Saturday 3rd August 2024

Good morning everyone, happy Saturday, thank you for joining me for the latest installment of Cyber Daily. Today, we're looking in to the latest global stories from the exploitation of Cloudflare's free service for malware distribution to the UK’s NCA shutting down a prolific call-spoofing operation, and the newly discovered DNS vulnerability that's putting over a million domains at risk.

Cybercriminals Exploit TryCloudflare for Malware Delivery

Cybersecurity firms are raising alarms over a surge in the misuse of Cloudflare's 'TryCloudflare' free service to deliver malware. eSentire and Proofpoint have documented cyber attackers using TryCloudflare to set up one-time tunnels, relaying traffic from attacker-controlled servers to local machines through Cloudflare's infrastructure. This method has been observed delivering a variety of malware, including AsyncRAT, GuLoader, and Venom RAT.

The attack typically starts with a phishing email containing a ZIP file. This file includes a URL shortcut that directs the recipient to a Windows shortcut hosted on a TryCloudflare-proxied WebDAV server. The shortcut then executes batch scripts that download and run additional malicious payloads, displaying a decoy PDF to maintain the ruse.

Proofpoint notes that phishing emails are written in multiple languages and cover diverse themes like invoices and tax documents, targeting organisations worldwide. This campaign, financially motivated, leverages Cloudflare tunnels to create temporary, scalable infrastructure, making it harder for defenders to track and block.

The ongoing exploitation of TryCloudflare has prompted calls for Cloudflare to enhance its anti-abuse policies to prevent cybercriminals from using its services to mask malicious activities.

UK's NCA Shuts Down Russian Coms, Arrests Fraud Ring Members

The UK's National Crime Agency (NCA) has dismantled Russian Coms, a notorious call-spoofing service that defrauded hundreds of thousands of victims globally. This operation has led to the arrest of at least four suspects, all British nationals, believed to be key players in the fraudulent scheme that spanned over 100 countries.

In March, the NCA arrested two men in London suspected of developing and administering the platform. A third man, accused of being an affiliate and courier, was arrested in April. This week, an alleged scammer using the service was apprehended in Potters Bar, England.

Russian Coms, active since 2021, enabled criminals to spoof caller IDs of banks and other institutions, deceiving victims into transferring money and divulging personal information. Users of the service paid up to ￡1,400 ($1,800) for a six-month contract, receiving a specially configured smartphone or web app to carry out their scams.

The service facilitated over 1.3 million calls to 500,000 UK phone numbers, with average losses per victim exceeding ￡9,400 ($12,000). The NCA is now focusing on tracking down additional users worldwide in a concerted law enforcement effort.

Sitting Ducks Attack Exposes Over a Million Domains to Hijacking

Researchers from Eclypsium and Infoblox have discovered a critical vulnerability in the DNS system, dubbed the Sitting Ducks attack, that jeopardises over a million domains daily. This technique, exploited by more than a dozen Russian-linked cybercriminal groups, allows attackers to hijack domains without accessing the domain owner’s accounts, facilitating activities like malware distribution, phishing, and data theft.

The Sitting Ducks attack involves taking control of a registered domain at an authoritative DNS service or web hosting provider. Despite being detailed as early as 2016 by researcher Matt Bryant, it remains largely unknown and unaddressed. The attack exploits incorrect configurations at domain registrars and DNS providers, which are preventable issues.

Key aspects of the attack include:

• Lame delegations where authoritative DNS servers lack information to resolve queries.
• Exploitable authoritative DNS providers that attackers can claim without needing domain registrar account access.
• Variants that do not require attackers to register their own domains.

Researchers urge domain holders to:

• Ensure their authoritative DNS provider is the same as their domain registrar.
• Verify that domains and subdomains do not delegate to invalid service providers.
• Check with DNS providers about specific mitigations against this attack.

For DNS service providers, recommendations include:

• Issuing random name server hosts that require registrar changes for domain claims.
• Ensuring new name server hosts do not match previous assignments.
• Prohibiting modifications to name server hosts after assignment.

Collaboration between domain holders, registrars, DNS providers, and the cybersecurity community is crucial to mitigating this widespread and stealthy threat.