Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
DNS hijacks target crypto platforms registered with Squarespace.
(TLP: CLEAR) A wave of coordinated DNS hijacking attacks has targeted decentralized finance (DeFi) cryptocurrency domains registered through the Squarespace registrar, redirecting users to phishing sites. Major DeFi platforms including Compound Finance, Celer Network, and Pendle were hit and warned users to take immediate action to secure their funds. The affected domains had originally been registered with Google Domains and were later migrated to Squarespace, a migration during which multi-factor authentication (MFA) was disabled, which likely enabled the hijacking. Researchers believe the hijackers exploited this gap together with newly created Squarespace accounts. Despite the attacks, the platforms confirmed their protocols (the on-chain smart contracts) were uncompromised. Users who interacted with the phishing sites should revoke smart contract approvals, change passwords, and move funds to new wallets. Squarespace has not yet commented on the issue, and security experts are still investigating the exact attack mechanism.
(TLP: CLEAR) Comments: DNS hijacking, also known as DNS redirection, is where a malicious actor manipulates DNS resolution so that queries for a legitimate name are answered with an attacker-controlled address. The attacker can host a replica of the legitimate site; once the user enters login credentials, the attacker captures them and forwards the user to the real site so that nothing looks wrong. With those credentials, the attacker can log in as the user and either steal sensitive data or transfer funds to an account under their control. Another risk is that the redirected site serves content that triggers a drive-by download of malware onto the victim’s system. DNS Security Extensions (DNSSEC) on all zones add cryptographic verification of DNS responses and defeat hijacks that spoof or poison resolution on the path between resolver and authoritative server. They do not, however, protect against the mechanism described in this story: an attacker who controls the registrar account can change the delegation (NS records) and the DS records themselves, and the signed answers will then be the attacker’s. Registrar-side controls are the primary defense for that case: MFA on the registrar account, registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited), and routine monitoring of the delegation and lock status, with DNSSEC as the second layer.
(TLP: CLEAR) Recommended best practices/regulations: ICANN SAC 007: “Domain Name Hijacking: Incidents, Threats, Risks and Remediation”: “Registrars should improve registrant awareness of the threats of domain name hijacking and registrant impersonation and fraud and emphasize the need for registrants to keep registration information accurate. Registrars should also inform registrants of the availability and purpose of the Registrar-Lock, and encourage its use. Registrars should further inform registrants of the purpose of authorization mechanisms (EPP authInfo) and should develop recommended practices for registrants to protect their domains, including routine monitoring of domain name status, and timely and accurate maintenance of contact and authentication information.”
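As an added example of the “routine monitoring of domain name status” that SAC 007 recommends (this is illustrative code written for this report, not Vercara’s, Squarespace’s or any registry’s tooling), the check below reads an RDAP domain object (the RFC 9083 JSON that registries serve, reachable via the bootstrap redirector at https://rdap.org/domain/<name>) and compares the registrar locks, the delegated nameservers, and the DNSSEC delegation status against a baseline. The two RDAP documents and the expected nameserver set are constructed for the example; the lock names are the RFC 8056 spellings of the EPP status codes.

```python
"""Posture check over an RDAP domain lookup (RFC 9083 JSON).

Added illustration of domain-status monitoring; not the code of any
registrar or registry. The RDAP documents and the expected nameserver
baseline below are constructed for the example.
"""
import json

# EPP status codes (RFC 5731) in the spelling RDAP uses (RFC 8056 mapping).
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client delete prohibited",
    "client update prohibited",
}

# Assumed baseline: the nameservers the domain is supposed to delegate to.
EXPECTED_NS = {"ns1.registrar.example", "ns2.registrar.example"}

# Constructed: a domain whose locks were dropped during a registrar migration
# and whose delegation now points at an attacker-controlled nameserver.
HIJACKED_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "defi-protocol.example",
    "status": ["active", "client transfer prohibited"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.ATTACKER.EXAMPLE."}],
    "secureDNS": {"delegationSigned": False},
})

# Constructed: the same domain as it should look.
HEALTHY_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "defi-protocol.example",
    "status": ["active", "client transfer prohibited",
               "client delete prohibited", "client update prohibited"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.registrar.example"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.registrar.example"}],
    "secureDNS": {"delegationSigned": True,
                  "dsData": [{"keyTag": 12345, "algorithm": 13, "digestType": 2, "digest": "ab" * 32}]},
})


def audit_rdap(rdap_json: str, expected_ns: set, expect_dnssec: bool = True) -> list:
    """Compare one RDAP domain object against the baseline; return a list of findings."""
    doc = json.loads(rdap_json)
    findings = []

    statuses = {s.lower() for s in doc.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - statuses):
        findings.append(f"registrar lock missing: {lock}")
    if "pending transfer" in statuses:
        findings.append("transfer to another registrar is pending")

    # RDAP nameserver names may be upper-case or carry a trailing dot; normalise first.
    observed_ns = {ns.get("ldhName", "").rstrip(".").lower()
                   for ns in doc.get("nameservers", [])} - {""}
    for ns in sorted(observed_ns - expected_ns):
        findings.append(f"unexpected nameserver in delegation: {ns}")
    for ns in sorted(expected_ns - observed_ns):
        findings.append(f"expected nameserver absent from delegation: {ns}")

    # delegationSigned is true only when a DS record for this zone exists at the parent.
    if expect_dnssec and not doc.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("delegation is not DNSSEC-signed (no DS record at the parent)")
    return findings


def run_demo() -> list:
    """Audit the constructed hijacked document; returns six findings."""
    return audit_rdap(HIJACKED_RDAP, EXPECTED_NS)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Run on a schedule against every domain you own and alert on any non-empty result; a lock disappearing or a nameserver changing outside a planned maintenance window is exactly the signal the platforms in this story would have wanted before their users were redirected.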
(TLP: CLEAR) Vercara: Vercara’s UltraDNS Health Check tool makes it easy to ensure that your domains are RFC-compliant, checks for adherence to best practices, and identifies possible configuration and security issues.
‘Trial’ DDoS attacks on French sites portend greater Olympics threats.
(TLP: CLEAR) Russian hacktivists have launched distributed denial-of-service (DDoS) attacks on notable French websites ahead of the Paris Olympics. HackNeT and the People’s Cyber Army, linked to Sandworm, claimed responsibility for these attacks, which they described as “training.” They targeted websites of tourist attractions such as the La Rochelle International Film Festival and the Grand Palais, showcasing their actions on social media. While these attacks appear to be nuisance-level disruptions, experts warn they could distract from more significant threats. Historical precedents include major data breaches and disruptive cyberattacks on previous Olympics, such as the 2016 Rio Games and the 2018 Pyeongchang Games. The Olympic committee’s preparations aim to mitigate such threats, though concerns remain about its readiness against modern, AI-based cyberattacks.
(TLP: CLEAR) Comments: The Olympics will be a significant target for malicious actors, not only for DDoS attacks but also for malware and on-path (man-in-the-middle) attacks aimed at stealing sensitive information. Malicious actors will consider DDoS attacks not only against the official Olympics websites but also against any site that supports or provides services associated with the Games, such as retail, sports betting, travel and tourism, or sports results. They carry out these attacks to gain notoriety as well as to advance their cause.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”: Organizations should have a well-defined incident response plan that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation paths. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center that works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.
WordPress plugin flaw let attackers seize administrative control.
(TLP: CLEAR) A critical vulnerability, CVE-2024-6695, has been discovered in the Profile Builder and Profile Builder Pro plugins, which have over 50,000 active installations. This flaw allows unauthenticated attackers to escalate privileges and gain administrative access without credentials. The vulnerability, stemming from inconsistent email handling during user registration, was identified during a routine plugin audit and has been assigned a CVSSv3.1 score of 9.8. The issue was patched in version 3.11.9, released on July 11, 2024. Administrators using these plugins should update immediately to mitigate risks, which include unauthorized actions, data theft, and site defacement. A proof of concept for the exploit is scheduled for release on August 5, 2024, emphasizing the need for prompt updates and robust security measures.
(TLP: CLEAR) Comments: WordPress Profile Builder is an all-in-one user profile and user registration plugin. Because it handles account creation and profile edits, it sits directly on the site’s authentication boundary, which is why a logic flaw in how it matches registration emails to existing accounts becomes an unauthenticated privilege escalation rather than a cosmetic bug. Administrators should confirm that the installed version is 3.11.9 or later, and do so before the proof of concept is published.
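The advisory only says the flaw stems from “inconsistent email handling during user registration”, so the example below illustrates that bug class in general rather than the plugin’s actual code paths, which the page does not show. It is an added, generic model written in Python (rather than PHP) so that the two lookups sit side by side: the registration uniqueness check compares the raw string, while a later privilege lookup normalises case and whitespace and takes the first match, so an attacker who registers a look-alike address is authenticated as themself but authorised as someone else. The accounts and passwords are constructed.

```python
"""Two lookups, two normalisations: an illustration of the
"inconsistent email handling" bug class, not the Profile Builder code.

Added example; the users and credentials below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    uid: int
    email: str
    password: str
    role: str


def canonical(email: str) -> str:
    """One normalisation rule for addresses, applied at the boundary."""
    return email.strip().lower()


class VulnerableStore:
    """Exact-match uniqueness check, but a normalised, first-match role lookup."""

    def __init__(self) -> None:
        self.users: list = []

    def register(self, email: str, password: str, role: str = "subscriber") -> User:
        if any(u.email == email for u in self.users):      # raw string comparison
            raise ValueError("email already registered")
        user = User(len(self.users) + 1, email, password, role)
        self.users.append(user)
        return user

    def authenticate(self, email: str, password: str) -> Optional[User]:
        for u in self.users:                                # raw comparison again
            if u.email == email and u.password == password:
                return u
        return None

    def role_for(self, email: str) -> Optional[str]:
        for u in self.users:                                # normalised: first match wins
            if canonical(u.email) == canonical(email):
                return u.role
        return None


class FixedStore(VulnerableStore):
    """Canonicalise once on the way in; authorise by user id, never by email."""

    def register(self, email: str, password: str, role: str = "subscriber") -> User:
        email = canonical(email)
        if any(u.email == email for u in self.users):      # compares canonical forms
            raise ValueError("email already registered")
        user = User(len(self.users) + 1, email, password, role)
        self.users.append(user)
        return user

    def authenticate(self, email: str, password: str) -> Optional[User]:
        return super().authenticate(canonical(email), password)

    def role_for_uid(self, uid: int) -> Optional[str]:
        return next((u.role for u in self.users if u.uid == uid), None)


def attacker_role(store: VulnerableStore) -> str:
    """Seed an admin, let an attacker register a case/whitespace variant of the
    admin's address, log in with the attacker's own password, and report the
    role the store grants that session ("rejected" if registration fails)."""
    store.register("admin@example.com", "correct horse battery staple", role="administrator")
    try:
        me = store.register("Admin@example.com ", "hunter2")
    except ValueError:
        return "rejected"
    session = store.authenticate(me.email, "hunter2")        # authenticated as the attacker...
    return store.role_for(session.email)                      # ...authorised as the admin


if __name__ == "__main__":
    print("vulnerable store grants:", attacker_role(VulnerableStore()))   # administrator
    print("fixed store grants:", attacker_role(FixedStore()))             # rejected
```

The fix has two halves and both matter: normalise the address exactly once, at input, and store only that form, so every later comparison is against the same bytes; and make authorisation decisions on the user id from the authenticated session, never on a re-derived email lookup. A WAF rule on argument length, as the NIST guidance below describes, would not catch this, because the malicious registration is a perfectly ordinary request.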
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://cybersecuritynews.com/wordpress-plugin-flaw-2/
Over 400,000 Life360 user phone numbers leaked via unsecured API.
(TLP: CLEAR) A threat actor known as “emo” leaked a database containing the personal information of 442,519 Life360 customers, exploiting a flaw in the login API. This unsecured endpoint allowed the attacker to verify users’ email addresses, names, and phone numbers. Life360 has since fixed the flaw, and API requests now return placeholder phone numbers. The breach occurred in March 2024, although emo claims not to be behind it. In another incident, the same threat actor leaked over 15 million email addresses from Trello accounts, also using an unsecured API. Additionally, Life360 disclosed an extortion attempt following a breach of the Tile customer support platform, resulting in the theft of sensitive information like names, addresses, email addresses, phone numbers, and device IDs. The attacker used stolen credentials from a former Tile employee to access multiple systems. Life360, which provides real-time location tracking and other services to over 66 million members, acquired Tile in December 2021. The company confirmed that the exposed data does not include credit card numbers, passwords, location data, or government-issued IDs. The extent of the Tile breach and its impact on customers remains undisclosed.
(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”:
- “The mitigation planning should be done in two layers:
- “Business – identify the business flows that might harm the business if they are excessively used.
- “Engineering – choose the right protection mechanisms to mitigate the business risk.
- “Some of the protection mechanisms are more simple while others are more difficult to implement.
The following methods are used to slow down automated threats:
- “Device fingerprinting: denying service to unexpected client devices (e.g headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them
- “Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns)
- “Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second)
- “Consider blocking IP addresses of Tor exit nodes and well-known proxies
- “Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.”
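The OWASP controls quoted above come down to recognising that a client is working through accounts faster and more broadly than a person would. As an added example (not Life360’s or Vercara’s detection logic), the check below runs over application-log lines for a login endpoint and flags a client that probes many distinct accounts inside a short window or fires requests at machine speed. The log format, the endpoint path /api/v1/login, and the thresholds are assumptions, and every log line is constructed.

```python
"""Velocity check for account enumeration against a login or lookup API.

Added example of the "non-human patterns" control; not any vendor's
detection logic. Log format, endpoint path, thresholds and all log lines
below are assumptions constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: ISO-8601 timestamp, client IP, request path, email submitted, HTTP status.
# 203.0.113.7 walks a list of addresses 150 ms apart; 198.51.100.4 is one person retrying.
CONSTRUCTED_LOG = """\
2024-07-16T10:00:00.000Z 203.0.113.7 /api/v1/login u01@example.com 404
2024-07-16T10:00:00.150Z 203.0.113.7 /api/v1/login u02@example.com 401
2024-07-16T10:00:00.300Z 203.0.113.7 /api/v1/login u03@example.com 404
2024-07-16T10:00:00.450Z 203.0.113.7 /api/v1/login u04@example.com 401
2024-07-16T10:00:00.600Z 203.0.113.7 /api/v1/login u05@example.com 404
2024-07-16T10:00:00.750Z 203.0.113.7 /api/v1/login u06@example.com 404
2024-07-16T10:00:00.900Z 203.0.113.7 /api/v1/login u07@example.com 401
2024-07-16T10:00:01.050Z 203.0.113.7 /api/v1/login u08@example.com 404
2024-07-16T10:00:01.200Z 203.0.113.7 /api/v1/login u09@example.com 401
2024-07-16T10:00:01.350Z 203.0.113.7 /api/v1/login u10@example.com 404
2024-07-16T10:00:01.500Z 203.0.113.7 /api/v1/login u11@example.com 401
2024-07-16T10:00:01.650Z 203.0.113.7 /api/v1/login u12@example.com 404
2024-07-16T10:00:02.000Z 203.0.113.7 /api/v1/health - 200
2024-07-16T10:00:03.000Z 198.51.100.4 /api/v1/login dana@example.com 401
2024-07-16T10:00:08.500Z 198.51.100.4 /api/v1/login dana@example.com 200
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, path, email, status)."""
    ts, ip, path, email, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), ip, path, email.lower(), int(status)


def detect_enumeration(log_text: str, path: str = "/api/v1/login",
                       window: timedelta = timedelta(seconds=60), max_distinct: int = 10,
                       min_gap: timedelta = timedelta(milliseconds=300), fast_gaps: int = 5) -> dict:
    """Return {client_ip: [reasons]} for clients whose use of `path` looks automated.

    "enumeration":   more than max_distinct different accounts probed inside one window
    "machine-speed": at least fast_gaps consecutive requests closer together than min_gap
    """
    recent = defaultdict(deque)     # ip -> (timestamp, email) pairs still inside the window
    last_seen = {}                  # ip -> timestamp of its previous request
    fast_run = defaultdict(int)     # ip -> length of the current run of too-fast gaps
    reasons = defaultdict(set)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, req_path, email, _status = parse_line(line)
        if req_path != path:
            continue

        q = recent[ip]
        q.append((ts, email))
        while ts - q[0][0] > window:            # drop entries that fell out of the window
            q.popleft()
        if len({e for _, e in q}) > max_distinct:
            reasons[ip].add("enumeration")

        if ip in last_seen and ts - last_seen[ip] < min_gap:
            fast_run[ip] += 1
        else:
            fast_run[ip] = 0
        if fast_run[ip] >= fast_gaps:
            reasons[ip].add("machine-speed")
        last_seen[ip] = ts

    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in detect_enumeration(CONSTRUCTED_LOG).items():
        print(f"{ip}: {', '.join(why)}")
```

This is the detection half; the response half is the change the story describes on the server side, returning the same shape of answer (placeholder phone numbers, identical status codes and timing) whether or not the account exists, so that even a slow, distributed enumeration learns nothing. Tune the window and thresholds to the endpoint: a B2B API called by a scheduler legitimately runs at machine speed, which is why the OWASP text above treats machine-facing APIs separately.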
(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively.
Critical Apache HTTP server vulnerabilities expose millions of websites to cyber attack.
(TLP: CLEAR) The Apache Software Foundation has revealed numerous critical vulnerabilities in the Apache HTTP Server, affecting various versions and potentially exposing millions of websites to cyber threats. These vulnerabilities, identified by their CVE numbers, include issues such as source code disclosure, server-side request forgery (SSRF), and denial of service (DoS). Some notable vulnerabilities include:
- CVE-2024-40725 and CVE-2024-39884: Source code disclosure vulnerabilities related to legacy content-type-based handler configurations, which could expose local source code under certain conditions.
- CVE-2024-40898 and CVE-2024-38472: SSRF vulnerabilities on Windows that could leak NTLM hashes to malicious servers.
- CVE-2024-36387: A DoS vulnerability via a null pointer dereference in WebSocket over HTTP/2.
- CVE-2024-38473: An encoding issue in mod_proxy that could bypass authentication.
- CVE-2023-38709 and CVE-2024-24795: HTTP response splitting vulnerabilities allowing malicious header injections.
Other vulnerabilities include issues in mod_rewrite, mod_proxy, and various modules, leading to potential code execution, memory corruption, and resource exhaustion. The Apache Software Foundation has released patches and updates to mitigate these risks and advises users to upgrade to the latest versions to secure their servers.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:
- “User-supplied data is not validated, filtered, or sanitized by the application.
- “Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
- “Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
- “Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”
One way to validate input on the server side is through a Web Application Firewall.
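The response-splitting entries in the Apache list above and the OWASP rule that hostile data must not be concatenated into an interpreter’s input describe the same failure: a CR/LF pair inside a header value ends the line it was meant to sit on, and whatever follows is parsed as new headers, or as a whole new response. The example below is added for this report (it is not Apache’s code and does not reproduce the specific CVEs) and shows the class with a redirect whose Location value comes from the request, beside the validation that rejects it. The attacker input is constructed.

```python
"""CRLF injection into a response header, and the check that stops it.

Added example of the response-splitting class; not Apache's code and not
a reproduction of the CVEs above. The injected target is constructed.
"""


class HeaderInjection(ValueError):
    """Raised when a header value would terminate the line it sits on."""


def validate_header_value(value: str) -> str:
    """Field values may not contain CR, LF or NUL (RFC 9110 field-value
    grammar); reject rather than strip, so the caller learns it was attacked."""
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_redirect_vulnerable(target: str) -> bytes:
    """Concatenates request-controlled input straight into the Location header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")


def build_redirect_fixed(target: str) -> bytes:
    """Same response, but the value is validated before it reaches the writer."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {validate_header_value(target)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")


def count_responses(raw: bytes) -> int:
    """Crude model of a downstream client or cache: every block that starts
    with a status line and ends at a blank line is the head of a response."""
    return sum(1 for block in raw.split(b"\r\n\r\n") if block.startswith(b"HTTP/1."))


def fixed_rejects(target: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_fixed(target)
    except HeaderInjection:
        return True
    return False


# Constructed attacker input: a redirect target that closes the first response
# and supplies a complete second one, to be cached or shown to the next client.
INJECTED_TARGET = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "<h1>attacker page</h1>"
)


if __name__ == "__main__":
    print("vulnerable, benign input :", count_responses(build_redirect_vulnerable("/home")), "response")
    print("vulnerable, injected     :", count_responses(build_redirect_vulnerable(INJECTED_TARGET)), "responses")
    print("fixed, injected rejected :", fixed_rejects(INJECTED_TARGET))
```

When the value is a URL, percent-encoding it is the other acceptable treatment; what is never acceptable is silently stripping the CR/LF, because the cleaned value may still be an open redirect and the attack attempt goes unlogged. For the Apache bugs themselves the validation lives in the server’s own header handling, so the practical remediation is the upgrade the foundation advises; a WAF rule that drops requests carrying encoded CR/LF (%0d%0a) in parameters is a reasonable virtual patch while the upgrade is scheduled.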
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks, such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks.
Source: https://cybersecuritynews.com/critical-apache-http-server-vulnerabilities/
The Vercara OSINT Report is published every week. To see the current and past OSINT reports, click here.
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please visit our solutions overview page or contact us.