The Hacker News (info@thehackernews.com)
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. The actors are employing SEO tactics so that the PDFs surface in search engine results, tricking users into downloading them and ultimately leading to deployment of the information-stealing malware. Lumma Stealer is designed to harvest sensitive information stored in browsers and cryptocurrency wallets.
Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also using GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries such as PDFCOFFEE and the Internet Archive to further propagate the malware.
Pierluigi Paganini, securityaffairs.com
A sophisticated botnet has been discovered exploiting misconfigured DNS records, on approximately 13,000 MikroTik routers, to distribute malware through spam campaigns. The botnet leverages a simple DNS misconfiguration, specifically in Sender Policy Framework (SPF) records, that allows malicious emails to appear as if they come from legitimate domains. This bypasses email protection techniques, enabling the distribution of trojan malware and other malicious content. The botnet masks its traffic by using the compromised routers as SOCKS proxies.
The misconfigured SPF records use "+all" instead of "-all", which effectively permits any server to send email on behalf of the domain and nullifies SPF protection. Attackers are using this weakness to spoof sender domains and send emails that often mimic shipping companies such as DHL, with subject lines referencing invoices or tracking information. The emails carry zip attachments holding obfuscated JavaScript files that execute PowerShell scripts, connecting victims to a command-and-control server associated with Russian cybercriminal activity.
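To make the "+all" versus "-all" point concrete, here is an added example (not from the article or from the researchers' tooling) that parses an SPF TXT record, flags a permissive terminal `all`, and evaluates a sender IP against the record's ip4/ip6 terms. The sample records and IPs are constructed; mechanisms that need DNS lookups (`a`, `mx`, `include`) are treated as non-matching, which is an assumption of this simplified evaluator.

```python
import ipaddress
from typing import Optional

# Constructed sample TXT records; the domain names are placeholders.
SAMPLE_RECORDS = {
    "permissive.example": "v=spf1 ip4:203.0.113.0/24 +all",   # the misconfiguration
    "implicit.example":   "v=spf1 ip4:203.0.113.0/24 all",    # bare 'all' also means '+all'
    "strict.example":     "v=spf1 ip4:203.0.113.0/24 -all",   # correct hard fail
    "soft.example":       "v=spf1 ip4:203.0.113.0/24 ~all",   # soft fail
}

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record: str):
    """Split an SPF record into (qualifier, mechanism, argument) terms; modifiers are skipped."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"                      # a mechanism with no prefix is implicitly '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if "=" in mech:                 # redirect=, exp= etc. are modifiers, not evaluated here
            continue
        terms.append((qual, mech.lower(), arg))
    return terms

def evaluate(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip; only ip4, ip6 and all are evaluated (assumption)."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech == "all":               # terminal catch-all: its qualifier decides everyone else
            return QUALIFIERS[qual]
    return "neutral"                    # no term matched (RFC 7208 default)

def audit(record: str) -> Optional[str]:
    """Flag a record whose 'all' term lets any host pass, the weakness the spam botnet abused."""
    for qual, mech, _ in parse_spf(record):
        if mech == "all" and qual == "+":
            return "PERMISSIVE: '+all' (or bare 'all') authorizes every sender; use '-all' or '~all'"
    return None
```

Running `audit` over your own domains' TXT records is a quick way to catch the exact misconfiguration described above before a spammer does.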
krebsonsecurity.com
MasterCard recently corrected a critical DNS error that had gone unnoticed for nearly five years. A misconfiguration in one of its domain name server settings, used to direct internet traffic, could have allowed malicious actors to intercept or divert traffic for the company. The error was a typo: one of the company's DNS servers was configured to use "akam.ne" instead of the correct "akam.net". The mistake potentially exposed MasterCard to attack, because the misconfigured domain could be used to redirect traffic and intercept email.
The error was discovered by security researcher Philippe Caturegli, founder of Seralys, who noticed that the domain "akam.ne" was unregistered. He spent $300 to register it with the top-level domain authority in Niger to prevent cybercriminals from exploiting it. After registering the domain, Caturegli saw hundreds of thousands of DNS requests hitting his server daily, indicating widespread misconfigurations by others. Caturegli alerted MasterCard, which has since fixed the typo and stated there was no risk to its systems.