DigiCert DCV issue, Sitting Ducks and more - This Week In Security

ArvinF is your editor of F5 SIRT's This Week In Security, covering 28 July to 3 August 2024.

A few weeks back we witnessed one of the biggest IT-related outages to date: the CrowdStrike Falcon sensor update that caused BSODs on Windows systems. The previous TWIS, (Didn't)KnowBe4, (In)Secure Boot, 91Won't, and, of course, CrowdStrike | DevCentral, has a great summary of it. Let's see what we have in this week's edition.

DigiCert DCV issue

DigiCert, a certificate authority, had to revoke TLS certificates due to improper Domain Control Verification (DCV). One of the verification methods is the customer adding a DNS CNAME record that includes a random value provided to them by DigiCert. This random value must be prefixed with an underscore.

It turns out that during DigiCert CertCentral  application's migration/modernization back in 2019,  the legacy code that added the prefix underscore character was not removed. 

Per DigiCert's RCA, this missing code/functionality was not caught during testing, and no review was done to compare the old and new random-value implementations.

Without the underscore prefix, this flaw can potentially cause CNAME collisions: the random value DigiCert generated for DCV use could match a CNAME that an organization already uses for its own domain.
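To make the defect concrete, here is an added example (not DigiCert's code) that builds the DCV CNAME owner name two ways, the underscore-prefixed legacy path and a constructed stand-in for a path that forgot the prefix, and runs the two checks a release review could have applied: does the label start with an underscore, and could the owner name collide with a record already in the customer's zone? The zone names, the domain `example.com` and the value `abc123` are constructed sample inputs.

```python
import re
import secrets

# CA/Browser Forum rules require the DCV random value to sit under a label that
# begins with an underscore. Hostname labels cannot start with "_", so an
# underscore-prefixed owner name can never be mistaken for a real host record.
DCV_LABEL = re.compile(r"^_[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def generate_random_value(nbytes: int = 16) -> str:
    """Random value the CA hands to the customer for one validation request."""
    return secrets.token_hex(nbytes)


def legacy_dcv_label(value: str) -> str:
    """Legacy path, as the post describes it: the prefix is added in code."""
    return "_" + value


def modernized_dcv_label_buggy(value: str) -> str:
    """Constructed stand-in for the defect: the prefix step is absent, so the
    raw random value becomes the CNAME label."""
    return value


def is_valid_dcv_label(label: str) -> bool:
    """CABF-style check: underscore prefix, then ordinary label characters."""
    return DCV_LABEL.fullmatch(label) is not None


def implementations_agree(value: str) -> bool:
    """The comparison the RCA says was never done: do the old and new paths
    emit the same label for the same random value?"""
    return legacy_dcv_label(value) == modernized_dcv_label_buggy(value)


def audit_dcv_owner_name(label: str, domain: str, zone_names: set) -> list:
    """Findings for a proposed DCV CNAME owner name `<label>.<domain>`.
    zone_names is the set of owner names already present in the zone."""
    findings = []
    if not is_valid_dcv_label(label):
        findings.append("label lacks underscore prefix")
    owner = f"{label}.{domain}"
    if owner in zone_names:
        findings.append(f"owner name {owner} collides with an existing record")
    return findings


if __name__ == "__main__":
    # Constructed zone: the customer already has a host called abc123.
    zone = {"www.example.com", "mail.example.com", "abc123.example.com"}
    value = "abc123"  # constructed value that happens to match that host
    print("old and new paths agree:", implementations_agree(value))
    for build in (legacy_dcv_label, modernized_dcv_label_buggy):
        label = build(value)
        print(build.__name__, label, audit_dcv_owner_name(label, "example.com", zone))
```

Run as a script it prints no findings for the legacy label and two findings for the buggy one; `implementations_agree` is the one-line regression test that would have flagged the divergence before release.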

Per strict CA/Browser Forum (CABF) rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception.

This now becomes a headache for DigiCert's customers, approximately 7,000 of them, who must replace these TLS certificates that will fail DCV checks.

I hope these affected customers have automation tools and integration in place to replace TLS certificates on fleets of web servers, load balancers and systems and make use of applicable deployment options - Rolling, Canary, A/B Testing, etc - to minimize downtime.

What strikes me about this DigiCert issue is that we just saw CrowdStrike's failure to test an update to their Falcon sensor, which caused numerous systems to BSOD.

As an industry, we should aim to deploy secure applications and services.

DigiCert gives unlucky folks 24 hours to replace doomed certificates after code blunder

https://www.theregister.com/2024/07/31/digicert_certificates_revoked/

More than 83K certs from nearly 7K DigiCert customers must be swapped out now

https://www.theregister.com/2024/07/31/digicert_certificates_extension/

DigiCert Revocation Incident (CNAME-Based Domain Validation)

https://www.digicert.com/support/certificate-revocation-incident

Sitting Ducks DNS attack

In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner’s account at either the DNS provider or registrar. Once the actor has control of the domain, they can conduct any form of malicious activity under the guise of the legitimate owner. This includes malware delivery, phishing campaigns, brand impersonation and data exfiltration. Exploitable domains are not rare; we estimate that over a million domains are exploitable on any given day and we have identified multiple methods to identify vulnerable domains.

  1. A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation.
  2. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service.
  3. The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore can not resolve queries or subdomains.
  4. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar.
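The four conditions above can be turned into an inventory check an organization runs over its own domains. The following is an added example, not Infoblox's code: a resolver function is injected so the audit runs offline against constructed answers here (a live run would query the delegated name servers for the zone's SOA). Whether a provider lets a new account claim a zone without proof of ownership cannot be learned from DNS alone, so the example takes that as a caller-supplied set; the domains, name servers and provider names are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DnsAnswer:
    rcode: str                                  # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL"
    records: list = field(default_factory=list)  # answer records, e.g. SOA text


def provider_of(ns: str) -> str:
    """Approximate provider by the last two labels of the name server name."""
    return ".".join(ns.rstrip(".").split(".")[-2:])


def audit_delegation(domain, registrar_domain, delegated_ns, query, claimable_providers):
    """
    domain               name to audit
    registrar_domain     domain of the registrar's own name servers
    delegated_ns         NS names published in the parent zone for `domain`
    query(server, name, rtype) -> DnsAnswer   caller-supplied resolver
    claimable_providers  providers the operator has reviewed and found to let a
                         new account claim a zone without ownership proof
    """
    providers = {provider_of(ns) for ns in delegated_ns}
    finding = {"domain": domain}
    # Condition 1/2: authoritative DNS lives with someone other than the registrar.
    finding["delegated_to_third_party"] = any(p != registrar_domain for p in providers)
    # Condition 3: a delegated server that does not answer authoritatively for
    # the zone (refuses, fails, or has no SOA) makes the delegation lame.
    lame = []
    for ns in delegated_ns:
        ans = query(ns, domain, "SOA")
        if ans.rcode != "NOERROR" or not ans.records:
            lame.append(ns)
    finding["lame_servers"] = lame
    finding["lame"] = bool(lame)
    # Condition 4: the provider allows the zone to be claimed by a new account.
    finding["claimable_provider"] = any(p in claimable_providers for p in providers)
    finding["sitting_ducks_candidate"] = (
        finding["delegated_to_third_party"] and finding["lame"] and finding["claimable_provider"]
    )
    return finding


# Constructed answers standing in for live DNS queries.
SAMPLE_ANSWERS = {
    ("ns1.authdns-b.example", "brand.example", "SOA"): DnsAnswer("REFUSED"),
    ("ns2.authdns-b.example", "brand.example", "SOA"): DnsAnswer("REFUSED"),
    ("ns1.registrar-a.example", "healthy.example", "SOA"): DnsAnswer(
        "NOERROR", ["ns1.registrar-a.example. hostmaster.healthy.example. 2024080101"]),
}


def fake_query(server, name, rtype):
    return SAMPLE_ANSWERS.get((server, name, rtype), DnsAnswer("SERVFAIL"))


def run_sample_audit():
    claimable = {"authdns-b.example"}  # constructed: provider found claimable in review
    return [
        audit_delegation("brand.example", "registrar-a.example",
                         ["ns1.authdns-b.example", "ns2.authdns-b.example"],
                         fake_query, claimable),
        audit_delegation("healthy.example", "registrar-a.example",
                         ["ns1.registrar-a.example"], fake_query, claimable),
    ]


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f)
```

`brand.example` mirrors the figure's scenario (delegated to a lapsed third-party provider that refuses the zone) and is flagged; `healthy.example` stays with the registrar's own servers, answers with an SOA, and is not. Domains that are lame but delegated to a provider not in the claimable set still surface via `lame_servers`, which is the list worth cleaning up regardless.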

Who Knew? Domain Hijacking Is So Easy

https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/

Figure: A common Sitting Ducks attack sequence

  • a domain, brand[.]com, is registered with Registrar A by Brand Inc.
  • the domain owner, Brand Inc., establishes authoritative DNS services with the provider Auth DNS B, which may optionally be the web hosting provider
  • the domain brand[.]com is used by Brand Inc. as a website
  • after some time, Brand Inc. no longer actively uses the domain brand[.]com, but retains ownership of the domain name through Registrar A
  • the authoritative DNS, or web hosting, service for brand[.]com with Auth DNS B expires
  • the attacker creates an account with provider Auth DNS B
  • the attacker “claims” the domain brand[.]com
  • the attacker creates a fake Brand Inc. website and configures DNS at Auth DNS B to resolve IP address record requests to the fake website address
  • the attacker sends phishing emails to victims impersonating Brand Inc.
  • the victim is infected with malware
  • the legitimate domain owner Brand Inc. attempts to configure DNS records for brand[.]com at DNS provider Auth DNS B and is denied

A stricter verification process when registering and modifying registered domains at the DNS provider would have helped mitigate this.

The recommendations section of Infoblox's article provides guidance on mitigation: "Everyone has a role in stopping Sitting Ducks attacks."

Russia takes aim at Sitting Ducks domains, bags 30,000+

https://www.theregister.com/2024/07/31/domains_with_delegated_name_service/

The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean

https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/

OneBlood ransomware attack

A ransomware attack against blood-donation nonprofit OneBlood, which services more than 250 American hospitals, has "significantly reduced" the org's ability to take, test, and distribute blood.

In a notice today, OneBlood revealed the intrusion disrupted a "software system," and had forced the organization to use manual processes and procedures to remain operational. The outfit provides blood for healthcare facilities across Florida, Georgia, North Carolina, and South Carolina.

This attack on OneBlood is fairly similar to what happened to Synnovis in June, orchestrated by the threat group Qilin.

CDK breach, Qilin Synnovis attack, Velvet Ant and Nobelium Threat Groups | DevCentral 

Organizations should implement cybersecurity mitigation strategies and have a culture of security. The way I see it, any organization is a gateway / pivot point for threat groups to a much larger target. By protecting an organization's systems, we block one more path to other targets.

Ransomware infection cuts off blood supply to 250+ hospitals

https://www.theregister.com/2024/07/31/ransomware_blood_supply_hospital/

Germany does not like China hacking its infrastructure 

A suspected Chinese state-sponsored cyber-attack on Germany's geospatial agency, the BKG, was not taken kindly.

Germany's Federal Minister of the Interior declared, "This serious cyber-attack on a federal authority shows how great the danger is from Chinese cyber-attacks," and called on China to "refrain from and stop such cyber-attacks."

The report notes that the attack was intended for espionage: "The attackers compromised end devices belonging to private individuals and companies in order to use them for their attack (use of so-called obfuscation networks)."

This news came out at the same time as the US pondered further sanctions on tech exports to China, this time covering high-bandwidth memory (HBM) and the kit to make it. HBM is needed in GPUs and servers capable of running AI workloads at decent speed, and the United States is concerned that China will use such hardware to advance its military capabilities.

My comment on the OneBlood article applies here as well: implement cybersecurity mitigation strategies and have a culture of security.

Germany names China as source of attack on government geospatial agency

https://www.theregister.com/2024/08/01/germany_accuses_china_of_cyberattack/

A serious cyberattack on the Federal Office of Cartography and Geodesy can be attributed to Chinese state attackers and was used for espionage

US Weighs Restrictions on China’s Access to AI Memory Chips

Update on UK NCSC ACD - 2.0

The UK's National Cyber Security Centre (NCSC) says it's in the planning stages of bringing a new suite of services to its existing Active Cyber Defence (ACD) program.

Per NCSC's blog, "Active Cyber Defence (ACD) seeks to reduce the harm from commodity cyber-attacks by providing tools and services that protect from a range of attacks."

"In pursuit of this goal, we have set these principles for ACD 2.0:

The NCSC will only deliver solutions where the market is not able to – whether that’s due to our unique position in government, scaling abilities, capabilities or authorities

The NCSC will look to divest most of our new successful services within 3 years – to another part of government or the private sector to run on an enduring basis"

I think that advancing and addressing gaps in cyber-security solutions is a great effort. Consulting academia and industry is also critical, as these organizations provide insights, ideas and expertise that a government may have limited resources for.

UK plans to revamp national cyber defense tools are already in motion

https://www.theregister.com/2024/08/02/uk_ncscs_plans_to_revamp/

Introducing Active Cyber Defence 2.0

https://www.ncsc.gov.uk/blog-post/introducing-active-cyber-defence-2

EvilProxy phishing kit used in millions of attacks

The developers of EvilProxy, a phishing kit dubbed the "LockBit of phishing", have produced guides on using legitimate Cloudflare services to disguise malicious traffic. This adds to the ever-growing arsenal of tools that let criminals who lack actual technical expertise get into the digital thievery biz.

The attack starts with a phishing email that purports to be from a trusted service like Cloudflare, Adobe, or DocuSign. These messages include a link redirecting users through legitimate websites such as YouTube or SlickDeals. In this step, the attacker encodes the username within the URL. After a series of redirections, ultimately, the user is redirected to the actual phishing website that mimics the victim organization's Microsoft login page. It is deployed using the EvilProxy phishing framework, which can fetch content dynamically from the real login site, and it functions as a reverse proxy, sending the victim to the actual website. This allows the criminals to intercept server requests and responses, thus enabling attacker-in-the-middle scenarios.

The attacker can then steal session cookies and MFA tokens, which allow them to sign in to legitimate Microsoft accounts.

"While most EvilProxy campaigns are not attributable to tracked threat actors, Proofpoint has seen at least two notable threat actors recently adopt the use of EvilProxy: TA4903 and TA577," Blackford wrote.

Similarly, TA4903 – better known for business email compromise (BEC) attacks – has used EvilProxy for credential phishing expeditions in pursuit of email inbox access, business email compromise (BEC), and follow-on phishing campaigns.

The rise in EvilProxy and similar phishing kits illustrates the need for network defenders to use phishing-resistant MFA such as FIDO-based physical security keys as well as cloud security tools that detect initial account compromise and post-compromise activities, according to Proofpoint and Menlo.

Additionally, user awareness and ongoing employee training are always important to protect against phishing and other threats.
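Why does the reverse-proxy setup described above capture OTP codes and session cookies but not FIDO logins? Because the browser writes the origin it actually loaded the page from into the signed client data, and the relying party rejects any origin it does not expect. The block below is an added example, not code from Proofpoint, Menlo or the EvilProxy kit: it models the WebAuthn assertion ceremony with the standard library only. The `ToyAuthenticator` uses an HMAC key shared with the relying party as a stand-in for a real authenticator's per-site private key (a simplification made so the example runs offline), and the origins `https://login.example.com` and `https://login.example-evil.test` are constructed.

```python
import hashlib
import hmac
import json
import secrets


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class ToyAuthenticator:
    """Stand-in for a FIDO authenticator. Real devices sign with a per-site
    private key; a shared HMAC key is used here (constructed simplification)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, challenge: str, page_origin: str):
        # The browser, not the page script, fills in `origin` from the URL the
        # page was loaded from. Behind a reverse proxy that is the proxy's origin.
        # (A real browser would also refuse to use RP ID example.com from an
        # unrelated origin; the toy skips that so the RP-side check is visible.)
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True).encode()
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")  # flags UP, counter
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self.key, to_sign, hashlib.sha256).digest()
        return client_data, auth_data, signature


def rp_verify(auth, expected_origin, expected_rp_id, issued_challenge,
              client_data, auth_data, signature) -> str:
    """Relying-party checks in the order a WebAuthn server performs them."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if not hmac.compare_digest(c.get("challenge", ""), issued_challenge):
        return "rejected: challenge mismatch"
    if c.get("origin") != expected_origin:
        # This is the check that defeats a relaying proxy: the challenge and
        # signature are genuine, but they were produced for the wrong origin.
        return f"rejected: origin {c.get('origin')} != {expected_origin}"
    if auth_data[:32] != rp_id_hash(expected_rp_id):
        return "rejected: rpIdHash mismatch"
    expected = hmac.new(auth.key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    return "accepted"


def login_attempt(page_origin: str) -> str:
    """One ceremony where the user's browser loaded the login page from
    `page_origin`; the RP is https://login.example.com with RP ID example.com."""
    rp_origin, rp_id = "https://login.example.com", "example.com"
    auth = ToyAuthenticator()
    challenge = secrets.token_urlsafe(32)  # issued by the RP; a proxy relays it unchanged
    cd, ad, sig = auth.get_assertion(rp_id, challenge, page_origin)
    return rp_verify(auth, rp_origin, rp_id, challenge, cd, ad, sig)


if __name__ == "__main__":
    print("direct login:   ", login_attempt("https://login.example.com"))
    print("through a proxy:", login_attempt("https://login.example-evil.test"))
```

The proxied attempt fails at the origin check even though the challenge it relayed is the real one and the signature over it is valid; a relayed OTP code or password has no such binding, which is why the session cookies from those flows are usable by the attacker.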

'LockBit of phishing' EvilProxy used in more than a million attacks every month

https://www.theregister.com/2024/07/30/evilproxy_phishing_kit_analysis/

How about some revenge - wasting angry scammers' time

Scamming has destroyed many. These include the elderly and everyday people. It's heartbreaking to see or know that an elderly person's hard-earned savings go to scammers. Very likely, the details these scammers use to track down potential victims came from a breach of an organization.

I saw these YouTube videos where the scammers' time was wasted. That takes away time they would otherwise spend scamming other potential victims. These videos are somewhat of a revenge, but I think the key takeaway is the awareness that we should help and educate potential scam victims. If you don't know who is on the line and you do not expect a call, be vigilant and careful about the actions the caller may ask you to take. If it does not make sense, drop the call. Good on this YouTuber.

My Best Revenge Scam Call Ever - Extreme Scammer Rage - 1 mo ago

I Trapped 200 Scammers in an Impossible Maze - 9 mos ago

The Angriest Scammer I've Ever Called: Steve - 3 yrs ago

Till next time

Be safe and secure. Let's be vigilant and protect our organizations and community from potential cyber security threats. I'll see you next time when my turn comes up.

As always, if this is your first TWIS, you can always read past editions. I also encourage you to check out all of the content from the F5 SIRT.

Published Aug 11, 2024
Version 1.0