Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
CyberVolk analysis explores ransomware, hacktivism interconnections.
(TLP: CLEAR) Recent reporting sheds light on CyberVolk, also identified as GLORIAMIST, a politically motivated hacktivist group that surfaced in 2024 and that, despite its reported origins in India, has displayed a clear alignment with Russian geopolitical interests. According to reporting, CyberVolk employs a blend of ransomware and distributed denial-of-service (DDoS) attacks to disrupt, extort, and intimidate targets opposed to Russian interests. CyberVolk uses social engineering and phishing campaigns as its primary attack vectors for initial access. Its approach leverages meticulously crafted narratives designed to deceive individuals into unknowingly granting access to critical systems or divulging sensitive credentials. These targeted techniques highlight the group’s proficiency in manipulating trust to bypass traditional security measures. Between June and October 2024, CyberVolk claimed responsibility for multiple high-profile ransomware attacks, primarily focusing on public sector entities and government infrastructure. Additionally, CyberVolk’s activities have displayed operational overlap and collaboration with other pro-Russian entities, such as NONAME057(16), while also collaborating with ransomware families like HexaLocker, Parano, and Doubleface. These associations reinforce the group’s position within a broader ecosystem of hacktivist groups united by shared ideology or political beliefs.
(TLP: CLEAR) Comments: CyberVolk represents a convergence of hacktivism, cybercrime, and state-aligned objectives. Their evolving toolkit and association with broader pro-Russian hacktivist networks suggest a calculated approach to maintaining operational relevance while leveraging asymmetric capabilities. The group’s dual focus on disruption (DDoS) and monetization (ransomware) mirrors an emerging trend in modern hacktivism, where ideological motives intersect with financial incentives.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05:
“Installation and execution of unauthorized software are prevented.” By enforcing a content filtering policy that blocks typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that users unknowingly introduce into the organization. This can be done via a protective DNS or forward web proxy solution with website category feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://www.scworld.com/news/cybervolk-analysis-explores-ransomware-hacktivism-interconnections
Russia’s ‘BlueAlpha’ APT hides in Cloudflare tunnels.
(TLP: CLEAR) Recent intelligence reporting has highlighted the latest cyber operations conducted by BlueAlpha, a sophisticated Russian state-sponsored advanced persistent threat (APT) group. According to reporting, the group has enhanced its malware delivery operations by weaponizing Cloudflare Tunnels to distribute its custom GammaDrop malware. Cloudflare Tunnels are designed to provide secure connectivity by routing traffic through Cloudflare’s network without exposing resources via publicly routable IP addresses. By leveraging the free tunnelling capabilities of TryCloudflare, the group generates subdomains under trycloudflare.com, which effectively masks BlueAlpha’s command-and-control (C2) servers, making them invisible to traditional network detection and monitoring tools. The use of such a widely trusted service complicates detection and mitigation efforts, as network defenders are then required to differentiate between legitimate Cloudflare traffic and malicious activity masquerading within it. This strategic abuse of legitimate technology reflects the group’s evolving tactics to evade detection and bolster operational stealth.
(TLP: CLEAR) Comments: Since its emergence back in 2014, BlueAlpha has since refined its operational capabilities by leveraging the free tunnelling capabilities of TryCloudflare and routing all their attack traffic through Cloudflare’s infrastructure. Additionally, reporting indicates the group has intensified its malicious activities in recent months, focusing on Ukrainian organizations through targeted spear-phishing campaigns. BlueAlpha exemplifies the growing trend among cyber threat actors to utilize legitimate cloud-based tools, such as Cloudflare Tunnels, to circumvent detection mechanisms in order to launch cyber-attacks.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01:
“Networks and network services are monitored to find potentially adverse events”: One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
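The detection point in the paragraph above (telling quick-tunnel hostnames apart from ordinary Cloudflare traffic) is easiest at the DNS layer, because every TryCloudflare tunnel is a generated label under trycloudflare.com and the endpoint has to resolve it. The following is an added example, not Vercara's code or the cited report's: it scans a DNS query log for such lookups and groups them by client. The log layout (one query per line: timestamp, client IP, queried name, query type), the allowlist mechanism and all hostnames and addresses are assumptions or constructed. The allowlist matters in practice because developers legitimately use quick tunnels, so the goal is to surface the unexplained ones rather than to block the zone outright.

```python
"""Flag DNS lookups for TryCloudflare quick-tunnel hostnames in a DNS query log.

Added example; this is not Vercara's or the cited report's code. The log layout
(one query per line: timestamp, client IP, queried name, query type) is an
assumption, and every hostname and address below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: one client resolves two quick-tunnel hostnames,
# another resolves only the product's apex domain, which is not a tunnel.
SAMPLE_LOG = """\
2024-12-02T09:14:03Z 10.0.4.21 updates.example-vendor.com A
2024-12-02T09:14:05Z 10.0.4.21 random-words-here.trycloudflare.com A
2024-12-02T09:14:06Z 10.0.4.21 random-words-here.trycloudflare.com AAAA
2024-12-02T09:15:11Z 10.0.7.8 mail.example.org MX
2024-12-02T09:16:40Z 10.0.4.21 other-words-here.trycloudflare.com A
2024-12-02T09:17:02Z 10.0.9.3 trycloudflare.com A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Quick tunnels get a generated label directly under trycloudflare.com; the apex
# itself is ordinary web content, so only names with at least one extra label match.
TUNNEL_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.trycloudflare\.com\.?$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_tunnel_lookups(log_text, allowlist=frozenset()):
    """Map each client IP to the sorted list of *.trycloudflare.com names it resolved.

    Names on the allowlist (tunnels the organisation has documented as legitimate)
    are skipped, so the output contains only the unexplained ones worth triaging.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"].rstrip(".").lower()
        if TUNNEL_RE.match(qname) and qname not in allowlist:
            hits[rec["client"]].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


def format_report(hits):
    """Render the findings as one line per client, suitable for a ticket or SIEM note."""
    return [f"{client}: {len(names)} quick-tunnel name(s): {', '.join(names)}"
            for client, names in sorted(hits.items())]


if __name__ == "__main__":
    for line in format_report(find_tunnel_lookups(SAMPLE_LOG)):
        print(line)
```

Run against the constructed log, only 10.0.4.21 is reported, with its two tunnel names; the apex lookup from 10.0.9.3 is ignored. The same pattern carries over to a resolver's query log or a protective DNS export, with the allowlist populated from whatever tunnels the organisation has approved.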
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by it.
Telecommunication firms struggle to boot Chinese hackers from networks.
(TLP: CLEAR) The following reporting highlights the Chinese advanced persistent threat (APT) group Salt Typhoon and its ongoing cyber operations that have successfully infiltrated the networks of eight major U.S. telecommunications companies. Intelligence indicates that this malicious campaign, which began in late spring 2024, is part of a coordinated effort by Chinese state-sponsored actors to disrupt and gain control over critical telecommunications infrastructure. Salt Typhoon employs a multifaceted approach to compromising telecommunications networks, leveraging vulnerabilities in network devices, deploying sophisticated malware, and launching targeted spear phishing campaigns against employees of telecom firms. Furthermore, U.S. officials are now confirming that the Chinese backed APT still maintains access to critical infrastructure within the U.S., posing significant challenges in efforts to evict them from systems. Despite investigations beginning in late spring, officials admit they have yet to fully uncover the scope of these intrusions. Analysts assess that this intrusion aligns with China’s strategic objectives, which encompass eroding trust in U.S. communication systems, securing access to sensitive governmental and political intelligence, and establishing a foothold for leverage in potential future conflicts. In response to these developments, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued guidance for the communications sector to bolster defences against Salt Typhoon and similar cyber-security threats.
(TLP: CLEAR) Comments: Salt Typhoon’s operations underscore the escalating threat posed by advanced state-sponsored APTs. Their capacity to maintain prolonged, undetected access to systems, coupled with the deliberate selection of high-value, strategic targets, reflects a level of precision and resource investment indicative of state-sponsored backing. Mitigating the threat posed by Salt Typhoon and other sophisticated cyber-espionage campaigns demands a comprehensive, multi-layered cybersecurity strategy. Telecommunications providers must prioritize the deployment of advanced intrusion detection and prevention systems, coupled with routine security audits to identify and remediate vulnerabilities.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION:
“Control:
- “a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
- “b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
- “c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
- “d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://www.axios.com/2024/12/03/salt-typhoon-china-phone-hacks
Source: https://therecord.media/salt-typhoon-csrb-review
Phishing-as-a-Service “Rockstar 2FA” targets Microsoft 365 users with AiTM Attacks.
(TLP: CLEAR) A highly sophisticated malicious email campaign and phishing-as-a-service (PhaaS) toolkit designed to compromise Microsoft 365 account credentials has recently been identified. Dubbed “Rockstar 2FA”, the malicious toolkit launches adversary-in-the-middle (AitM) attacks, enabling threat actors to capture user credentials and session cookies, effectively bypassing multi-factor authentication (MFA). According to security analysts, Rockstar 2FA is an evolution of the DadSec phishing toolkit, also tracked by Microsoft as Storm-1575. The toolkit is readily available on platforms such as ICQ, Telegram, and Mail[.]ru, offering accessibility that allows even low-skilled cybercriminals to execute large-scale phishing campaigns with minimal technical expertise. The Rockstar 2FA toolkit is equipped with advanced capabilities such as MFA bypass, anti-bot protection, and 2FA cookie harvesting, and provides customizable login page themes designed to impersonate various popular services. It also boasts fully undetectable (FUD) phishing links to evade detection. Additional reporting indicates threat campaigns leveraging the Rockstar 2FA toolkit exploit popular platforms such as Microsoft OneDrive, Atlassian Confluence, Dynamics 365 Customer Voice, and Google Docs Viewer. When a victim engages with the malicious phishing page, their credentials and session cookies are instantly captured and transmitted to an adversary-in-the-middle (AitM) server, granting attackers unauthorized access. This tactic highlights the advancing sophistication of phishing campaigns, showing how even accounts secured with multi-factor authentication (MFA) can be compromised.
(TLP: CLEAR) Comments: The growing sophistication of phishing-as-a-service platforms like Rockstar 2FA, coupled with the exploitation of trusted platforms and advanced evasion techniques, highlights the critical need for comprehensive anti-phishing measures. This includes robust monitoring systems, regular employee training to recognize social engineering tactics, and strict verification protocols. Users should pay close attention to email sender details and display names, as discrepancies in domain names can signal a phishing attempt.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide defence-in-depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://thehackernews.com/2024/11/phishing-as-service-rockstar-2fa.html
Gafgyt malware broadens its scope in recent attacks.
(TLP: CLEAR) Recent reporting highlights a significant evolution in the tactics of the Gafgyt malware, traditionally associated with targeting vulnerable internet-of-things (IoT) devices. Threat actors are now exploiting misconfigured Docker Remote API servers, broadening their attack surface and operational capabilities. This new approach leverages Docker’s containerization infrastructure, enabling attackers to achieve greater stealth, efficiency, and control over compromised environments. The attack begins with threat actors identifying publicly exposed Docker Remote API servers that lack proper security configurations. Once access is obtained, they create a container using a legitimate lightweight Linux distribution, such as the “alpine” image. Inside the container, attackers download and execute the Gafgyt botnet binary, referred to as “rbot.” This malware is configured with hardcoded command-and-control (C&C) server details, enabling the infected system to establish communication with the attacker’s infrastructure. By using Docker containers as a delivery mechanism, attackers can bypass traditional detection methods and enhance the malware’s persistence and scalability.
(TLP: CLEAR) Comments: The deployment of Gafgyt via Docker containers signifies a strategic evolution in malware propagation techniques. By leveraging containerization platforms, attackers can achieve greater stealth and efficiency, complicating detection and remediation efforts. The ability to mount the host’s filesystem within the container environment poses significant security risks, including unauthorized data access and system control.
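The exposure described in the two paragraphs above comes down to one daemon setting: a Docker Remote API listener on a TCP socket that is reachable from outside and does not require client certificates. The block below is an added example, not Vercara's, Docker's or the cited report's code. It audits the contents of a daemon.json for that condition, showing a constructed weak configuration next to a constructed hardened one; the file paths in the hardened configuration are placeholders. It reads only daemon.json, so listeners passed to dockerd on the command line with -H are outside what it can see and must be checked separately (for example in the service unit).

```python
"""Audit a Docker daemon.json for a Remote API listener that would be reachable
without client authentication.

Added example; not Vercara's, Docker's, or the cited report's code. It inspects
only daemon.json content; listeners given to dockerd as -H flags are not visible
to it. Both configurations below are constructed, and the TLS paths are placeholders.
"""
import json
from urllib.parse import urlsplit

# Constructed weak configuration: plaintext TCP listener on every interface, no TLS.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened configuration: client-certificate verification enabled,
# bound to a single internal address on the conventional TLS port (2376).
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder path
    "tlscert": "/etc/docker/server-cert.pem",   # placeholder path
    "tlskey": "/etc/docker/server-key.pem",     # placeholder path
})

ALL_INTERFACES = {"", "0.0.0.0", "::"}
TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of findings for the daemon.json content in `text`; empty means no issue found."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: the API is not reachable over the network.

    # Without tlsverify the daemon accepts any client that can reach the port.
    if cfg.get("tlsverify") is not True:
        findings.append("tcp listener configured without tlsverify: clients are not authenticated")
    else:
        for key in TLS_MATERIAL_KEYS:
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is missing")

    for h in tcp_hosts:
        parts = urlsplit(h)
        if (parts.hostname or "") in ALL_INTERFACES:
            findings.append(f"{h}: bound to all interfaces")
        if parts.port == 2375:
            findings.append(f"{h}: uses port 2375, the conventional plaintext API port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_daemon_config(cfg) or ['no findings']}")
```

For the weak configuration the audit reports the missing tlsverify, the all-interfaces bind and the plaintext port; for the hardened one it reports nothing. Even a correctly configured listener should additionally sit behind a host firewall or network ACL, since the check only says whether the daemon itself would demand a client certificate.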
(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”:
“The mitigation planning should be done in two layers:
- Business – identify the business flows that might harm the business if they are excessively used.
- Engineering – choose the right protection mechanisms to mitigate the business risk.
Some of the protection mechanisms are more simple while others are more difficult to implement. The following methods are used to slow down automated threats:
- Device fingerprinting: denying service to unexpected client devices (e.g. headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them
- Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns)
- Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second)
- Consider blocking IP addresses of Tor exit nodes and well-known proxies
Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.”
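The “non-human patterns” method in the OWASP list above is the one most readily implemented in application logging alone. The block below is an added example, not Vercara's or OWASP's code: it takes a stream of per-session step events and flags two patterns, a step transition faster than a human could perform (the OWASP add-to-cart to complete-purchase example, threshold one second) and a burst of repeated completions of a sensitive step within a short window. The event shape (session id, ISO-8601 timestamp, step name), the thresholds and all sample sessions are assumptions or constructed.

```python
"""Flag sessions that move through a sensitive business flow faster than a human can,
or repeat a sensitive step in a burst.

Added example; not Vercara's or OWASP's code. The event records (session id,
ISO-8601 timestamp, step name), the thresholds and all sample sessions are constructed.
"""
from datetime import datetime, timedelta

# Constructed events: sess-a jumps from add_to_cart to complete_purchase in 400 ms,
# sess-b takes 42 s, sess-c completes five purchases inside one minute.
SESSION_C = []
for i in range(5):
    SESSION_C.append(("sess-c", f"2024-12-02T10:05:{i * 10:02d}.000Z", "add_to_cart"))
    SESSION_C.append(("sess-c", f"2024-12-02T10:05:{i * 10 + 5:02d}.000Z", "complete_purchase"))

SAMPLE_EVENTS = [
    ("sess-a", "2024-12-02T10:00:00.000Z", "add_to_cart"),
    ("sess-a", "2024-12-02T10:00:00.400Z", "complete_purchase"),
    ("sess-b", "2024-12-02T10:01:00.000Z", "add_to_cart"),
    ("sess-b", "2024-12-02T10:01:42.000Z", "complete_purchase"),
] + SESSION_C


def parse_ts(s):
    """Parse the assumed timestamp format (UTC, millisecond precision)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def by_session(events):
    """Group events into {session_id: [(timestamp, step), ...]} sorted by time."""
    sessions = {}
    for sid, ts, step in events:
        sessions.setdefault(sid, []).append((parse_ts(ts), step))
    for seq in sessions.values():
        seq.sort()
    return sessions


def find_fast_transitions(events, step_from="add_to_cart", step_to="complete_purchase",
                          max_gap=timedelta(seconds=1)):
    """Return {session_id: gap_seconds} for sessions where step_to followed step_from within max_gap."""
    flagged = {}
    for sid, seq in by_session(events).items():
        last_from = None
        for ts, step in seq:
            if step == step_from:
                last_from = ts
            elif step == step_to and last_from is not None:
                gap = ts - last_from
                if gap < max_gap and sid not in flagged:
                    flagged[sid] = gap.total_seconds()
                last_from = None  # each purchase is paired with the cart action before it
    return flagged


def find_bursts(events, step="complete_purchase", window=timedelta(minutes=1), max_count=3):
    """Return {session_id: count} for sessions hitting `step` more than max_count times in any window."""
    flagged = {}
    for sid, seq in by_session(events).items():
        times = [ts for ts, s in seq if s == step]
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_count:
                flagged[sid] = max(count, flagged.get(sid, 0))
    return flagged


if __name__ == "__main__":
    print("fast transitions:", find_fast_transitions(SAMPLE_EVENTS))
    print("bursts:", find_bursts(SAMPLE_EVENTS))
```

On the constructed data, sess-a is reported for the 0.4 s cart-to-purchase transition and sess-c for five purchases within one minute, while sess-b looks like a person. Flagged sessions are the natural input to the list's next method, human detection: challenge them rather than block outright, since a low threshold alone will occasionally catch a fast user on a saved cart.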
(TLP: CLEAR) Vercara: Vercara’s API solution, Vercara UltraAPI, offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively.
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.