TryCloudflare Malware Spread, FBI Scam Alert, Azure Outage Triggered-Cybersecurity News [July 29, 2024]
This week’s latest scoop in cybersecurity will take you to the TryCloudflare exploitation for deploying RATs, the new FBI warning about scammers impersonating crypto exchanges, the MS Azure outage details, new features on Google Chrome against infostealers, and the security gap in Whatsapp for Windows that allows threat actors to run malicious scripts without alerts. Stay tuned to learn more about these and how to stay safe!
Hackers Exploit Free TryCloudflare Service to Spread Remote Access Malware
Researchers at Proofpoint reported that threat actors have been abusing Cloudflare to spread malware and drop RATs (Remote Access Trojans).
The activity has been going on since February, and the threat actors leverage the TryCloudflare free service to distribute RATs like Remcos, VenomRAT, GuLoader, and Xworm. The service allows access to local services by proxying traffic via an encrypted tunnel so there’s no exposure of the IP addresses. It allows users to create temporary tunnels and test them without the need for an account as well. Each tunnel basically generates a temporary, random subdomain that users can use to route traffic, and threat actors have been abusing this feature. They have been targeting the manufacturing, technology, law, and finance sectors by hosting LNK files on such domains and luring victims via phishing emails that lead to the payload. The file executes BAT or CMD scripts when opened and deploys PowerShell, through which the final RAT payload is distributed on the victim systems.
Since the domains are temporary, it is not much use blocking them. The service is free and reliable to use and Cloudflare is taking steps to disable and take down any malicious tunnels they come across.
FBI Issues Warning About Scammers Impersonating Crypto Exchange Staff
The FBI issued a warning this week about scammers who are now impersonating crypto exchange employees to steal finances.
They detailed how these scammers are contacting victims via phone calls and messages and create a sense of urgency, citing a security issue or a hack into the victim’s account to establish contact. After this, they employ social engineering tactics to gain the trust of the victims and steal their login credentials and sensitive information. The scammers use this to gain access to the victim’s accounts and steal all the funds. The FBI shared how you can exercise caution and verify all identities before you divulge any sensitive information to scammers. It’s best that you contact the crypto exchange independently instead of responding to their messages or calls to find out the truth. You can easily stay safe from such scammers by avoiding clicking on any links that they send you, as they are likely to be fraudulent and malicious.
Above all, never share any login information via unsolicited calls or text messages, and do not open attachments provided in emails. Scammers are not just impersonating crypto exchanges and there’s also a rise in of threat actors posing as law firms offering crypto recovery services. Be wary of them as well.
Microsoft Reveals Azure Outage Triggered by DDoS Attack
Microsoft suffered a 9-hour outage on Tuesday when multiple MS 365 and Azure services were down around the world.
The outage impacted many Microsoft platforms and Azure app services. Microsoft shared a mitigation statement in which they outlined that the disruption of services was caused by a DDoS (Distributed Denial of Service) attack. They did not share any news about the type of attack or the threat actor behind it but did share that it activated Microsoft’s DDoS protection mechanisms that amplified the attack instead of mitigating it due to an error in implementation. They have made network configuration changes and also performed failovers to other network paths so users can enjoy all services without any disruption.
Redmond will share a PIR (Preliminary Post-Incident Review) within three days and a final report within 15 days that will share all the details about the outage.
Google Chrome Introduces App-Bound Encryption to Combat Infostealer Malware
This week, Google added an app-bound encryption to its web browser that will offer better cookie and infostealer protection on Windows systems.
Chrome is adopting better techniques provided by operating systems to protect the sensitive data of the users, such as cookies and passwords, using Keychain services on Mac, DPAPI (Data Protection Application Programming Interface) on Windows, and kwallet on Linux. The new Chrome will feature an app-bound encryption that will improve DPAPI and encrypt all data tied to an application identity instead of letting the application with the user login to access said data. The service will confirm an application’s identity and encode it into the encrypted data so only the application can decrypt it, and not any third-party applications, adding a layer of protection. This will stop threat actors as they would need to gain system privileges or deploy malware, triggering anti-virus programs. With the new feature, all passwords, payment data, and authentication tokens will be safe from infostealer attacks.
This is the second update that improves Chrome because last week, Google announced new Chrome warnings that would issue alerts about potentially malicious downloads.
WhatsApp for Windows Allows Python and PHP Scripts to Run Without Alerts
A security issue was discovered in the WhatsApp web interface for Windows that threat actors could use to send Python and PHP attachments, which are executed without any warning.
A similar issue was also discovered and then fixed on Telegram back in April. It only works on systems that already have Python installed, so the target audience is software developers, students, power users, and researchers. When you receive a potentially dangerous file, WhatsApp provides two choices: open it or save it as a file. But if you try to open EXE, COM, DLL, HTA, VBS, SCR, BAT, and Perl files, the execution is blocked, and you can only save these files to the disk; however, if you try to execute PYZ, PYZW, and EVTX files, it does not block the launch and they are executed.
Saumyajeet Das found the issue and reported it to Meta, but the organization has not taken any steps to mitigate it.