Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A new sophisticated phishing campaign has been found exploiting a zero-day vulnerability in Salesforce’s email service. This campaign features a Meta-themed email, warning the victim that their Facebook account is facing suspension. The interesting part here is the link in the email, which leads the user to a legitimate Facebook terms of service page before redirecting them to the phishing destination, where their credentials are stolen. The incorporation of this legitimate Facebook link not only aids in fooling the user, but also helps the email evade security mechanisms. This zero-day allowed threat actors to send emails from an address using the Salesforce domain, which further convinces the victims that they are viewing a genuine email. Salesforce were notified of this zero-day in late June and have since patched the flaw for all impacted services.
The NoName hacker group has been active recently, with their latest campaign focusing on the disruption of top Italian banks. The most recent statement from the Italian National Authority for Cybersecurity reports DDoS attacks against at least 5 different banks. The websites of these major banks were taken offline for a short period, preventing customers from accessing their banking services. NoName has claimed responsibility for all these recent attacks on their Telegram channel, where they have shared details of the attacks.
This week, Microsoft revealed that a recent string of targeted social engineering attacks was orchestrated by the Russian state-sponsored group Midnight Blizzard. These credential theft attempts are being sent via Microsoft Teams chat, and specifically target users belonging to an already compromised Microsoft 365 tenant. The full attack involves the attacker compromising a Microsoft 365 tenant, setting up a subdomain and posing as a technical support user, and finally using this support account to fool the user into approving an MFA prompt.
American apparel brand Hot Topic has reported suspicious login activity for multiple “Hot Topic Rewards” accounts. Investigation into these suspicious logins found that credential-stuffing attacks have been launched against their website and mobile application. The unknown threat actor used credentials likely bought off the dark web to gain access to customer accounts. It is possible the threat actor was able to collect names, email addresses, order history, phone numbers, mailing addresses, and birthdays from the breached accounts. Hot Topic is currently working alongside cybersecurity experts to implement new measures to protect its website and mobile platforms from credential-stuffing attacks. It is also emailing users with instructions to reset their password and encouraging strong, unique passwords for its customer accounts.
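Credential stuffing is distinguishable from ordinary failed logins by its shape: one source tries many different accounts in a short window, with most attempts failing and the occasional success marking an account that needs a forced password reset. The detector below, an added example that is not Ironshare’s or Hot Topic’s code, runs that check over a handful of constructed login audit lines in a made-up `timestamp EVENT user=... ip=...` format; the log format, thresholds and IP addresses are all assumptions to be adapted to your own platform’s authentication events.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example; not code from Ironshare or Hot Topic. The log format,
thresholds and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 198.51.100.7 cycles through seven accounts in a
# few seconds with one success (stuffing); 203.0.113.9 is a real user who
# mistypes their password twice before logging in.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z LOGIN_FAIL user=alice@example.com ip=198.51.100.7
2023-08-01T10:00:02Z LOGIN_FAIL user=bob@example.com ip=198.51.100.7
2023-08-01T10:00:02Z LOGIN_FAIL user=carol@example.com ip=198.51.100.7
2023-08-01T10:00:03Z LOGIN_OK user=dave@example.com ip=198.51.100.7
2023-08-01T10:00:03Z LOGIN_FAIL user=erin@example.com ip=198.51.100.7
2023-08-01T10:00:04Z LOGIN_FAIL user=frank@example.com ip=198.51.100.7
2023-08-01T10:00:05Z LOGIN_FAIL user=grace@example.com ip=198.51.100.7
2023-08-01T10:05:00Z LOGIN_FAIL user=heidi@example.com ip=203.0.113.9
2023-08-01T10:05:20Z LOGIN_FAIL user=heidi@example.com ip=203.0.113.9
2023-08-01T10:05:40Z LOGIN_OK user=heidi@example.com ip=203.0.113.9
"""


def parse_line(line):
    """Parse one constructed log line into a dict (assumed format)."""
    ts, event, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: report} for source IPs that, inside any `window`, tried
    at least `min_distinct_users` distinct accounts with at least
    `min_fail_ratio` of those attempts failing. The report covers the
    widest qualifying window plus every account that IP logged into."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["event"] == "LOGIN_FAIL")
            if len(users) < min_distinct_users or fails / len(win) < min_fail_ratio:
                continue
            prev = flagged.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Accounts the source actually got into: reset these first.
                    "succeeded": sorted({e["user"] for e in evs
                                         if e["event"] == "LOGIN_OK"}),
                }
    return flagged


if __name__ == "__main__":
    for ip, report in detect_stuffing(SAMPLE_LOG).items():
        print(ip, report)
```

The sliding window keys on distinct usernames per source rather than on failure count alone, which is what separates stuffing from a single user fumbling their password (203.0.113.9 is never flagged). In practice the thresholds need tuning for shared egress addresses such as corporate NAT or mobile carriers, and the `succeeded` list is the input to the forced-reset step the article describes.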
Ninja Forms, a plugin used on around 900,000 sites, could allow a hacker to steal sensitive information entered into website forms. The most critical vulnerability allowed users who were website subscribers or contributors to export all data that other users had entered via the site's forms. Patchstack originally discovered the vulnerability in June 2023 and reported it to the plugin’s developer, Saturday Drive, for patching; however, Patchstack has said the latest patch, Ninja Forms version 3.6.26, is incomplete and still leaves websites open to a data breach. Website owners are recommended to disable the plugin where possible, or otherwise update to the latest version for better protection.
And that’s it for this week’s round-up. Please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #245 – 4th August 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.