The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- DNS dependencies have increased. More than 40% of the 100,000 most visited websites would be unavailable due to DNS resolution issues if one of the major DNS service providers were to go down.
- Vietnam has increased its cyber presence. Although not traditionally associated with major cyber threat groups, Vietnam has increasingly been attributed as the nation state backing several cyber espionage and crypto-mining attacks.
- In other news this week, 300,000 Spotify user account details were found in an open database, Russia seeks to ban social media sites, and ransomware strikes schools in Alabama.
Critical dependencies on DNS providers increase
- A group of researchers conducted a study on the most visited 100,000 websites to determine the redundancy in the DNS resolution of website operators.
- The research revealed that 89% of the websites use a third-party DNS provider rather than managing their own DNS infrastructure and that 85% of websites relied solely on a single DNS provider, without any backup redundancy in the event of a disaster scenario. This is a 5% increase since 2016.
- Currently, the top three DNS providers, Cloudflare, AWS, and GoDaddy, are the single DNS providers to almost 40% of the top 100,000 websites.
So what for security teams? The research here highlights a need for redundancy in critical infrastructure, not just DNS. Organisations need to have a clear idea of their business-critical assets and the redundancies in place, as well as maintain a disaster recovery plan that details the recovery actions to be taken during a system failure or cyber-attack. Disaster recovery plans need to be tested regularly to minimise downtime during a real incident.
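One concrete check that follows from the research above is to look at which provider operates each of a domain's authoritative nameservers and flag domains that depend on a single one. The script below is an added example, not part of the S-RM briefing or the cited study. It works on nameserver hostnames (for a real domain, the list returned by `dig NS example.com`), maps them to providers using a small hand-maintained pattern table (an assumption; the three patterns cover Cloudflare, AWS Route 53 and GoDaddy, which the briefing names), and falls back to the last two hostname labels otherwise. The Route 53 pattern matters: its nameservers sit under four different top-level domains, so a naive domain comparison would wrongly report them as four providers. The zones and nameservers in `SAMPLE_ZONES` are constructed.

```python
"""Flag domains whose authoritative nameservers all belong to one DNS provider."""
from collections import defaultdict
from typing import Dict, List

# Assumption: hand-maintained substring patterns for well-known managed DNS providers.
# Extend this table for the providers your organisation actually uses.
KNOWN_PROVIDERS = {
    ".ns.cloudflare.com": "Cloudflare",
    ".awsdns-": "AWS Route 53",        # nameservers span .com/.net/.org/.co.uk
    ".domaincontrol.com": "GoDaddy",
}


def provider_of(ns_host: str) -> str:
    """Return a provider label for one nameserver hostname."""
    host = ns_host.lower().rstrip(".")
    for pattern, name in KNOWN_PROVIDERS.items():
        if pattern in host:
            return name
    # Fallback heuristic: treat the last two labels as the operator's domain.
    # This is an approximation (it mis-splits e.g. .co.uk); unknown providers
    # should be added to KNOWN_PROVIDERS once identified.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_redundancy(domain: str, nameservers: List[str]) -> Dict:
    """Group nameservers by provider and report whether only one provider is used."""
    by_provider = defaultdict(list)
    for ns in nameservers:
        by_provider[provider_of(ns)].append(ns)
    providers = sorted(by_provider)
    return {
        "domain": domain,
        "providers": providers,
        "nameserver_count": len(nameservers),
        "single_provider": len(providers) == 1,
    }


# Constructed sample zones; hostnames follow the providers' naming schemes but are made up.
SAMPLE_ZONES = {
    "single-provider.example": ["ned.ns.cloudflare.com", "zara.ns.cloudflare.com"],
    "route53-only.example": [
        "ns-123.awsdns-15.com", "ns-456.awsdns-56.net",
        "ns-789.awsdns-30.org", "ns-1011.awsdns-59.co.uk",
    ],
    "dual-provider.example": ["ns-123.awsdns-15.com", "ns01.domaincontrol.com"],
}


def report(zones: Dict[str, List[str]] = SAMPLE_ZONES) -> List[Dict]:
    """Print a one-line verdict per zone and return the structured results."""
    results = [assess_redundancy(d, ns) for d, ns in zones.items()]
    for r in results:
        verdict = "SINGLE PROVIDER" if r["single_provider"] else "multi-provider"
        print(f"{r['domain']:28} {verdict:16} {', '.join(r['providers'])}")
    return results


if __name__ == "__main__":
    report()
```

A domain flagged as single-provider is not necessarily misconfigured; the point is to make the dependency visible so it can be weighed in the disaster recovery plan, alongside the same question for CDN, e-mail and identity providers.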
Vietnam: A rising cyber threat
- Vietnam may not traditionally be considered a nation involved in major cyber espionage or cyber-attacks, but this position has started to change.
- This week, security researchers linked a new backdoor-installing malware that targets Apple macOS users to OceanLotus (aka APT32 aka Bismuth), a threat group believed to be backed by the Vietnamese government. OceanLotus has historically targeted international organisations operating in Vietnam in cyber espionage campaigns. OceanLotus’ backdoor campaign aims to grant the group access to compromised machines and ultimately an opportunity to exfiltrate confidential information. It usually starts its attacks with phishing emails that disguise a malicious Zip file as a Word document.
- Microsoft also attributed a crypto-mining malware campaign to OceanLotus this week. According to Microsoft researchers, in addition to their traditional cyber espionage activities, OceanLotus has also started to profit by covertly using their victims to mine cryptocurrency. The threat group’s crypto-mining operations may also disguise their cyber espionage attacks, should they be discovered by security teams.
So what? OceanLotus’ recent activity is indicative of a broader movement into the world of cyber warfare by countries not usually associated with such activity. Many of these countries have started to increase their cyber operations in an effort to gain a competitive advantage over their rivals, both in the private sector and in government. Vietnam in particular has emerged as the newest big player in the world of cyber espionage. Although Vietnam is not usually associated with cybercrime to the same extent as some other Asian nations, such as China or North Korea, this is quickly changing. Dark web activity and chatter in the Vietnamese language is increasing, and so are cyber-attacks against foreign companies operating in Vietnam.
Ransomware extends Thanksgiving break
- A ransomware attack has forced Huntsville City Schools district to shut down its schools in Alabama this week and possibly next week. The school district asked students, family, and faculty to shut down all district-issued devices, as it responds to the incident. The ransomware variant involved is so far not publicly known.
- The news comes after Baltimore County Public Schools district was forced to end classes just before Thanksgiving last week due to a ransomware attack. Baltimore County Public Schools had been holding classes fully online due to the pandemic.
So what for security teams? The pandemic has forced schools to be increasingly reliant on digital infrastructure in order to hold classes. This has presented ransomware operators with increased opportunity to target schools. Security is playing catch-up in the education sector. Educational institutions must recognise that an increased reliance on digital platforms exposes them to greater risk and take steps to protect against the threat posed by ransomware operators. Ensuring backups are up-to-date and that no Remote Desktop Protocol (RDP) is exposed to the internet is a good start.
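The last recommendation above, that no RDP is exposed to the internet, can be checked mechanically against firewall or cloud security-group rules before a scan ever has to find it. The following is an added example, not S-RM's own tooling: it audits a list of ingress rules in a generic, constructed shape (direction, action, protocol, port range, source CIDR; an assumption standing in for whatever export your firewall or cloud provider produces) and reports every rule that allows TCP 3389 from an unrestricted source. The rules in `SAMPLE_RULES` are constructed.

```python
"""Audit ingress firewall rules for RDP (TCP 3389) reachable from the whole internet."""
import ipaddress
from typing import Dict, List

RDP_PORT = 3389


def _is_unrestricted(source_cidr: str) -> bool:
    """True when the source covers every address (0.0.0.0/0 or ::/0)."""
    try:
        net = ipaddress.ip_network(source_cidr, strict=False)
    except ValueError:
        # Named sources (e.g. another security group) are not an internet exposure by themselves.
        return False
    return net.prefixlen == 0


def rule_exposes_rdp(rule: Dict) -> bool:
    """Return True if this rule allows inbound TCP 3389 from an unrestricted source."""
    if rule.get("direction") != "ingress" or rule.get("action") != "allow":
        return False
    if rule.get("protocol") not in ("tcp", "any"):
        return False
    low, high = rule["port_range"]          # inclusive range, e.g. (3389, 3389) or (0, 65535)
    if not (low <= RDP_PORT <= high):
        return False
    return _is_unrestricted(rule["source"])


def find_exposed_rdp(rules: List[Dict]) -> List[str]:
    """Return the ids of every rule that exposes RDP to the internet."""
    return [r["id"] for r in rules if rule_exposes_rdp(r)]


# Constructed sample rule set (assumed shape, not any vendor's export format).
SAMPLE_RULES = [
    {"id": "sg-rdp-admin-vpn", "direction": "ingress", "action": "allow",
     "protocol": "tcp", "port_range": (3389, 3389), "source": "10.20.0.0/16"},
    {"id": "sg-rdp-open", "direction": "ingress", "action": "allow",
     "protocol": "tcp", "port_range": (3389, 3389), "source": "0.0.0.0/0"},
    {"id": "sg-allow-all-v6", "direction": "ingress", "action": "allow",
     "protocol": "any", "port_range": (0, 65535), "source": "::/0"},
    {"id": "sg-https", "direction": "ingress", "action": "allow",
     "protocol": "tcp", "port_range": (443, 443), "source": "0.0.0.0/0"},
    {"id": "sg-rdp-deny", "direction": "ingress", "action": "deny",
     "protocol": "tcp", "port_range": (3389, 3389), "source": "0.0.0.0/0"},
]


if __name__ == "__main__":
    for rule_id in find_exposed_rdp(SAMPLE_RULES):
        print(f"RDP exposed to the internet by rule {rule_id}")
```

Note that the broad `any`-protocol, all-ports rule is caught as well as the explicit 3389 rule; that is the common way RDP ends up exposed without anyone having written "3389" anywhere. A rule that only allows RDP from an internal VPN range passes, which is the pattern the briefing's advice points towards.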
Spotify resets accounts to hinder credential-stuffing attack
- Spotify has been resetting passwords to prevent account takeovers. This was prompted by the discovery of a database containing over 380 million records, including login credentials, “being validated against the Spotify service,” as part of a credential-stuffing operation.
- Researchers at vpnMentor discovered an open Elasticsearch database which “belonged to a third party that was using it to store Spotify login credentials.” The researchers note that the credentials (including email addresses, usernames, and passwords) were most likely taken from third-party breaches and collated by the third-party for the purposes of compromising the accounts of Spotify users. The operation reportedly affected between 300,000 and 350,000 Spotify users.
So what for security teams? This story highlights the importance of ensuring employees do not reuse passwords or sign up to third-party services using corporate credentials. When those third-party services are breached, hackers will match the breached passwords against other accounts the user holds, including their work accounts, in order to access those accounts (known as credential-stuffing). To secure your organisation against such attacks, we recommend implementing multi-factor authentication (MFA) on employee accounts and monitoring for employee email addresses in breaches (easily done by registering your domain with the site Have I Been Pwned).
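Alongside domain monitoring, the same service offers a way to check whether a password itself already appears in collated breach data, which is exactly what a credential-stuffing list like the one above is built from. The code below is an added example, not S-RM's or Have I Been Pwned's own code. It implements the Pwned Passwords range (k-anonymity) lookup: only the first five hex characters of the password's SHA-1 are sent, the service returns every hash suffix with that prefix together with its breach count, and the comparison happens locally. The endpoint `https://api.pwnedpasswords.com/range/<prefix>` and its `SUFFIX:COUNT` line format are the publicly documented ones (the assumption is that they have not changed). Because the example must run offline, it also builds an offline stand-in for the service from a constructed corpus of passwords and made-up breach counts; the live fetcher is provided but not called.

```python
"""Check a password against breach data using the Pwned Passwords k-anonymity range API."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in breach data (0 if not seen)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Fetch one range from the real service. Only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-reuse-check-example"},  # assumed, arbitrary UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus: sample passwords with made-up breach counts, used to build an offline service.
CONSTRUCTED_BREACH_COUNTS = {"password123": 123456, "Winter2020!": 42}


def build_offline_ranges(corpus: Dict[str, int]) -> Dict[str, str]:
    """Turn the corpus into prefix -> response-body text in the service's wire format."""
    grouped: Dict[str, list] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        grouped.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


OFFLINE_RANGES = build_offline_ranges(CONSTRUCTED_BREACH_COUNTS)


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_live backed by the constructed corpus."""
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password123", "Winter2020!", "a-long-unique-passphrase-no-one-reused"):
        n = pwned_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in breach data'}")
```

To run it against the real service, pass `fetch_range_live` instead of `fetch_range_offline`; the password never leaves the host in either case, which is what makes this safe to build into a password-change workflow or an MFA roll-out checklist.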
Russia angles to ban social media sites
- Russia is seeking to ban social media sites for “discriminating against Russian news outlets.” A draft bill before the Duma (the Russian parliament) proposes blocking sites such as Facebook, Twitter, and YouTube, for exhibiting “discriminating” behaviour by censoring social media accounts belonging to Russian news outlets.
- In an effort to combat disinformation, Facebook, Twitter, and YouTube have been adding labels to the profiles of state-affiliated news agencies (such as Russia Today and Crimea 24) and reducing the visibility of these news agencies on their platform by removing them from recommendation algorithms.
So what? This is not the first time Russia has tried to control how its citizens access information on the internet. Previous attempts have included blocking end-to-end encrypted apps such as Telegram and fining tech companies for not censoring ‘dangerous’ content. This story is a reminder that, while Russia may leverage social media sites to run disinformation campaigns abroad, it sees social media as a threat to its control of information flows at home. How Russia regulates social media and other tech companies is worth watching carefully – it will impact anyone conducting business in Russia, and other countries concerned about controlling information on the internet, especially non-democracies, may look to Russia as an example of how to proceed.