Saturday 3rd August 2024

Good morning everyone, happy Saturday, and thank you for joining me for the latest instalment of Cyber Daily. Today we're looking into the latest global stories: the abuse of Cloudflare's free TryCloudflare service for malware distribution, the UK's NCA shutting down a prolific call-spoofing operation, and a newly publicised DNS delegation weakness that is putting over a million domains at risk of hijacking.

Cybercriminals Exploit TryCloudflare for Malware Delivery


Cybersecurity firms are raising alarms over a surge in the misuse of Cloudflare's free 'TryCloudflare' service to deliver malware. eSentire and Proofpoint have documented attackers using TryCloudflare to spin up one-time "quick tunnels", which expose an attacker-controlled server on a random, disposable trycloudflare.com subdomain so that all victim traffic is relayed through Cloudflare's infrastructure. Because the hostname is freshly generated for every tunnel and the traffic terminates at Cloudflare, reputation-based blocking struggles to keep up. This method has been observed delivering a variety of malware, including AsyncRAT, GuLoader, and Venom RAT.

The attack typically starts with a phishing email carrying a ZIP archive. Inside is an internet shortcut (.url) file that points the recipient at a Windows shortcut (.lnk) hosted on a WebDAV server reachable through a TryCloudflare tunnel. Opening that shortcut runs batch scripts that download and execute the next-stage payloads, while a decoy PDF is displayed to keep up the ruse.
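The .url-to-WebDAV hop is the one part of that chain a mail gateway or sandbox can inspect cheaply, before anything executes. The script below is an added example, not code from the article or from eSentire or Proofpoint: it builds a constructed ZIP in memory, parses every Internet Shortcut (.url) entry, and flags targets that sit under trycloudflare.com, use a WebDAV (DavWWWRoot) path, or point at a shortcut or script. The hostnames, file names and the flagging policy are this example's own assumptions.

```python
"""Triage a ZIP attachment for the TryCloudflare .url -> WebDAV lure.

Added example (not from the article or the vendors' reports). The tunnel
suffix is real; the sample archive, hostnames and flagging policy are made up.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

SUSPECT_SUFFIXES = (".trycloudflare.com",)
PAYLOAD_EXTS = (".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".exe")
# WebDAV UNC targets look like \\host@SSL\DavWWWRoot\file or file://\\host@SSL\DavWWWRoot\file
WEBDAV_RE = re.compile(
    r"^[\\/]+([^\\/@]+)(?:@SSL)?(?:@\d+)?[\\/]+DavWWWRoot(?:[\\/]|$)", re.I)


def parse_url_shortcut(text):
    """Return the URL= target of an INI-style [InternetShortcut] file, or None."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None


def webdav_host(url):
    """Host of a WebDAV UNC/file:// target, or None if it is not one."""
    path = re.sub(r"^file:", "", url, flags=re.I)
    m = WEBDAV_RE.match(path)
    return m.group(1).lower() if m else None


def target_host(url):
    """Host the shortcut ultimately reaches, for either UNC or http(s) targets."""
    host = webdav_host(url)
    if host:
        return host
    return (urlparse(url).hostname or "").lower()


def assess_target(url):
    """Reasons (possibly none) that a shortcut target matches the lure pattern."""
    reasons = []
    if target_host(url).endswith(SUSPECT_SUFFIXES):
        reasons.append("host under trycloudflare.com")
    if webdav_host(url) is not None:
        reasons.append("WebDAV share (DavWWWRoot)")
    if url.lower().rstrip().endswith(PAYLOAD_EXTS):
        reasons.append("target is a shortcut, script or executable")
    return reasons


def triage_zip(zip_bytes):
    """Map each .url member of the archive to its target and its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".url"):
                continue
            url = parse_url_shortcut(zf.read(name).decode("utf-8", "replace"))
            if url is not None:
                findings[name] = {"url": url, "reasons": assess_target(url)}
    return findings


def flagged_members(findings):
    """Names of archive members with at least one reason."""
    return [name for name, f in findings.items() if f["reasons"]]


def build_sample_zip():
    """Constructed attachment: one WebDAV/TryCloudflare lure, one benign link, one decoy."""
    lure = ("[InternetShortcut]\r\n"
            "URL=file://\\\\example-words-tunnel.trycloudflare.com@SSL\\DavWWWRoot\\Invoice.lnk\r\n")
    benign = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.url", lure)
        zf.writestr("readme.url", benign)
        zf.writestr("decoy.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, f in triage_zip(build_sample_zip()).items():
        print(name, "->", f["url"], "|", "; ".join(f["reasons"]) or "clean")
```

The point of splitting the checks into separate reasons is that none of them is individually damning: legitimate developers do use TryCloudflare, and WebDAV links exist inside enterprises. A .url file that combines a random trycloudflare.com host, a DavWWWRoot path and a .lnk target, arriving by email, is the specific combination the reports describe and is worth blocking outright.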

Proofpoint notes that the phishing emails are written in multiple languages and use diverse lures such as invoices and tax documents, targeting organisations worldwide. The campaign is financially motivated and uses Cloudflare tunnels to stand up temporary, scalable infrastructure that can be torn down and recreated at will, which makes it harder for defenders to track and block.

The ongoing exploitation of TryCloudflare has prompted calls for Cloudflare to tighten its anti-abuse policies so that cybercriminals cannot use its services to mask malicious activity.


UK's NCA Shuts Down Russian Coms, Arrests Fraud Ring Members


The UK's National Crime Agency (NCA) has dismantled Russian Coms, a call-spoofing service that defrauded hundreds of thousands of victims worldwide. The operation has so far led to the arrest of at least four suspects, all British nationals, believed to be key players in a scheme that reached victims in more than 100 countries.

In March, the NCA arrested two men in London suspected of developing and administering the platform. A third man, accused of being an affiliate and courier, was arrested in April. This week, an alleged scammer using the service was apprehended in Potters Bar, England.

Russian Coms, active since 2021, enabled criminals to spoof caller IDs of banks and other institutions, deceiving victims into transferring money and divulging personal information. Users of the service paid up to £1,400 ($1,800) for a six-month contract, receiving a specially configured smartphone or web app to carry out their scams.

The service facilitated over 1.3 million calls to 500,000 UK phone numbers, with average losses per victim exceeding £9,400 ($12,000). The NCA is now focusing on tracking down additional users worldwide in a concerted law enforcement effort.

Sitting Ducks Attack Exposes Over a Million Domains to Hijacking


Researchers from Eclypsium and Infoblox have documented a domain-hijacking technique, dubbed the Sitting Ducks attack, that leaves over a million registered domains exposed to takeover on any given day. It is not a flaw in the DNS protocol itself but a consequence of misconfigured delegations. More than a dozen Russian-linked cybercriminal groups have used it to hijack domains without ever touching the owner's registrar or DNS accounts, then put those domains to work for malware distribution, phishing, and data theft.

In a Sitting Ducks attack the adversary takes control of a registered domain at its authoritative DNS service or web hosting provider, rather than at the registrar. The weakness was described as early as 2016 by researcher Matt Bryant, yet it remains largely unknown and unaddressed. It relies on incorrect configurations at domain registrars and DNS providers that are entirely preventable.

Key aspects of the attack include:

  • Lame delegations, where the domain's NS records (held at the registrar and published by the parent zone) point to name servers that hold no zone for the domain and so cannot answer authoritatively for it.
  • Exploitable authoritative DNS providers that let anyone create a zone for such a domain, effectively claiming it, without proving ownership and without any access to the registrar account.
  • Variants that do not require attackers to register their own domains.

Researchers urge domain holders to:

  • Ensure their authoritative DNS provider is the same as their domain registrar.
  • Verify that their domains and subdomains do not delegate to name servers that no longer serve them (for example, a provider whose service was cancelled but whose NS records were left in place).
  • Ask their DNS providers what specific mitigations they have in place against this attack.
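The second bullet is checkable rather than just advice: fetch the NS hosts the parent zone delegates each domain and subdomain to, ask every one of them for the domain's SOA, and treat any server that refuses, fails, or answers without the authoritative (AA) flag as lame. The checker below is an added example, not code from Eclypsium or Infoblox. To keep it runnable offline, the queries are answered from a constructed table; in practice the `query` callable would wrap `dig +norecurse @ns SOA domain` or dnspython's `dns.query.udp`. The domains, name servers, and the list of "claimable" providers are all made-up assumptions.

```python
"""Audit delegations for the Sitting Ducks precondition: a lame delegation to a
provider where anyone can claim the domain without proving control of it.

Added example; the DNS answers, domains and provider list are constructed.
"""
from dataclasses import dataclass, field

# Name server suffixes the operator believes belong to providers that allow a
# zone to be created for an arbitrary domain without ownership verification.
# This is an assumption for the example, not a list published by the researchers.
CLAIMABLE_NS_SUFFIXES = (".weakdns.example",)


@dataclass
class Answer:
    rcode: str                      # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN"
    authoritative: bool = False     # the AA bit in the response


@dataclass
class Report:
    domain: str
    delegated_to: list
    healthy: list = field(default_factory=list)
    lame: list = field(default_factory=list)
    claimable_lame: list = field(default_factory=list)

    @property
    def verdict(self):
        if not self.delegated_to:
            return "no delegation"
        if self.claimable_lame:
            return "SITTING DUCK"
        if self.lame:
            return "lame delegation"
        return "ok"


def is_lame(ans):
    # A server that truly hosts the zone answers SOA with NOERROR and AA set.
    # REFUSED (no such zone), SERVFAIL (broken zone) and a NOERROR without AA
    # (a recursive answer, not its own zone) all mean it cannot serve the domain.
    return ans.rcode != "NOERROR" or not ans.authoritative


def check_delegation(domain, delegated_to, query):
    """Classify each delegated name server for `domain` using `query(ns, domain)`."""
    report = Report(domain=domain, delegated_to=list(delegated_to))
    for ns in delegated_to:
        try:
            ans = query(ns, domain)
        except TimeoutError:
            ans = Answer("SERVFAIL")        # unreachable counts as lame
        if is_lame(ans):
            report.lame.append(ns)
            if ns.lower().endswith(CLAIMABLE_NS_SUFFIXES):
                report.claimable_lame.append(ns)
        else:
            report.healthy.append(ns)
    return report


# Constructed stand-in for real authoritative queries: (ns, domain) -> Answer.
FAKE_DNS = {
    ("ns1.gooddns.example", "safe.example"): Answer("NOERROR", True),
    ("ns2.gooddns.example", "safe.example"): Answer("NOERROR", True),
    # victim.example left weakdns; the registrar delegation was never updated.
    ("ns1.weakdns.example", "victim.example"): Answer("REFUSED"),
    ("ns2.weakdns.example", "victim.example"): Answer("REFUSED"),
    # partial.example: one working server, one broken one at a provider that
    # does verify ownership, so it is lame but not (by this list) claimable.
    ("ns1.gooddns.example", "partial.example"): Answer("NOERROR", True),
    ("ns1.otherdns.example", "partial.example"): Answer("SERVFAIL"),
}


def fake_query(ns, domain):
    return FAKE_DNS.get((ns, domain), Answer("REFUSED"))


# What the parent zone publishes, i.e. what is configured at the registrar.
# Subdomain delegations are audited exactly the same way as apex domains.
DELEGATIONS = {
    "safe.example": ["ns1.gooddns.example", "ns2.gooddns.example"],
    "victim.example": ["ns1.weakdns.example", "ns2.weakdns.example"],
    "partial.example": ["ns1.gooddns.example", "ns1.otherdns.example"],
    "legacy.safe.example": ["ns1.retired.example"],
}


def audit(delegations=DELEGATIONS, query=fake_query):
    return {d: check_delegation(d, ns, query) for d, ns in delegations.items()}


if __name__ == "__main__":
    for r in audit().values():
        print(f"{r.domain:22} {r.verdict:16} lame={r.lame}")
```

Even a single lame server in an otherwise healthy NS set is worth fixing: resolvers spread queries across the delegated servers, so an attacker who claims the lame one still captures a share of the domain's traffic.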

For DNS service providers, recommendations include:

  • Issuing randomised name server hosts for each new zone, so that claiming a domain requires a change at the registrar.
  • Ensuring newly issued name server hosts never match hosts previously assigned to that domain.
  • Prohibiting modifications to name server hosts after they have been assigned.
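These three provider-side rules fit together, and the model below shows why. It is an added example, not code from any DNS provider: a provider that hands every zone the same ns1/ns2 hosts (the weak design) is contrasted with one that draws per-zone hosts from a pool, never reuses a host previously issued for that domain, refuses to rename them, and only answers authoritatively on the hosts bound to the current zone. In the hardened design a newcomer's zone for a lapsed domain is never reachable through the stale registrar delegation. All host names and accounts are made up.

```python
"""Provider-side Sitting Ducks mitigation: randomised, non-reusable NS hosts.

Added example modelling the recommendations above; provider names are invented.
"""
import random


class Provider:
    """Hardened design: per-zone random NS hosts that are never reissued."""

    def __init__(self, suffix="dnsprov.example", pool_size=64, per_zone=2, rng=None):
        self.pool = [f"ns-{i}.{suffix}" for i in range(pool_size)]
        self.per_zone = per_zone
        self.rng = rng or random.SystemRandom()
        self.zones = {}      # domain -> {"account": str, "ns": frozenset}
        self.history = {}    # domain -> every NS host ever issued for it

    def create_zone(self, account, domain):
        """Issue fresh NS hosts; the account must then set them at its registrar."""
        used = self.history.setdefault(domain, set())
        available = [h for h in self.pool if h not in used]
        if len(available) < self.per_zone:
            raise RuntimeError(f"name server pool exhausted for {domain}")
        ns = frozenset(self.rng.sample(available, self.per_zone))
        used |= ns                                   # never reissue these for this domain
        self.zones[domain] = {"account": account, "ns": ns}
        return sorted(ns)

    def delete_zone(self, domain):
        self.zones.pop(domain, None)                 # history is deliberately kept

    def rename_nameservers(self, domain, new_ns):
        raise PermissionError("name server hosts are fixed once assigned")

    def authoritative_answer(self, ns_host, domain):
        """What a resolver gets when it asks `ns_host` for `domain`."""
        zone = self.zones.get(domain)
        if zone is None or ns_host not in zone["ns"]:
            return "REFUSED"
        return "NOERROR"


class SharedHostProvider(Provider):
    """Weak design: every zone lives on the same fixed hosts, so a newly created
    zone is live on the existing delegation immediately."""

    def create_zone(self, account, domain):
        ns = frozenset(self.pool[:self.per_zone])
        self.zones[domain] = {"account": account, "ns": ns}
        return sorted(ns)


def hijack_scenario(prov=None, domain="victim.example", seed=7):
    """Victim creates a zone, leaves without updating the registrar, attacker
    claims the domain. Returns what resolvers get via the stale delegation."""
    prov = prov or Provider(rng=random.Random(seed))
    victim_ns = prov.create_zone("victim", domain)    # set at the registrar
    prov.delete_zone(domain)                          # delegation left in place
    attacker_ns = prov.create_zone("attacker", domain)
    return {
        "victim_ns": victim_ns,
        "attacker_ns": attacker_ns,
        "served_on_stale": [prov.authoritative_answer(ns, domain) for ns in victim_ns],
    }


def rename_is_blocked(prov=None):
    prov = prov or Provider()
    prov.create_zone("acct", "rename.example")
    try:
        prov.rename_nameservers("rename.example", ["ns-1.dnsprov.example"])
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("shared hosts :", hijack_scenario(SharedHostProvider()))
    print("random hosts :", hijack_scenario())
```

Note what the hardened provider does not do: it does not verify that the attacker owns the domain. It simply guarantees that the attacker's zone answers only on hosts the victim's registrar record never mentioned, so the hijack fails until whoever controls the registrar account changes the delegation, which is the one step the Sitting Ducks attack is designed to avoid.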

Collaboration between domain holders, registrars, DNS providers, and the cybersecurity community is crucial to mitigating this widespread and stealthy threat.



Kc Chohan

Specialist in Cutting Taxes by 30-46% per year for Those Paying $500K+ Annually

7 months ago

Powerful insights into cybercrime tactics. Time to defend proactively? Aidan Dickenson

Marcel Velica

Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions | Cybersecurity Excellence | Cloud Security

7 months ago

Exciting update! The latest edition of Cyber Daily is packed with valuable insights. Aidan Dickenson

More articles by Aidan Dickenson