Large-Scale Phishing Campaign Can Hijack Accounts Even When They're Protected by MFA
Hackers tried to trick Christine Lagarde, New Spectre-based speculative-execution attack discovered, Windows Autopatch available now, Microsoft issues 86 security fixes, much more
The annual defense spending bill, which has become a primary legislative vehicle for cybersecurity provisions, is headed into the home stretch. Check out my latest CSO column that looks at some critical cybersecurity amendments that could be in this year’s legislation.
Microsoft revealed an ongoing large-scale phishing campaign that can hijack user accounts when they're protected with multifactor authentication measures designed to prevent such takeovers.
The threat actors behind the operation, who have targeted 10,000 organizations since September, have used their covert access to victim email accounts to trick employees into sending the hackers money. "From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com)," members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center wrote in a blog post.
"In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account." (Dan Goodin / Ars Technica)
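One way a defender can hunt for the pattern described above, where a session cookie carrying an MFA claim is replayed from a second location without a fresh sign-in. This is an added example, not Microsoft's detection logic or code from the original post; the event fields and the sample sign-in records are constructed assumptions standing in for real sign-in telemetry.

```python
"""Flag sessions whose MFA-bearing token is later presented from a different
IP address or user agent than the sign-in that minted it (added example; the
event format and sample data below are constructed assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice completes an interactive MFA sign-in, then the
# same session token (the stolen cookie) appears from another IP and browser.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T08:01:10", "user": "alice@example.test", "session": "s-1001",
     "ip": "203.0.113.10", "ua": "Edge/103", "mfa_claim": True, "interactive": True},
    {"ts": "2022-07-12T08:02:30", "user": "alice@example.test", "session": "s-1001",
     "ip": "203.0.113.10", "ua": "Edge/103", "mfa_claim": True, "interactive": False},
    {"ts": "2022-07-12T08:09:45", "user": "alice@example.test", "session": "s-1001",
     "ip": "198.51.100.77", "ua": "Chrome/103", "mfa_claim": True, "interactive": False},
    {"ts": "2022-07-12T09:15:00", "user": "bob@example.test", "session": "s-2002",
     "ip": "203.0.113.11", "ua": "Edge/103", "mfa_claim": True, "interactive": True},
    {"ts": "2022-07-12T09:40:00", "user": "bob@example.test", "session": "s-2002",
     "ip": "203.0.113.11", "ua": "Edge/103", "mfa_claim": True, "interactive": False},
]

def find_cookie_replays(events, window=timedelta(hours=24)):
    """Return (user, session, origin_ip, replay_ip, gap) for each session whose
    MFA claim came from one interactive sign-in but which was later used
    non-interactively from a different IP or user agent within `window`."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    hits = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        origin = next((e for e in evs if e["interactive"] and e["mfa_claim"]), None)
        if origin is None:
            continue  # nothing MFA-satisfying to replay
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["interactive"] or t < t0 or t - t0 > window:
                continue  # a fresh sign-in, or outside the replay window
            if e["ip"] != origin["ip"] or e["ua"] != origin["ua"]:
                hits.append((e["user"], session, origin["ip"], e["ip"], t - t0))
    return hits

if __name__ == "__main__":
    for user, session, src, dst, gap in find_cookie_replays(SAMPLE_EVENTS):
        print(f"ALERT {user}: session {session} minted at {src} reused from {dst} "
              f"{gap} later with no new sign-in")
```

In production the same logic would key on the session identifier your identity provider logs and on ASN or device identity rather than raw IP and user-agent strings.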
A European Central Bank (ECB) spokesperson confirmed that unidentified hackers attempted to trick ECB President Christine Lagarde into letting them open a messaging app account in her name by posing as former German chancellor Angela Merkel.
The plot was quickly foiled without any information being compromised. (Francesco Canepa and Andreas Rinke / Reuters)
ETH Zurich computer scientists Johannes Wikner and Kaveh Razavi discovered another Spectre-based speculative-execution attack, which they call Retbleed, that exposes secrets within kernel memory despite defenses already in place.
Retbleed is an addition to the family of speculative-execution flaws known as Spectre-BTI (variant 2), which are exploited through branch target injection. Rogue software on a machine can exploit Retbleed to read memory it shouldn't have access to, such as operating system kernel data, passwords, keys, and other secrets. The defenses against Spectre-BTI include kernel page-table isolation (KPTI), retpoline, user pointer sanitization, and disabling unprivileged eBPF.
But the fixes may hinder performance significantly. "Retbleed's patch overhead is going to be between 13 percent and 39 percent," said Wikner and Razavi. "Mitigating Phantom JMPs has 106 percent overhead (i.e., 2 times slower)." (Jeff Burt / The Register)
Microsoft says that Windows Autopatch, an enterprise service first announced in April that automatically keeps Windows and Microsoft 365 software up to date, is now generally available.
This new service automatically manages the deployment of Windows 10 and Windows 11 quality and feature updates, as well as driver, firmware, and Microsoft 365 Apps for enterprise updates. Microsoft provides steps admins must go through to enroll devices in Windows Autopatch. (Sergiu Gatlan / Bleeping Computer)
Microsoft released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. In addition, July’s patch batch contains fixes for four different elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226.
The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Separately, Adobe issued patches to address at least 27 vulnerabilities across multiple products, including Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator. (Brian Krebs / Krebs on Security)
Researchers at Trend Micro say that a new ransomware family called HavanaCrypt is being delivered as a bogus Google Software Update, using Microsoft functionality as part of its attack.
Several features make the malware difficult to detect when it is executed on virtual machines. First, the malware uses Obfuscar, an open-source .NET obfuscator designed to protect the code in a .NET assembly. Once it executes, the ransomware hides its window by calling the Windows ShowWindow function with a parameter of 0. (Jeff Burt / The Register)
CISA has added an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) to its list of bugs abused in the wild.
The high-severity flaw, tracked as CVE-2022-22047, impacts both server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. Microsoft patched it as part of the July 2022 Patch Tuesday and classified it as a zero-day because it was abused in attacks before a fix was available. (Sergiu Gatlan / Bleeping Computer)
According to agency records obtained by Motherboard, the FBI lost over 200 desktop computers, multiple pieces of body armor, and night-vision scopes over six months last year.
The lost computers potentially present a cybersecurity risk if the machines and their contents are not properly secured. The FBI said that it “takes the management of its accountable assets and property with the utmost seriousness. Each year, the FBI conducts an inventory of either a portion or all accountable assets, and the FBI successfully inventories over 99% of these assets each year.” (Joseph Cox / Motherboard)
New Jersey IT giant SHI fully restored its systems following a wide-ranging incident that they referred to as a “coordinated and professional malware attack.”
SHI said that as of 8 a.m. on Monday, the “vast majority of SHI’s internal and external-facing systems are fully operational.” SHI has repeatedly said that no customer information was accessed. (Jonathan Greig / The Record)
The German government on Tuesday announced plans to shore up cyber defenses in light of possible new threats from Russia through measures that promote cyber resilience among small- and medium-sized enterprises.
These measures would apply to "critical infrastructure," businesses involved in transport, food, health, energy, and water supply. Also included is a secure central video conferencing system for the federal government and a centralized platform for the exchange of information on cyberattacks between state and federal structures, based at the Federal Office for Information Security (BSI). Moreover, the IT infrastructure of Germany's domestic intelligence agency and police will be modernized. (DW)
A hacker or hackers sent scam texts to 10,000 students at Deakin University in Australia after accessing the contact details, including mobile numbers and email addresses, of 46,980 past and present Deakin students.
Anyone who clicked on the link in the scam text message was taken to a form asking for details, including credit card information. (Tara Cosoleto / The New Daily)
A dozen chief election administrators in states across the country say they’re confronting a wave of threats and security challenges from a troubling source: inside the election system itself.
They detailed a growing number of “insider threats” leading to attempted or successful election security breaches aided by local officials, the most prominent of which was in Colorado, where a county clerk was indicted for her role in facilitating unauthorized access to voting machines. But there have been similar instances elsewhere, including in Pennsylvania, Michigan, and Ohio. (Zack Montellaro / Politico)