Tackling Password Reuse, SubdoMailing Ad Fraud, Ancient CMS Exploits, and LockBit’s Resurgence

The Daily Decrypt

Tackling Password Reuse, SubdoMailing Ad Fraud, Ancient CMS Exploits, and LockBit's Resurgence

00:00 /

From the stubborn issue of password reuse despite extensive training, to the audacious ad fraud campaign SubdoMailing, leveraging hijacked domains for malvertising. Learn about the revival of ancient CMS vulnerabilities targeting government and educational sites, and the defiant resurgence of the LockBit ransomware group post-crackdown. Join us for insights into battling digital threats and safeguarding the internet landscape.

Original URLs:

Transcript:

Feb 27

[00:00:00] announcer: Welcome to The Daily Decrypt, the go to podcast for all things cybersecurity. Get ready to decrypt the complexities of cyber safety and stay informed. Stand at the frontier of cybersecurity news, where every insight is a key to unlocking the mysteries of the digital domain. Your voyage through the cyber news vortex starts now.

[00:00:29] offsetkeyz: All right. Good morning, everyone.

[00:00:31] offsetkeyz: Today is February 27th and you’re listening to the daily decrypt today. We’re joined by hot girl farmer to do more reactions to your favorite segment. Who’s been popped.

[00:00:41] transition: Oh my gosh, they got popped?

[00:00:42] offsetkeyz: Next up we’re cracking open the not so secret world of password reuse. Revealing that despite a delusion of cybersecurity training, many still can’t resist the siren call of one, two, three, four, five, six. Then we’ll explore the shadowy depth of sub domain [00:01:00] calling. We’re hijack domains are not just a breach of trust, but a mailman’s worst nightmare delivering scams, right to your inbox.

[00:01:08] offsetkeyz: Makes you miss the days where spam was just a can of meat, right?

[00:01:11] offsetkeyz: Next. We dust off the archives to find an ancient content management system. Making a comeback. Providing that.

[00:01:19] offsetkeyz: Proving that in the cyber world, old bugs are just vintage hacks, waiting for their second wind.

[00:01:25] offsetkeyz: And finally we’re locking down the story of the lock bit. Ransomware groups, resurgence, a tale of digital defiance that proves you can’t keep a bad virus down.

[00:01:34] transition: Do, do, do, do, do, do, do, do, do.

[00:01:40] offsetkeyz: All right. So before we dive into your favorite segment, who’s been popped. Just wanted to remind everyone that we understand that these situations are very serious and.

[00:01:49] offsetkeyz: They will be delivered in a lighthearted way. Using dad jokes, but our goal is to just deliver the news in a fun and consumable way.

[00:01:58] offsetkeyz: Our hearts are out there with [00:02:00] everyone going through these hard times.

[00:02:02] offsetkeyz: So without further ado. Welcome hot girl farmer.

[00:02:05] HGF: Hi again

[00:02:07] offsetkeyz: uHaul reports, a data breach that affected 67,000 customers.

[00:02:12] HGF: I guess that’s one way to lighten your load.

[00:02:15] offsetkeyz: Phoenix, Arizona based moving company, you haul experienced a data breach last year that affected roughly 67,000 customers across the U S and Canada. The company confirmed on February 23rd. You hold discovered the breach, which occurred through hacking between July 20th and October 2nd and an early December, 2023. During the breach customer’s names, birth dates and driver’s license numbers were acquired.

[00:02:38] offsetkeyz: According to Jeff Lockridge. The breach occurred after an unauthorized party used legitimate credentials to access a system used by UL, dealers and employees to view customers reservations and records.

[00:02:50] offsetkeyz: American vision partners, announces data breach affecting 2.3 million eyecare patients.

[00:02:57] HGF: Too bad. They didn’t see this [00:03:00] coming.

[00:03:00] offsetkeyz: On February 6th medical management resource group. American vision partners filed a notice of data breach with the us department of health and human services offices. The company explained the incident resulted in an unauthorized party, being able to access customer sensitive information. Which includes their names, social security, numbers, contact information, dates of birth, certain medical information and insurance information.

[00:03:26] offsetkeyz: Security week reports that the incident impacted roughly 2.35 million individuals.

[00:03:32] offsetkeyz: Us health tech giant change healthcare was hit by a cyber attack.

[00:03:38] HGF: Change healthcare more like change your passwords.

[00:03:42] HyperX QuadCast S & Razer Kiyo Pro-1: The company said it was experiencing a network interruption related to a cybersecurity issue. And once we became aware of the outside threat in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. The incident began on February 20th in [00:04:00] Nashville, Tennessee.

[00:04:01] HyperX QuadCast S & Razer Kiyo Pro-1: And the company stated on its website that it handles 15 billion healthcare transactions annually. And that one in three us patient records are touched by our clinical connectivity solutions.

[00:04:14] HyperX QuadCast S & Razer Kiyo Pro-1: Australian internet service provider Tangerine has suffered a data breach with the full names, dates of birth, email addresses, and mobile phone numbers of more than 200,000 customers. Being taken by hackers.

[00:04:26] HGF: You know what they say when life hands you tangerines. What.

[00:04:32] HGF: Tangerine said in an email to customers that their personal information was disclosed on a breach on February 18th, which was reported to management two days later. The phone and broadband provider is headquartered in south Melbourne. And as one of Australia’s fastest growing internet providers.

[00:04:48] HGF: And our final breach is a DDoSs attack that hits the university of Cambridge in England and other UK colleges.

[00:04:56] HGF: This was not smart.

[00:04:57] HyperX QuadCast S & Razer Kiyo Pro-1: The university of Cambridge in England reported [00:05:00] that it was the victim of a cyber attack on February 19th, students were notified of the attack, which affected its access to it services such as campsis the university’s comprehensive system for handling student information records and transactions. And Moodle it’s virtual learning environment.

[00:05:27] offsetkeyz: Man. I love talking about passwords.

[00:05:30] offsetkeyz: And most cybersecurity professionals probably do as well. Unless they’re sick of talking about passwords because Hey, guess what? There’s one thing you can do to drastically improve. Your cybersecurity posture, and that’s not reuse passwords.

[00:05:44] offsetkeyz: Recently last pass came out with some research. That they did.

[00:05:49] offsetkeyz: To help understand the efficacy of those cyber awareness training videos circulating around. Corporations. And government [00:06:00] buildings.

[00:06:00] offsetkeyz: And they found that a staggering 79% of individuals found the training helpful. Yet a mere 31%. Ceased the practice of password reuse.

[00:06:12] offsetkeyz: So essentially thanks for the training. Um, no. Guys, it’s not that scary. It’s actually easier to use a password manager to generate all your passwords for you. And then you get to be one of those 31% of cool kids who don’t reuse any passwords. Password reuse emerges as a particularly vexing issue. Bit warden finds that 84% of internet users admit to such practices. Which triggers a few alarms, especially for it teams.

[00:06:42] offsetkeyz: Compromise personal passwords can serve as a backdoor for attackers into a more secure organizational network.

[00:06:48] offsetkeyz: in our show notes. You’ll find an article that. Recommends a multifaceted approach to combating these challenges by integrating technology with training. To foster a more secure password culture. Among the [00:07:00] suggested strategies are running password audits, enforcing strong password policies, utilizing password managers and implementing multifactor authentication. Nothing you haven’t heard here.

[00:07:11] offsetkeyz: The time is winding down.

[00:07:13] offsetkeyz: Grab a glass of wine. And set up your password manager, send us a DM. If you want recommendations. Spoiler, we’re going to recommend one password.

[00:07:29] offsetkeyz: So there’s a new attack out there called sub-domain. which sounds like sub domain.

[00:07:35] offsetkeyz: And it’s exploiting over 8,000 legitimate internet domains and 13,000 sub domains to send up to 5 million emails per day. These hijacked sub-domains of major brands are being used in a colossal spam campaign to generate revenue through scams. And malvertising.

[00:07:53] offsetkeyz: Imagine receiving an email from a domain belonging to trusted names like MSN VM-ware. [00:08:00] Even the economist. You think it’s safe, right? That’s exactly what the orchestrators behind subdomains are. Banking on. By hijacking these abandoned sub domains, the threat actors bypass spam filters with ease, even manipulating email verification protocols like SPF. And D K I M to cloak their nefarious emails in a veil of legitimacy.

[00:08:21] offsetkeyz: Basically all this is saying, is that major names, like the ones listed before. I have let sub domains, which is the part to the left of their main domain. Like shop.amazon.com. shop.amazon.com. Includes the subdomain shop. And they’ve let these sort of expire because they’re not being used anymore. Well, it turns out. Bad actors can go buy them up and send emails from them and do all kinds of nefarious things.

[00:08:53] offsetkeyz: So just be very vigilant about what you’re clicking on.

[00:08:57] offsetkeyz: Try to reduce the amount of links you click on in [00:09:00] your email. And arm yourself with knowledge, know that. Not all sub-domains are safe.

[00:09:10] offsetkeyz: So cyber crooks have dusted off a 14 year old content management system editor known as F CK editor. To launch a devious scheme. Their targets. None other than education and government websites across the globe.

[00:09:26] offsetkeyz: These digital desperadoes are exploiting. What’s called open redirects. So in layman’s terms, this is when a website sends you to another page without checking.

[00:09:34] offsetkeyz: If it’s legit.

[00:09:36] offsetkeyz: Using this ancient artifact of the internet, the content management system attackers are pulling a fast one on search engines. They’re boosting scam sites in your search results, which is a dirty trick. Known as SEO poisoning. It’s like rigging the internet popularity contest to make the bad guys look good.

[00:09:55] offsetkeyz: So this specific editor F CK editor was once the crown jewel of [00:10:00] web editors, letting users tweak websites with ease. Sort of like the Squarespace of the time.

[00:10:07] offsetkeyz: So fast forward to today and. It’s the hacker’s tool of choice for their redirect ruse.

[00:10:13] offsetkeyz: This article, basically just. Highlights. The fact that hackers are very creative. And despite all of our efforts, it’s going to be a continuous cat and mouse game to try to stop them. They’re going to pull out old tools and use them in ways they weren’t intended to be used.

[00:10:28] offsetkeyz: So be careful what you’re clicking out there.

[00:10:30] offsetkeyz: Same message. If they’re not paying for ad space on Google, they’re using these tools to boost their standings on Google SEO.

[00:10:38] offsetkeyz: And these search results can look remarkably like. Legitimate. Websites.

[00:10:43] transition: Uh,

[00:10:55] offsetkeyz: And finally it looks like the lock bit ransomware group. Despite a [00:11:00] global crackdown has popped back up on the dark web.

[00:11:04] offsetkeyz: Flock bit ransomware group is infamous for its cyber extortion tactics. And has appeared to have been dealt a crippling blow by an international law enforcement effort. In a dramatic turn of events though, just days after their infrastructure was dismantled lock bits leader, defiantly posted a message and relisted alleged victim organizations.

[00:11:26] offsetkeyz: So I say alleged because it looks like all the organizations they’re listing as having been breached by them. I was done. All the breaches had been done prior to them being shut down. So. It’s likely a show of force.

[00:11:41] offsetkeyz: And not actually a legitimate threat at this time. They’re still trying keep your eyes out for everything you know about them. But. Not too much to worry about yet. Hopefully it stays that way.

[00:11:54] offsetkeyz: These silly guys, you know, they just have their egos and they want them stroked.

[00:12:00] So that’s all we got for you today. Thanks to hot girl farmer for coming on and reacting. To the breaches of the week.

[00:12:13] offsetkeyz: We’ll talk to you some more tomorrow.