AI-generated phishing emails are getting very good at targeting executives
(TLP: CLEAR) Corporate executives are facing a surge in hyper-personalized phishing scams generated by artificial intelligence (AI), as advancements in technology make sophisticated cybercrime more accessible. Companies such as British insurer Beazley and eBay warn that these scams often include personal details obtained through AI-driven analysis of online profiles. AI tools can scrape vast amounts of information about an individual or organization, mimicking their tone and style to craft convincing phishing emails. These attacks are particularly effective at bypassing traditional email filters and security training, as AI can rapidly generate unique and highly targeted messages. Experts note that the accessibility of generative AI has lowered the entry barriers for advanced cybercrime, with polished scams now being created at scale. This trend coincides with a broader increase in cyberattacks, with over 90% of successful breaches beginning with phishing. Such scams, especially business email compromise (BEC) attacks, have inflicted global losses exceeding $50 billion since 2013, with the average cost of a data breach rising to $4.9 million in 2024. As AI continues to evolve, its ability to exploit vulnerabilities in both human and technical systems presents growing challenges for cybersecurity defenses.
(TLP: CLEAR) Comments: Cybersecurity professionals are grappling with a new wave of sophisticated phishing attacks powered by artificial intelligence (AI). AI algorithms can now analyze vast amounts of personal data to create hyper-personalized phishing emails that mimic the writing style and tone of known contacts. These AI-driven attacks are highly effective at bypassing traditional security measures, as they are unique and highly targeted. The accessibility of generative AI has lowered the barrier to entry for cybercriminals, enabling them to launch large-scale phishing campaigns with ease. This trend poses a significant threat to organizations worldwide, as phishing remains a primary vector for successful cyberattacks, leading to substantial financial losses and reputational damage.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
New DoubleClickjacking attack exploits double-clicks to hijack accounts
(TLP: CLEAR) A new variation of clickjacking, dubbed “DoubleClickjacking,” allows attackers to bypass existing clickjacking protections and trick users into authorizing sensitive actions with a double-click. Traditional clickjacking overlays a transparent iframe of a legitimate page on top of an attacker-controlled page so that the victim unknowingly clicks elements of the framed page. DoubleClickjacking, described by security researcher Paulos Yibelo, instead exploits the timing gap between the two clicks of a double-click. The victim is lured into clicking a button on a malicious page, which opens a new window or overlay with a further prompt, such as a captcha that asks for a double-click. As the first click begins, the overlay is closed and the underlying window is navigated to the legitimate site, so the second click lands on a sensitive element of that site, such as an authorization button or link. Demonstrated outcomes include approving OAuth applications, installing browser plugins, and accepting multi-factor authentication prompts. DoubleClickjacking is particularly dangerous because the legitimate site is loaded in a normal top-level window rather than an iframe, so framing defenses such as X-Frame-Options or CSP frame-ancestors, and SameSite cookie protections, do not apply. Demonstrations have shown successful exploitation against platforms like Shopify, Slack, and Salesforce, and the technique can also target browser extensions and mobile devices through similar “DoubleTap” methods. To mitigate this threat, Yibelo recommends client-side JavaScript that keeps sensitive buttons disabled until a deliberate gesture, such as mouse movement or a key press, is detected on the page, and, longer term, a browser-enforced HTTP header that limits rapid context switching during a double-click sequence.
(TLP: CLEAR) Comments: DoubleClickjacking combines the deception of classic clickjacking with a race against the user’s own double-click. The attacker does not overlay anything on the legitimate site; the attacker’s page is what the user sees when the double-click starts, and the legitimate site is swapped into the same window before the second click arrives. The first click interacts with the attacker’s prompt as expected, while the second click, which the user believes is still part of the same gesture, lands on a real button of the target site. Because the victim is already logged in to that site in a normal top-level window, the click carries full session authority and can approve transactions, grant OAuth or browser-extension permissions, or accept MFA prompts without the user’s awareness. The danger lies in its ability to bypass clickjacking defenses that assume the target is framed and that a single click is the unit of interaction, making it a meaningful threat to any site with one-click sensitive actions.
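The following is an added example illustrating the client-side mitigation described above; it is not code from the original bulletin or from Yibelo’s write-up. It shows the logic a defended site would run: sensitive controls stay inert until the user has made a deliberate gesture (pointer movement or key press) on this page after it was shown or focused. The 500 ms dwell time, the data-sensitive attribute name, and the event shapes are assumptions of this example.

```javascript
// Added example: a click guard for the *defended* site against DoubleClickjacking.
// The second click of a double-click that began on the attacker's page arrives
// right after this page was navigated into view and before the user has moved
// the pointer or typed anything here, so it fails both conditions below.

const DEFAULT_ARM_DELAY_MS = 500; // assumption: minimum dwell time after the page is shown

// Pure state machine so the decision can be unit-tested outside a browser.
// Events are simplified to { type, time } with time in milliseconds.
function createClickGuard({ armDelayMs = DEFAULT_ARM_DELAY_MS, shownAtMs = null } = {}) {
  let shownAt = shownAtMs;   // when this document was (re)shown or focused
  let gestureSeen = false;   // a pointermove or keydown happened since then

  return {
    // Returns true only for a click that should be honoured.
    handle(ev) {
      switch (ev.type) {
        case 'pageshow':     // fresh load, or the attacker navigated the opener to us
        case 'focus':        // window brought to the foreground (the popup just closed)
          shownAt = ev.time;
          gestureSeen = false;
          return false;
        case 'pointermove':
        case 'keydown':
          gestureSeen = true;
          return false;
        case 'click':
          return this.isArmed(ev.time);
        default:
          return false;
      }
    },
    // Armed = page visible long enough AND the user moved or typed since it appeared.
    isArmed(now) {
      return shownAt !== null && gestureSeen && now - shownAt >= armDelayMs;
    },
  };
}

// Browser wiring: mark sensitive controls with data-sensitive (assumed attribute
// name) and install the guard in the capture phase so it runs before the
// application's own click handlers. Returns null outside a browser.
function protectSensitiveButtons(win = globalThis.window) {
  if (!win || !win.document) return null;
  const guard = createClickGuard({ shownAtMs: win.performance.now() });
  const feed = (type) => (e) => guard.handle({ type, time: e.timeStamp });
  win.addEventListener('pageshow', feed('pageshow'));
  win.addEventListener('focus', feed('focus'));
  win.addEventListener('pointermove', feed('pointermove'));
  win.addEventListener('keydown', feed('keydown'));
  win.document.addEventListener('click', (e) => {
    const sensitive = e.target.closest && e.target.closest('[data-sensitive]');
    const allowed = guard.handle({ type: 'click', time: e.timeStamp });
    if (sensitive && !allowed) {
      e.preventDefault();
      e.stopImmediatePropagation(); // the application's handlers never see this click
    }
  }, true);
  return guard;
}

protectSensitiveButtons(); // no-op when run under Node
```

The guard is deliberately conservative: a focus or pageshow event resets the gesture requirement, because in the attack the legitimate page gains focus immediately before the second click lands. Legitimate users pay only a brief delay on their first click after a page load.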
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
EAGERBEE malware expands arsenal with advanced payloads & command shells
(TLP: CLEAR) The EAGERBEE malware, a sophisticated backdoor linked to cyberespionage campaigns in the Middle East and Southeast Asia, has undergone significant updates, making it a more potent threat to governmental entities and ISPs. Recent updates include enhanced payload deployment and command shell functionalities, alongside new components such as a service injector that embeds the malware into legitimate Windows services like the Themes service to evade detection and ensure persistence. The malware uses plugins for various tasks, including file system manipulation, remote access management, process exploration, network reconnaissance, and service control, enabling advanced espionage and data exfiltration. A key feature is its ability to execute remote command shells, allowing attackers to perform reconnaissance, deploy payloads, and modify system configurations. Infection is facilitated through a backdoor injector (tsvipsrv.dll) and payload file (ntusers0.dat), executed via the SessionEnv service, with EAGERBEE gathering detailed system information and operating based on predefined schedules to avoid detection. Communication with its command-and-control servers is established using both IPv4 and IPv6, often with SSL encryption, while the malware retrieves proxy settings from the victim’s registry to ensure connectivity. Notably, EAGERBEE’s Plugin Orchestrator (ssss.dll) acts as a central hub, managing plugins and reporting back to the attackers. Analysis links EAGERBEE to the CoughingDown group and potentially to Chinese state-sponsored actors like APT27 (LuckyMouse). Its recent evolution underscores the persistent innovation of advanced threat actors, with EAGERBEE’s ability to dynamically deploy payloads, evade detection, and execute advanced post-exploitation activities posing significant challenges for defenders. 
Experts recommend strengthening defenses through robust endpoint protection, monitoring for unusual service activity, timely patching, and proactive threat hunting to mitigate this growing threat.
(TLP: CLEAR) Comments: EAGERBEE is a sophisticated malware framework known for its in-memory operations, making it difficult to detect. This “technically straightforward backdoor” employs features like encrypted communication channels for persistent access and control over compromised systems. Notably, Chinese state-aligned threat actors, including the notorious APT27 group (also known as Emissary Panda), have leveraged EAGERBEE in their cyber espionage campaigns. APT27 is a highly active group known for targeting various sectors, including government, defense, and technology, to steal intellectual property and sensitive data. Their operations often involve phishing emails and exploiting vulnerabilities to gain initial access to target systems.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Source: https://cybersecuritynews.com/eagerbee-malware-expands-arsenal/
DDoS disrupts Japanese mobile giant Docomo
(TLP: CLEAR) Japan’s largest mobile operator, NTT Docomo, experienced a 12-hour service disruption on January 2 due to a DDoS attack that caused network congestion. The incident, which affected services like the “goo” web portal, Lemino video streaming, dpay billing, and “Golf me” golf-round service, was resolved, though some content updates were delayed. While mobile phone services remained unaffected, the attack highlights the vulnerability of telecommunications providers to DDoS and ransomware attacks due to their low tolerance for outages. This incident follows a series of DDoS attacks on Japanese companies in late December and an earlier ransom demand targeting NTT Docomo in 2023. Reports indicate a significant rise in DDoS attacks globally, with a 102% increase in the first half of 2024 compared to 2023, and a sharp surge in attacks on telecom networks. The perpetrators of this latest attack remain unidentified.
(TLP: CLEAR) Comments: The recent 12-hour service disruption experienced by NTT Docomo, Japan’s largest mobile operator, underscores the growing vulnerability of telecommunications providers to cyberattacks. This DDoS attack, which impacted various services, including online portals and streaming platforms, highlights the criticality of these networks and their low tolerance for outages. The incident follows a concerning trend of increasing DDoS attacks globally, with a sharp surge targeting telecom networks. This attack, coupled with the earlier ransom demand targeting NTT Docomo, emphasizes the evolving nature of cyber threats, where DDoS attacks are increasingly used as a precursor to more disruptive attacks like ransomware. The perpetrators of this latest attack remain unidentified, highlighting the ongoing challenge of attributing and mitigating these sophisticated cyber threats.
(TLP: CLEAR) Recommended best practices/regulations: Request for Comments (RFC) 2827/Best Current Practice (BCP) 38: “Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community as a whole to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.”
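As an added example (not part of the bulletin or of RFC 2827 itself), the decision BCP 38 asks an edge router to make is written out below as code: for each customer-facing interface the provider knows which prefixes it has assigned, and a packet arriving on that interface with a source address outside those prefixes is spoofed or misrouted and is dropped. Interface names, prefixes, and sample packets are constructed for the example.

```javascript
// Added example: BCP 38 / RFC 2827 ingress filtering as a decision function.
// Real routers implement the same check as an ingress ACL or strict-mode
// unicast reverse-path forwarding; this code only makes the logic visible.

function ipv4ToInt(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${addr}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d+$/.test(p) || n > 255) throw new Error(`bad IPv4 address: ${addr}`);
    return acc * 256 + n;
  }, 0);
}

function parseCidr(cidr) {
  const [net, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (ipv4ToInt(net) & mask) >>> 0, mask };
}

function inPrefix(addr, prefix) {
  return ((ipv4ToInt(addr) & prefix.mask) >>> 0) === prefix.base;
}

// Build a filter from an interface -> assigned-prefixes table.
function buildIngressFilter(assignments) {
  const table = new Map();
  for (const [iface, cidrs] of Object.entries(assignments)) {
    table.set(iface, cidrs.map(parseCidr));
  }
  // Returns { action: 'forward' | 'drop', reason }
  return function filter(packet) {
    const prefixes = table.get(packet.inIface);
    if (!prefixes) return { action: 'drop', reason: `unknown interface ${packet.inIface}` };
    if (prefixes.some((p) => inPrefix(packet.src, p))) {
      return { action: 'forward', reason: 'source within assigned prefixes' };
    }
    // This is the BCP 38 drop: the customer cannot legitimately originate this source.
    return { action: 'drop', reason: `spoofed source ${packet.src} on ${packet.inIface}` };
  };
}

// Constructed example: two customer links on an ISP edge router (documentation prefixes).
const ASSIGNMENTS = {
  'ge-0/0/1': ['203.0.113.0/24'],
  'ge-0/0/2': ['198.51.100.0/25', '192.0.2.0/28'],
};

const ingress = buildIngressFilter(ASSIGNMENTS);

// Constructed sample packets as the router would see them on ingress.
const SAMPLE_PACKETS = [
  { inIface: 'ge-0/0/1', src: '203.0.113.77', dst: '198.51.100.10' }, // legitimate
  { inIface: 'ge-0/0/1', src: '198.51.100.5', dst: '203.0.113.9' },   // customer A spoofing B's space
  { inIface: 'ge-0/0/2', src: '192.0.2.7', dst: '203.0.113.1' },      // legitimate, second prefix
  { inIface: 'ge-0/0/2', src: '10.0.0.1', dst: '203.0.113.1' },       // private source, never valid here
];

function tallyActions(packets, filter = ingress) {
  const counts = { forward: 0, drop: 0 };
  for (const pkt of packets) counts[filter(pkt).action] += 1;
  return counts;
}
```

Note that the filter is applied per ingress interface, not globally: the same source address is valid on the link it was assigned to and spoofed everywhere else. That is also what lets a provider that enforces BCP 38 state categorically which customer link an attack came through.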
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://www.infosecurity-magazine.com/news/ddos-disrupts-japanese-mobile/
Green Bay Packers’ online store hacked to steal credit cards
(TLP: CLEAR) The Green Bay Packers have disclosed a data breach on their official online retail store, packersproshop.com, caused by a card skimmer script injected by a threat actor. The breach, active between late September and October 23, 2024, exposed customers’ personal and payment information, including names, addresses, email addresses, and credit card details. Payments made using gift cards, PayPal, Amazon Pay, or Pro Shop accounts were unaffected. The Packers disabled checkout capabilities upon discovering the breach on October 23 and launched an investigation with external cybersecurity experts. The malicious script exploited JSONP callbacks and YouTube’s oEmbed feature to bypass Content Security Policy (CSP) protections, exfiltrating data to a third-party domain. While the number of affected customers is undisclosed, the team is offering three years of free credit monitoring and identity theft protection through Experian. Customers are advised to monitor financial accounts for fraud and report suspicious activity to banks and authorities. This incident follows a similar 2022 ransomware attack on the San Francisco 49ers, highlighting persistent threats to sports organizations’ digital operations.
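The CSP bypass described above comes down to a policy that allowlists an entire origin for scripts. As an added example (not code from the Packers’ store or from the incident report), the small linter below parses a Content-Security-Policy header, flags host-based script-src allowlists, which let any JSONP-style callback endpoint on the allowed origin load attacker-chosen code, and produces the nonce-based form that closes the hole. The sample policies and the nonce value are constructed for the example.

```javascript
// Added example: audit a CSP header for the weakness behind the skimmer's bypass.
// An allowlisted origin such as https://www.youtube.com also allowlists every
// endpoint on it that echoes a caller-supplied callback name into its response,
// so <script src="https://www.youtube.com/oembed?...&callback=ATTACKER_FN">
// executes with the page's blessing.

const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
  "'report-sample'", "'wasm-unsafe-eval'", "'unsafe-hashes'",
]);

// Split "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function isNonceOrHash(src) {
  return /^'(nonce-|sha(256|384|512)-)/i.test(src);
}

// Returns human-readable findings; an empty array means nothing was flagged.
function auditScriptSrc(header) {
  const d = parseCsp(header);
  const sources = d['script-src'] || d['default-src']; // script-src falls back to default-src
  const findings = [];
  if (!sources) {
    findings.push('no script-src or default-src: scripts may load from any origin');
    return findings;
  }
  const hasNonceOrHash = sources.some(isNonceOrHash);
  const strictDynamic = sources.includes("'strict-dynamic'");
  for (const src of sources) {
    if (KEYWORDS.has(src) || isNonceOrHash(src)) continue;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      findings.push(`scheme source ${src} allows any host over that scheme`);
      continue;
    }
    // With 'strict-dynamic' present, browsers ignore host sources entirely,
    // so an allowlisted origin is only exploitable without it.
    if (!strictDynamic) {
      findings.push(`host allowlist ${src}: any JSONP/callback endpoint on this origin can load attacker-chosen code`);
    }
  }
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' without a nonce or hash: injected inline scripts run");
  }
  return findings;
}

// Hardened form: a per-response nonce plus 'strict-dynamic'. The nonce must be
// freshly generated for every response and placed on the page's own <script> tags.
function hardenedScriptSrc(nonceBase64) {
  return `script-src 'nonce-${nonceBase64}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Constructed policies for illustration (the store's real policy is not public).
const WEAK_CSP = "default-src 'self'; script-src 'self' https://www.youtube.com https://cdn.example-shop.test 'unsafe-inline'";
const STRICT_CSP = hardenedScriptSrc('UmFuZG9tMTI4Yml0cw=='); // constructed nonce value
```

The hardened policy moves trust from origins to individual script tags: a skimmer injected into the page cannot know the per-response nonce, and 'strict-dynamic' makes the browser ignore any host allowlist, so allowing an oEmbed or other JSONP endpoint's origin no longer matters. Scripts that the page legitimately loads must carry the nonce attribute, and any inline handlers have to be moved into nonced script blocks.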
(TLP: CLEAR) Comments: Data from a data breach can serve as a powerful tool for attackers to launch follow-on attacks like credential stuffing and fraud. When personal information, including usernames, passwords, and email addresses, is leaked, cybercriminals can use these details to attempt access to other accounts where users may have reused their credentials. This practice, known as credential stuffing, takes advantage of weak or repeated passwords across multiple platforms. Additionally, breached data can be exploited to commit fraud, such as identity theft, where attackers use stolen personal information to make unauthorized transactions, open new accounts, or deceive victims through phishing scams.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:
- User-supplied data is not validated, filtered, or sanitized by the application.
- Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
- Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
- Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”
One way to validate input on the server side is through a Web Application Firewall.
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements.
New Mirai botnet targets industrial routers with zero-day exploits
(TLP: CLEAR) The Gayfemboy botnet, a highly sophisticated and resilient offshoot of the Mirai botnet, has emerged as a significant threat in 2024, leveraging 0-day vulnerabilities to exploit industrial routers and smart home devices. First identified by XLab in February 2024, it has evolved into a large-scale operation with over 15,000 active infected nodes daily, targeting devices across regions such as China, the United States, Iran, and Turkey. Its infection strategy includes over 20 known vulnerabilities, including the Four-Faith industrial router 0-day (CVE-2024-12856), alongside undisclosed exploits in Neterbit routers and Vimar smart home devices. The botnet organizes infected devices for efficient management and has demonstrated advanced capabilities, including stealth mechanisms, encrypted commands, and DDoS attacks generating traffic of up to 100 Gbps. Its attack frequency peaked in late 2024, with significant activity in October and November. Researchers monitoring the botnet faced retaliatory DDoS attacks, forcing them to halt operations. To mitigate threats, organizations are urged to implement robust cybersecurity measures such as patch management, network segmentation, and anti-DDoS solutions. Gayfemboy exemplifies the escalating sophistication of modern botnets and the persistent innovation of threat actors.
(TLP: CLEAR) Comments: The “Gayfemboy” botnet, first identified in February 2024, poses a significant threat to the internet. This Mirai-based botnet leverages a variety of vulnerabilities, including zero-day exploits, to compromise a wide range of internet-connected devices, from industrial routers to smart home appliances. The botnet primarily utilizes UDP for its DDoS attacks, exploiting its speed and lack of overhead to generate massive traffic, with some reports exceeding 100 Gbps. This level of attack traffic has the potential to disrupt critical infrastructure and bring online services to a standstill, highlighting the urgent need for enhanced security measures to protect the growing ecosystem of connected devices.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State Information Sharing and Analysis Center (MS-ISAC) publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API triggering. The result is an incredibly fast response against DDoS trouble when you need it most.
Source: https://cybersecuritynews.com/mirai-botnet-exploiting-routers-0-day-vulnerabilities/