Email System Attack Targeted 14 Accounts of Germany's Green Party

 

The foreign minister Annalena Baerbock and the economy minister Robert Habeck's email accounts were both compromised last month, according to the German Green party, which is a member of the coalition government of the nation. 

The party acknowledged a revelation published on Saturday by the German magazine Der Spiegel, but claimed that the two had not used official party accounts since January.

According to a report in the German magazine Der Spiegel on Thursday, the Green Party said that a total of 14 accounts, including those of the party's co-leaders Omid Nouripour and Ricarda Lang, were also hacked and that certain messages were sent to other servers. The article further stated that the attack also had an impact on the party's "Grüne Netz" intranet IT system, where private information is exchanged.

The party declined to acknowledge Der Spiegel's claim that an electronic trace suggested the cyberattack may have originated in Russia because of the current investigation by German authorities.

"More than these email accounts are affected," the party official claimed. The topic concerns emails using the domain "@gruene.de." The representative stated that it was not yet known who had hacked in. The first indication of the attack came on May 30, and access to the system has been restricted since June 13, when specialists determined that there had been a breach.

Authorities blamed the unauthorized access on Russian state-sponsored hackers. Baerbock has consistently taken a harsh approach in response to Russia's abuse of human rights and aggression against Ukraine. Since taking office in December, Habeck has been in charge of Germany's initiatives to wean itself off of Russian energy sources.

Network logs, according to the Greens, did not reflect any signs of the increased traffic levels that would indicate the theft of a significant amount of data.

Zimbra Memcached Injection Bug Patched

According to SonarSource, Zimbra is an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. A patch has been available since May 10, 2022, in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is used by organizations, governments, and financial institutions throughout the world.

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that can be created and retrieved using a simple text-based protocol, and they parse incoming data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker.
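The framing problem described above, and a key check that prevents it, as an added example that is not code from Zimbra or from the researchers. The `route:` key prefix, the function names and the sample inputs are assumptions made for illustration.

```python
import re

# Memcached text protocol limits: a key is at most 250 bytes and contains
# no whitespace or control characters; every command ends with \r\n.
MAX_KEY_BYTES = 250
SAFE_KEY = re.compile(rb"[\x21-\x7e]+")  # printable ASCII, no space

def build_get_unsafe(user):
    """'Before' form: untrusted input concatenated straight into the command."""
    return b"get route:" + user.encode("utf-8") + b"\r\n"

def commands_in(frame):
    """Split a request into lines, as a line-oriented server would."""
    return [line for line in frame.split(b"\r\n") if line]

def safe_key(prefix, user):
    """Return the key bytes, or raise if the key could break protocol framing."""
    key = (prefix + user).encode("utf-8")
    # fullmatch, not match with '$': '$' would accept a trailing "\n".
    if len(key) > MAX_KEY_BYTES or not SAFE_KEY.fullmatch(key):
        raise ValueError("cache key contains unsafe bytes or is too long")
    return key

def build_get_safe(user):
    """Hardened form: the key is validated before it reaches the wire."""
    return b"get " + safe_key("route:", user) + b"\r\n"

def is_rejected(user):
    try:
        build_get_safe(user)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed inputs: a normal address, one carrying CRLF, one with a bare LF.
    for user in ["alice@example.com", "alice\r\nstats", "alice\n"]:
        print(repr(user), commands_in(build_get_unsafe(user)),
              "rejected:", is_rejected(user))
```

With the unsafe builder, the second input reaches the server as two commands instead of one; the hardened builder refuses it before anything is sent.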

Knowing the victim's email address and using an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows attackers to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence."

As a result, Scannell advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.

Threat Actors Abuse Calendly App to Steal Account Credentials

 

Cyber criminals have unearthed a new vector of assault to utilize during phishing campaigns. Calendly, a free scheduling app, permits malicious actors to use email to lure the victim to a meeting with the title and link they choose. This increases the authenticity of the phishing email as it seems to come from a legitimate firm. 

Earlier this year in February, security analysts at INKY, an email monitoring firm, discovered specific instances where the phishing actors titled the meeting "You have received a new fax document" with an embedded link to "preview" the document. The link instead brought victims to a webpage that looked like a Microsoft site but actually was set up to steal Microsoft account credentials. 

The webpage also used a technique common in newer phishing campaigns to ensure the credentials are free of typos: the victim is lured into entering their credentials twice because the first attempt is reported as "invalid."

The victim is then sent to the domain of their email address to minimize the likelihood of realizing the compromise and reporting it as phishing. According to INKY, while the majority of the methodologies employed in this campaign are standard, the use of Calendly has not been previously spotted.

“The app is committed to protecting users against phishing attacks with built-in security tools such as a next-gen web application firewall, anomalous traffic pattern alerts as well as fraudulent IP tracking capabilities,” the Calendly spokesperson stated. 

“In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

Calendly has also detailed a couple of steps that should help users improve their security. The company advises reviewing the sender's email address and display name. In the attack described by INKY, the email claimed to be sent by Microsoft but came from a non-Microsoft domain. Another red flag is a page that prompts the user for credentials, which the attackers then copy and send back to their command-and-control (C2) infrastructure.
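The display-name check described above can be automated over `From` headers. This is an added example, not code from Calendly or INKY; the brand-to-domain table and the sample headers are assumptions constructed for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption for this example: brands mapped to domains they legitimately send from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "office.com"}}

def split_from(from_header):
    """Return (decoded display name, lower-cased sender domain)."""
    name, addr = parseaddr(from_header)
    # Display names may be RFC 2047 encoded-words; decode before matching.
    name = str(make_header(decode_header(name)))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return name, domain

def domain_matches(domain, allowed):
    """Exact match or true subdomain; 'microsoft.com.mail.example' does not match."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def display_name_mismatch(from_header):
    """List brands named in the display name whose sender domain is not theirs."""
    name, domain = split_from(from_header)
    return [brand for brand, allowed in BRAND_DOMAINS.items()
            if brand in name.lower() and not domain_matches(domain, allowed)]

if __name__ == "__main__":
    samples = [  # constructed headers
        "Microsoft Fax <noreply@scheduler.example>",
        '"Microsoft 365" <alerts@microsoft.com.mail.example>',
        "=?utf-8?b?TWljcm9zb2Z0?= <fax@scheduler.example>",
        "Microsoft <account@mail.microsoft.com>",
        "Alice <alice@example.org>",
    ]
    for header in samples:
        print(header, "->", display_name_mismatch(header))
```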

To protect against credential harvesting, another option is to use a password manager. Using a password manager is a simple way to avoid entering credentials into malicious phishing websites, because the phishing domain is not the same as that of the impersonated website. A password manager will not autofill the password, and will alert the user that the website they're on is not authentic.

ICO Struck by 2650% Rise in Email Attacks in 2021

 

The UK's Information Commissioner's Office (ICO) reported a whopping 2650% spike in email attacks in 2021, as per official numbers acquired by the Parliament Street think tank following a Freedom of Information request.

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month last year, the data refers to the volume of phishing emails discovered, malware detected and prevented, and spam detected and blocked by the ICO. 

The majority of the attacks were caused by spam emails, which increased by 2775% from January to December. During this time, the number of phishing emails climbed by 20%, while malware increased by 423%.

In December, the statistics revealed a significant increase in email attacks, with 4,125,992 spam messages, 7886 phishing emails, and 1197 malware cases. This increase is likely to be linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use issues like testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays. 

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.