TLDR Information Security 2024-03-27

Fake Python Infrastructure 🐍, MFA Bombing affecting Apple users 📲, Mozilla drops Onerep 🕵️‍♂️

🔓
Attacks & Vulnerabilities

Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (2 minute read)

The German national cybersecurity authority has identified approximately 17,000 Microsoft Exchange servers in Germany that are exposed online and vulnerable to critical security flaws. Around 45,000 Exchange servers in Germany have Outlook Web Access enabled, with some still using outdated versions of Exchange that have not received security updates.

Over 170K Users Affected by Attack Using Fake Python Infrastructure (9 minute read)

This post reports on a sophisticated cyber attack campaign that affected over 170,000 users by using fake Python infrastructure. The attackers employed various tactics such as account takeovers, contributing malicious code, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry. They also hijacked GitHub accounts, published malicious Python packages, and used social engineering schemes.

AWS Fixes 1-Click Apache Airflow Session Hijack (4 minute read)

AWS fixed a flaw in its Managed Workflows for Apache Airflow (MWAA) service that allowed attackers to hijack MWAA sessions via an XSS attack on AWS-hosted sites. This vulnerability was possible because many AWS services utilize the same domain suffix, so browser cookie protections fail. AWS and Microsoft (which had similar issues) have registered domains associated with various vulnerable services to the Public Suffix List to prevent these attacks.
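The shared-suffix problem above comes down to how browsers scope cookies: a host may set a cookie for any parent domain unless that parent is on the Public Suffix List, and a cookie scoped to a parent is sent to every sibling host beneath it. The following added example (not code from the newsletter, AWS or Microsoft) models that rule in Python; the hostnames and the miniature suffix list are constructed for illustration and stand in for real cloud domains.

```python
"""Minimal model of browser cookie Domain scoping and the Public Suffix List.

Added example, not from the original article. The hostnames and the
PUBLIC_SUFFIXES set below are constructed stand-ins; a real PSL has
thousands of entries.
"""

# Constructed suffix list. "example-cloud.test" plays the role of a
# provider-wide suffix that many unrelated services share.
PUBLIC_SUFFIXES = {
    "com",
    "test",
    "example-cloud.test",
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip surrounding dots/whitespace."""
    return name.strip().lower().strip(".")


def is_public_suffix(domain: str, psl=PUBLIC_SUFFIXES) -> bool:
    return normalize(domain) in psl


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host, cookie_domain = normalize(host), normalize(cookie_domain)
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_domain_allowed(host: str, cookie_domain: str, psl=PUBLIC_SUFFIXES) -> bool:
    """Would a browser accept a Set-Cookie from `host` with Domain=`cookie_domain`?

    Two checks: the host must domain-match the requested domain, and the
    requested domain must not itself be a public suffix. The second check is
    what stops one tenant from planting cookies for every sibling service
    that shares a provider-wide suffix.
    """
    cookie_domain = normalize(cookie_domain)
    if not cookie_domain:
        return False
    if not domain_matches(host, cookie_domain):
        return False
    if is_public_suffix(cookie_domain, psl):
        return False
    return True


def cookie_visible_to(cookie_domain: str, host: str) -> bool:
    """Would a cookie scoped to `cookie_domain` be sent along to `host`?"""
    return domain_matches(host, cookie_domain)


if __name__ == "__main__":
    svc_a = "svc-a.example-cloud.test"
    svc_b = "svc-b.example-cloud.test"
    shared = "example-cloud.test"
    # Before the shared suffix is on the PSL: svc-a can scope a cookie to
    # the suffix, and that cookie is then sent to svc-b as well.
    before = cookie_domain_allowed(svc_a, shared, psl={"com", "test"})
    print("before PSL entry: cookie accepted =", before,
          "| reaches svc-b =", cookie_visible_to(shared, svc_b))
    # After the suffix is registered on the PSL the Set-Cookie is refused.
    print("after PSL entry:  cookie accepted =", cookie_domain_allowed(svc_a, shared))
```

The model deliberately ignores the Path, Secure and SameSite attributes so that only the domain rule is visible; registering a provider suffix on the PSL is the fix the article describes, and the last two calls in the `__main__` block show the before and after.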
🧠
Strategies & Tactics

Blaze's Security Blog: Analyze, hunt, and classify malware using .NET metadata (8 minute read)

This blog post discusses the development of Yara rules for identifying and classifying malware written in .NET based on unique identifiers such as MVID and Typelib. The author mentions tools like GetNetGUIDs for extracting GUID types and clustering malware samples to identify patterns. The tools and Yara rules presented can be used to enhance existing rule sets, classify malware, and extract metadata from .NET assemblies.

The Darkside of TheMoon (12 minute read)

This blog post discusses a multi-year campaign that targeted end-of-life small home/small office routers and IoT devices with an updated version of the TheMoon malware. The malware is associated with a proxy service called Faceless, used by cybercriminals for anonymity. The post also describes the global telemetry analysis of Faceless, its proxy server infrastructure, and the behavior of infected devices in the network.

Wishing: Webhooks Phishing in Teams (10 minute read)

This article presents a rundown of methods to phish users via Microsoft Teams. By default, any user can install a new Incoming Webhook - Microsoft provides no way to add authentication to webhooks. An attacker can leverage this to send phishing messages to channels that look like legitimate messages from connected applications. Teams also supports a channel email feature which enables the same capabilities via a unique email address per channel.
πŸ§‘β€πŸ’»
Launches & Tools

ThreatCL (GitHub Repo)

ThreatCL is a tool for threat modeling in HCL. It provides a DevOps-first method of documenting threat models. ThreatCL also provides utility for generating a data flow diagram from the HCL.

k8spacket (GitHub Repo)

k8spacket is an eBPF-based tool for visualizing k8s traffic with various dashboards.

IndicatorOfCanary (GitHub Repo)

The Indicator of Canary is a collection of PoCs from research on identifying canaries in various file formats. It focuses on identifying known IoCs (Indicators of Canary) and unknown callback URLs in places they shouldn't be. This tool is intended to give operators better awareness to make more informed decisions, preferably by automating similar checks in implants and other tools.
🎁
Miscellaneous

Free VPN apps on Google Play turned Android phones into proxies (4 minute read)

Over 15 free VPN apps on Google Play were discovered using a malicious software development kit that turned Android devices into residential proxies, potentially for cybercrime. These residential proxies route internet traffic through homes to make it appear legitimate. Google removed apps using the LumiApps SDK from the Play Store and updated Google Play Protect to detect the libraries used in the apps.

Mozilla Drops Onerep After CEO Admits to Running People-Search Networks (5 minute read)

Days after KrebsOnSecurity reported that the CEO of Onerep ran several people-search networks, Mozilla has dropped the company from its Monitor Plus product. Onerep is a service that removes users from hundreds of people-search sites. It also has other conflicts of interest such as running ads on data broker websites.

Recent ‘MFA Bombing’ Attacks Targeting Apple Users (7 minute read)

Apple users have recently been targeted in phishing attacks where scammers exploit a bug in Apple's password reset feature. The attack inundates target devices with system prompts that must be approved or declined repeatedly. The scammers then call the victims posing as Apple support to obtain one-time codes for account resets.
⚑️
Quick Links

AWS Adds mTLS support for Application Load Balancers (4 minute read)

AWS has expanded ALB’s TLS termination abilities to support mTLS with an ACM or user-provided CA.

Ransomware Ecosystem Map (PDF Document)

The Orange Cyberdefense team has compiled a collection of ransomware ecosystem tools, along with their interconnections, for a significant number of ransomware families seen since 2015.

A Framework For Understanding Cybersecurity (3 minute read)

Cybersecurity investor Aman Sidhant covers the Cyber Defense Matrix, a framework that can be used to cover most cybersecurity events.
Curated news 📰, research 🧑‍🔬, and tools 🔒 for information security professionals