Jul 05 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that reckons they’ll be a 90 minute drop in cyberattacks at 5pm GMT while the world watches Germany Spain ⚽🏟🥅 #EURO2024
It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.
Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹
Check out this freshly hatched patch 🐣
🚨🔒 Critical Rockwell Automation Security Flaws Patched! 🔒🚨
Microsoft revealed two serious flaws in Rockwell Automation PanelView Plus, allowing remote attackers to execute code and trigger DoS attacks. CVE-2023-2071 (CVSS 9.8) affects FactoryTalk View Machine Edition 🖥️, and CVE-2023-29464 (CVSS 8.2) impacts FactoryTalk Linx 📡. Both vulnerabilities, now patched, could be exploited by unauthenticated attackers via malicious packets 📦💣. 🛡️🔒 Update to the latest version to protect your system and stay secure! 💻✨🚀
Now, on to today’s hottest cybersecurity news stories:
🌐 380k hosts impacted by Polyfill[.]io attack 💥
👨🏻💻 Average ransomware demand reaches 5.2M 💰
🎥 Hacked YouTube accounts spread malware 👾
The supply chain attack on the popular Polyfill[.]io JavaScript library is more extensive than initially thought. Here's the latest:
🌐 Massive Scope
Censys has discovered that over 380,000 hosts are embedding a Polyfill script linked to a malicious domain as of July 2, 2024. These hosts reference "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses.
🍺 High Concentration in Germany
Approximately 237,700 of the affected hosts are located within the Hetzner network, primarily in Germany. Hetzner is a popular web hosting service, widely used by website developers.
🏢 Big Names Affected
Analysis reveals that domains tied to major companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson reference the malicious endpoint.
📆 Attack Details
In late June 2024, Sansec revealed that code hosted on the Polyfill domain was modified to redirect users to adult and gambling websites at specific times of the day. This nefarious behavior was introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.
🚫 Actions Taken
Following the discovery, domain registrar Namecheap suspended the domain, Cloudflare replaced Polyfill links with safe mirror sites, and Google blocked ads for sites embedding the domain.
🚨 Persistent Threat
The operators attempted to relaunch the service under polyfill[.]com, which was also taken down. However, polyfill[.]site and polyfillcache[.]com remain active, with the latter still operational.
🔍 Broader Malicious Campaign?
Censys uncovered a network of potentially related domains, including bootcdn[.]net, bootcss[.]com, and staticfile[.]net. One domain, bootcss[.]com, has been engaging in similar malicious activities since June 2023. Censys identified 1.6 million public-facing hosts linking to these suspicious domains.
⚠️ Future Risks
It’s possible that the same malicious actor behind the attack might exploit these other domains for similar activities in the future.
🔐 WordPress Security Alert
WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through numerous legitimate plugins that link to the rogue domain.
Stay vigilant and secure! 🛡️
Ransomware attacks are hitting harder than ever, with extortion demands soaring to new heights.
📈 Record High Demands
The average ransom demand in H1 2024 was over $5.2 million (£4.1 million), according to Comparitech. This figure comes from 56 known demands issued by threat actors from January to June 2024.
💸 Major Attacks
$100 million (£78.9 million): India's Regional Cancer Center (RCC) in April 2024.
$50 million (£39.4 million): UK pathology provider Synnovis, causing thousands of cancellations.
$25 million (£19.7 million): Canadian retailer London Drugs in May 2024 by LockBit.
📂 Records Stolen
421 confirmed ransomware attacks impacted 35.3 million records in H1 2024. This is a reduction compared to H1 2023's 704 attacks affecting 155.7 million records. However, ongoing disclosures will likely increase these numbers.
🏢 Affected Sectors
Private Businesses: 240 incidents, 29.7 million records.
Government: 74 attacks, 52,390 records.
Healthcare: 63 attacks, 5.4 million records.
📝 Top Incidents by Records
LoanDepot: 16.9 million records
Izumi Co: 7.7 million records
Prudential Insurance: 2.5 million records
India’s RCC: 2 million records
Ann & Robert H. Lurie Children’s Hospital of Chicago: 791,784 records
🦠 LockBit Dominates
LockBit was the most prolific ransomware group with 48 confirmed attacks in H1 2024, despite a significant law enforcement takedown in February. Other prominent groups include:
Medusa: 31 attacks
BlackBasta: 27 attacks
Akira: 20 attacks
8Base: 17 attacks
INC Ransom: 16 attacks
🚨 New Trends
An increasing number of groups no longer encrypt files but rely solely on data theft for extortion.
🔒 Stay Safe!
As one of today’s most popular social media platforms, YouTube is often in the crosshairs of cybercriminals who exploit it to peddle scams and distribute malware. The lures often involve videos posing as tutorials about popular software or ads for crypto giveaways. Fraudsters embed links to malicious websites in video descriptions or comments, disguising them as genuine resources related to the video’s content.
Thefts of popular YouTube channels extend the reach of fraudulent campaigns to untold numbers of regular users. Cybercriminals repurpose these channels to spread crypto scams and info-stealing malware through links to pirated and malware-laden software, movies, and game cheats. YouTubers who have their accounts stolen face loss of income and lasting reputational damage.
How can cybercriminals take over YouTube channels? 🔑
More often than not, it starts with phishing. Attackers create fake websites and send emails that look like they are from YouTube or Google, tricking targets into surrendering their “keys to the kingdom.” They tout sponsorship or collaboration deals as the lure, with messages including attachments or links to files that supposedly detail terms and conditions.
In many cases, the threat becomes more acute if accounts are not protected by two-factor authentication (2FA) or if attackers circumvent this safeguard. Since late 2021, content creators need to use 2FA on the Google account associated with their YouTube channel. Attackers also steal session cookies from victims’ browsers, bypassing additional security checks involved in the authentication process. Alternatively, attackers use credentials from past data breaches to break into existing accounts, relying on the fact that many people reuse passwords across different sites. Brute-force attempts with automated tools to try numerous password combinations can also succeed if people use weak or common passwords and skip on 2FA.
Staying out of harm’s way on YouTube 💡
Use strong and unique login credentials.
Create strong passwords or passphrases and avoid reusing them across multiple sites.
Use a strong form of 2FA, involving authentication apps or hardware security keys instead of SMS-based methods.
Be cautious with emails and links.
Be skeptical of messages claiming to be from YouTube or Google, especially if they ask for personal information or account credentials.
Avoid clicking on suspicious links or downloading attachments from unknown sources.
Keep your operating system and other software updated to protect against known vulnerabilities. Keep tabs on your account activity, regularly checking for any suspicious actions or login attempts. If you suspect your channel has fallen prey to an attack, refer to guidance from Google.
Educate yourself about the latest cyber threats and scams targeting YouTube users. Knowing what to look out for can help you avoid falling victim to these threats. Report and block suspicious content, comments, links, or users on YouTube. Blocking such users can prevent further contact. Secure your devices with multi-layered security software to protect against a variety of threats.
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!