Exploitation of Codespaces. Blank-image attacks. Social engineering trend. ICS vulnerabilities. Combined cyber arms

News

At a glance.

  • Codespaces accounts can act as malware servers.
  • Blank-image attacks.
  • Campaigns leveraging HR policy themes.
  • Travel-themed phishing increases.
  • An overview of 2H 2022 ICS vulnerabilities.
  • Ukraine warns that Russian cyberattacks continue.

Codespaces accounts can act as malware servers.

Researchers at Trend Micro have found that GitHub Codespaces, a cloud-based IDE that was released in November 2022, can be abused to create a trusted malware file server. The issue lies in Codespaces' ability to share forwarded ports publicly, which allows developers to preview their projects as an end user:

“We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content (such as scripts, malware, and ransomware, among others), and organizations may consider these events as benign or false positives.”

The researchers explain that “attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments.” Trend Micro also notes that they haven’t seen this technique used in the wild. For more on Codespaces abuse, see CyberWire Pro.

SPONSORED BY 1PASSWORD

Ready to make the switch to 1Password? It’s easy!

Bank logins. Confidential project files. Your grandma's super-secret shortbread recipe. Everything your team or business stores in 1Password is protected by our industry-leading encryption models – because security isn't just a feature. It's our foundation. And with dedicated onboarding and customer success teams at your disposal, switching is easier than you think.

Blank-image attacks.

Avanan, a Check Point Software company, released a blog this morning detailing a new attack in which hackers hide malicious content inside a blank image within an HTML attachment in phishing emails claiming to be from DocuSign. The campaign begins with an email appearing to originate from DocuSign, containing a link and an HTML attachment. The phishing email requests the review and signature of a document claiming to be “remittance advice.” If clicked, the “View Completed Document” button links to a clean, legitimate webpage, but the attachment, however, is not. If the document is opened, the blank image attack begins. The attachment includes an SVG image encoded with Base64 containing Javascript that redirects to the malicious link. Hiding the malware within the empty image attachment hides the true intent of the message, and contains a legitimate link, allowing for the email to bypass link analysis and security scanners. For more on blank-image attacks, see CyberWire Pro.

SPONSORED BY NISOS

Doing Threat Intel is Really Difficult - Try a Managed Intel Service

Why are you struggling with interpreting threat intel by yourself? Engage Nisos to achieve better risk insights and outcomes. Rely on the experts with a managed service that gives you the people, process, and technology to control costs while improving your defenses. Nisos leverages automation efficiency and analyst expertise that eliminates noise, identifies risks, and prioritizes your company-specific threats. We help you respond to threats faster and more effectively through assessments, monitoring, and investigations.

Campaigns leveraging HR policy themes.

Abnormal Security released research this morning on phishing attacks purporting to be from internal HR departments with policy updates in the new year. The first attack, a payload-based credential phishing attack, claims to be from the victim’s company Human Resources department informing them of updates to benefits packages. The email asks for the review of an “updated handbook,” which would lead to a credential harvesting login page imitating Microsoft. The other observed link-based attack presented itself as an internal HR email, announcing a new employee handbook containing a link directing to a credential harvesting page. For more on HR-themed phishing, see CyberWire Pro.

Travel-themed phishing increases.

Bitdefender has published a report looking at the prevalence of travel-themed phishing scams. The researchers found that 60% of all travel-themed emails sent between December 20th and January 10th were phishing attacks. Most of the attacks observed by Bitdefender targeted English-speaking users: “Particularly, spammers pushed their travel-themed lures on English-speaking recipients, with 53% of the correspondence targeting US inboxes. The US is followed by Ireland (10%), India (6%), the UK and South Africa (5% each), and Germany (4%).” For more on this form of social engineering, see CyberWire Pro.

An overview of 2H 2022 ICS vulnerabilities.

SynSaber has published a report looking at industrial control system (ICS) vulnerabilities catalogued by the US Cybersecurity and Infrastructure Security Agency (CISA) in the second half of 2022. The researchers found that 35% of vulnerabilities disclosed in 2H 2022 don’t currently have a patch available, and 33% will require a firmware update. Additionally, 43% of vulnerabilities were discovered by security researchers rather than the equipment manufacturers. The researchers also note that 22% of the vulnerabilities “require local or physical access to the system in order to exploit (up from 23% during the first half of the year).” For more on recent ICS vulnerabilities, see CyberWire Pro.

Ukraine warns that Russian cyberattacks continue.

The Guardian reports that Viktor Zhora, of Ukraine’s State Service of Special Communication and Information Protection (SSSCIP), is visiting Britain's GCHQ this week, and has said that Russian cyberattacks have tripled over the past year, and continue at a high rate. Interestingly, he said that “in some cases, cyber-attacks supportive to kinetic effects” have been seen; that is, Ukraine sees signs that Russia is attempting to integrate cyber operations and information operations with missile strikes and action on the ground.

Mr. Zhora's remarks are consistent with a report his agency issued earlier this week, "Cyber Attacks, Artillery, Propaganda. General Overview of the Dimensions of Russian Aggression." The report stresses signs that Russian attempts at coordinated operations have increased, that Russian targeting has been not just indiscriminate, but directed against civilians, and that Russian cyber operations can amount to war crimes. The cyberattacks have generally been parried by Ukrainian defenses, but they remain an enduring threat. The report ends with a call for more international cooperation against cyberattacks, whether by Russia or other "authoritarian regimes," and notes the value of considering those states' military doctrine in forecasting their probable courses of action in cyberspace. It calls for international recognition of the ways in which cyber operations can constitute either crimes against peace or war crimes, and it urges an expansion and tightening of economic sanctions against Russia.

The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.

Notes.

Today's issue includes events affecting the European Union, France, Germany, Israel, Morocco, the Netherlands, Poland, Russia, Ukraine, the United Kingdom, and the United States.

Read the Full Article
Get updates to your inbox
Our latest tips, insights, and news
Follow DoControl on social media
DoControl - SaaS data access control - Linkedin logoDoControl - SaaS data access control - Twitter logo
Get updates to your inbox
Our latest tips, insights, and news