficient expertise, followed by insufficient personnel, operational requirements (e.g. flaws cannot be addressed due to mandatory uptime), insufficient financial resources, and insufficient support from leadership.

The full report from CS2AI will also present data on spending and budgets, awareness training, organizational plans, cybersecurity programs, and security assessments.

Related: Outdated OSs Still Present in Many Industrial Organizations

Related: Many ICS Vulnerability Advisories Contain Errors

Related: Organizations Investing More in ICS Cyber Security

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Source: Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey

DDoS Attack Hits Amazon Web Services

Amazon Web Services (AWS) customers experienced service interruptions yesterday as the company struggled to fight off a distributed denial-of-service (DDoS) attack.

As part of such an assault, attackers attempt to flood the target with traffic, which would eventually result in the service being unreachable.

While customers were complaining of their inability to reach AWS S3 buckets, on its status page yesterday the company revealed that it was having issues with resolving AWS Domain Name System (DNS) names.

The issues, AWS said, lasted for around 8 hours, between 10:30 AM and 6:30 PM PDT. A very small number of specific DNS names, the company revealed, experienced a higher error rate starting 5:16 PM.

While reporting on Twitter that it was investigating reports of intermittent DNS resolution errors with Route 53 and external DNS providers, Amazon also sent notifications to customers to inform them of an ongoing DDoS attack.

“We are investigating reports of occasional DNS resolution errors. The AWS DNS servers are currently under a DDoS attack. Our DDoS mitigations are absorbing the vast majority of this traffic, but these mitigations are also flagging some legitimate customer queries at this time,” AWS told customers.

The company also explained that the DNS resolution issues were also intermittently impacting other AWS Service endpoints, including ELB, RDS, and EC2, given that they require public DNS resolution.

During the outage, AWS was redirecting users to its status page, which currently shows that all services are operating normally.

One of the affected companies was Digital Ocean, which had issues with accessing S3/RDS resources inside Droplets across several regions starting October 22.

“Our Engineering team is continuing to monitor the issue impacting accessibility to S3/RDS/ELB/EC2 resources across all regions,” the company wrote on the incident’s status page at 23:25 UTC on Oct 22.

Accessibility to the impacted resources has been restored, but the company was still monitoring for possible issues, it announced yesterday.

Related: Compromised AWS API Key Allowed Access to Imperva Customer Data

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: Mirai-Based Botnet Launches Massive DDoS Attack on Streaming Service

Source: DDoS Attack Hits Amazon Web Services

Microsoft, NIST to Partner on Best Practice Patch Management Guide

NIST’s National Cybersecurity Center of Excellence (NCCoE) has partnered with Microsoft to develop concise industry guidance and standards on enterprise best practice patch management.

The pair is also calling on vendors and organizations to join the effort, including those that provide technology offerings for patch management support or those with successful enterprise patch management experience.

According to Mark Simos, Microsoft’s Cybersecurity Solutions Group lead cybersecurity architect, the effort began following the massive 2017 WannaCry cyberattack. Microsoft released a patch for the targeted flaw months before the global cyber incident, but many organizations failed to patch, which allowed the malware to proliferate.

“We learned a lot from this journey, including how important it is to build clearer industry guidance and standards on enterprise patch management,” Simos wrote.

Over the last year, NCCoE and Microsoft have worked closely with the Center for Internet Security, Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (CISA) to better understand the risks and necessary patching processes.

The groups also sat down with their customers to better understand the challenges and just why organizations aren’t applying timely patches. Microsoft found that many organizations were struggling with determining the right type of testing to use for patch testing, as well as just how quickly patches should be applied.

The project will include building a common enterprise patch management reference architecture and processes. Vendors will also build and validate implementation instructions at the NCCoE lab, and the results will be shared in a NIST Special Publication as a practice guide.

For the healthcare sector, a patch management guide would be critical as industry stakeholders have long stressed that patching issues have added significant vulnerabilities to a sector that heavily relies on legacy platforms.

In March, CHIME told Sen. Mark Warner, D-Virginia, that patching, data inventory, and a lack of regulatory alignment are some of healthcare’s greatest vulnerabilities.

To NIST, the issue goes beyond awareness, as there is widespread agreement that patching can be effective at mitigating some security risks. Organizations are challenged by the resource-intensive patching process, as well as by concern that patching can reduce system and service availability.

Often, attempts to expedite the process, such as not testing patches before production deployment, can inadvertently break system functionality and disrupt business operations, NIST officials explained. However, patching delays increase the risk that an attacker will take advantage of system vulnerabilities.

For NIST, the partnership with Microsoft will examine how both commercial and open-source tools can help with some of the biggest challenges of patching, including “system characterization and prioritization, patch testing, and patch implementation tracking and verification.”

Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge throughout the device lifecycle.

“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” Simos explained. “In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide.”

“This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology,” he added. “Ultimately, we want to make it easier for everyone to do the right thing and are issuing this call to action.”

Interested stakeholders should visit the NCCoE posting in the Federal Register for more information.

Source: Microsoft, NIST to Partner on Best Practice Patch Management Guide