Breach Roundup: Sitting Ducks in the DNS
Also: More CrowdStrike Fallout and a US Elections DDoS Warning
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, hackers exploited DNS flaws, Delta said the CrowdStrike outage cost it $500 million, the German BSI wanted the outage's root cause, the FBI said U.S. elections are safe from DDoS attacks, hackers exploited Google Ads, malware hid on Google Play apps, and a hacker stole Bausch Health data.
Domain Hijacking Is Easy as Targeting Sitting Ducks
Security researchers from InfoBlox and Eclypsium are warning that hackers are again taking advantage of a known flaw in the Domain Name System.
The method, dubbed "Sitting Ducks," involves a hacker hijacking a domain at an authoritative DNS service or web hosting provider "through weak or nonexistent verification of domain ownership for a given account," Eclypsium said.
Hackers can hijack domains in several ways, most of which arise when DNS service for a domain is delegated to a provider other than the registrar. Such delegation can leave incorrect records in place: for example, a domain configured to use a different DNS provider than the one its authoritative name server records point to, or an obsolete name server delegation that no longer points to a name service actually hosting the zone. If the delegated provider does not properly verify ownership, a hacker could simply claim the domain. "While these circumstances may seem unusual, they are very common," Eclypsium said.
InfoBlox said it discovered "over a dozen seemingly different threat actors conducting Sitting Ducks attacks," and each of them had a connection to Russia. "Frequently the hijackers host the stolen domains on notorious Russian providers such as Stark Industries and Evil Empire," it added.
Eclypsium estimates that more than 1 million domains are exploitable to Sitting Ducks and that hackers have exploited them more than 30,000 times since 2019.
A Sitting Ducks attack was first described in 2016 in a blog post by researcher Matthew Bryant.
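The two preconditions described above (DNS delegated away from the registrar, and a delegated name server that no longer answers for the zone) can be audited from a domain inventory. The following is an added example, not code from the article, Eclypsium or InfoBlox; every domain, provider and name server in it is constructed, and the rcode values stand in for what an SOA query against each delegated server would return.

```python
"""Offline audit for the Sitting Ducks preconditions described above.
Added example; not code from the article, Eclypsium or InfoBlox.
All domains, providers and name servers below are constructed."""
from dataclasses import dataclass

NOERROR = "NOERROR"   # rcode meaning the server answered for the zone


@dataclass
class Delegation:
    domain: str
    registrar: str          # provider the domain is registered with
    parent_ns: tuple        # NS names published in the parent (TLD) zone
    ns_provider: dict       # name server -> DNS provider operating it
    ns_rcode: dict          # name server -> rcode for an SOA query on domain
                            # (a server missing here never answered)


def audit(d: Delegation) -> dict:
    """Return {'delegated_away': bool, 'lame_ns': [...], 'sitting_duck': bool}.
    A domain is a Sitting Ducks candidate when both preconditions hold:
    DNS is delegated away from the registrar, and at least one delegated
    name server is lame (does not answer authoritatively for the zone)."""
    providers = {d.ns_provider.get(ns, "unknown") for ns in d.parent_ns}
    delegated_away = bool(providers - {d.registrar})
    lame = [ns for ns in d.parent_ns if d.ns_rcode.get(ns, "NOANSWER") != NOERROR]
    return {"delegated_away": delegated_away, "lame_ns": lame,
            "sitting_duck": delegated_away and bool(lame)}


# Constructed sample: three domains in different delegation states.
SAMPLE = [
    Delegation("shop.example", "RegistrarA", ("ns1.registrara.example", "ns2.registrara.example"),
               {"ns1.registrara.example": "RegistrarA", "ns2.registrara.example": "RegistrarA"},
               {"ns1.registrara.example": "NOERROR", "ns2.registrara.example": "NOERROR"}),
    Delegation("blog.example", "RegistrarA", ("ns1.dnshost.example", "ns2.dnshost.example"),
               {"ns1.dnshost.example": "DnsHost", "ns2.dnshost.example": "DnsHost"},
               {"ns1.dnshost.example": "NOERROR", "ns2.dnshost.example": "NOERROR"}),
    # Obsolete delegation: the DnsHost account was closed, so the zone is gone there.
    Delegation("old.example", "RegistrarA", ("ns1.dnshost.example", "ns2.dnshost.example"),
               {"ns1.dnshost.example": "DnsHost", "ns2.dnshost.example": "DnsHost"},
               {"ns1.dnshost.example": "REFUSED"}),
]


def find_sitting_ducks(delegations) -> list:
    """Names of the domains in `delegations` that meet both preconditions."""
    return [d.domain for d in delegations if audit(d)["sitting_duck"]]


if __name__ == "__main__":
    for d in SAMPLE:
        print(d.domain, audit(d))
```

In a real audit the `ns_rcode` values would come from querying each delegated server directly for the zone's SOA; a delegation that is merely to a third-party provider is normal, and only the combination with a lame server should be escalated.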
Delta Air Lines Blames IT Outage for $500 Million Loss
Delta Air Lines CEO Ed Bastian said an operational collapse triggered by a flawed July 29 software update from cybersecurity firm CrowdStrike cost the airline $500 million, CNBC reported. The disruption led to thousands of flight cancellations and delays over several days at the United States' second-largest passenger carrier.
Bastian stated the $500 million figure includes lost revenue and costs related to compensating affected passengers and providing hotel accommodations. The CEO said he will sue for damages.
Delta hired the prominent law firm Boies Schiller Flexner to pursue the case. The airline had to manually reboot up to 40,000 systems affected by the outage.
The U.S. Department of Transportation is investigating whether Delta complied with customer support regulations during the disruption.
German BSI Reviews CrowdStrike Global Service Outage
The German federal security agency said it has been in discussions with CrowdStrike and Microsoft to identify the root cause of the recent global outage that disrupted services across the world and will direct the software makers to take steps to prevent future such incidents.
The global outage stemmed from a faulty update pushed on July 19 to CrowdStrike's Falcon endpoint detection and response platform that threw 8.5 million Windows machines across the globe into a perpetual "blue screen of death" loop. CrowdStrike's software has low-level access to the Windows operating system because it runs in, and can manipulate, the central part of the OS known as the kernel.
The incident crippled services at banks, stock exchanges, doctors' offices and hospitals (see: Banks and Airlines Disrupted as Mass Outage Hits Windows PCs).
The German Federal Office for Information Security, or BSI, on Monday said it will expect - starting in 2025 - the "design and implementation of new, more resilient architectures for running EDR tools with the minimum required privileges while maintaining the same functionality and same level of protection."
US Elections Safe From DDoS Attacks
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency reminded voters Wednesday that distributed denial-of-service attacks can't compromise the integrity of the electoral system or prevent Americans from voting.
DDoS attacks could knock websites "containing information about where and how to vote, online election services like voter registration, or unofficial election results" offline, the agencies said in a public service announcement, but DDoS attacks can't compromise the underlying electoral administration infrastructure - no matter what hackers may claim.
DDoS is a favorite method of self-proclaimed hacktivists. Russian-speaking groups in particular in recent years have aimed DDoS attacks at airports, cloud services and government agencies, but these incidents rarely rise beyond the level of an annoyance (see: Down, Not Out: Russian Hacktivists Claiming DDoS Disruptions).
The number of DDoS attacks against U.S. election infrastructure will likely increase as it gets closer to Election Day, Nov. 5, the federal agencies said.
Google Ad Platform Exploited to Distribute Malware
Threat actors are exploiting Google's ad platform to create fake Google Authenticator ads and spread DeerStealer malware. These malicious ads lure victims by displaying trusted URLs such as google.com. Malwarebytes identified a campaign in which fake ads for Google Authenticator appeared in search results, leading victims to download malware from online domains such as chromeweb-authenticators.com.
These ads use URL cloaking to bypass detection and display different websites to reviewers and users. Despite verifying advertiser identities, Google struggles with malicious ads due to the creation of thousands of accounts by threat actors. In response, Google claims to have blocked the reported fake ads and is scaling up its automated and human review systems. Google in 2023 removed 3.4 billion ads, restricted 5.7 billion and suspended 5.6 million advertiser accounts.
New Mandrake Malware Variant Evades Detection on Google Play
Security researchers discovered a new version of an Android cyberespionage malware called Mandrake, initially analyzed by Bitdefender in 2020. Kaspersky researchers identified suspicious samples in April 2024 and confirmed them as an updated Mandrake variant. This version was hidden in five Google Play applications from 2022 to 2024, amassing over 32,000 downloads. The apps included a Wi-Fi file-sharing app and a cryptocurrency price tracker.
The updated Mandrake features enhanced obfuscation and evasion tactics, such as moving malicious functions to obfuscated native libraries, using certificate pinning for secure communication with command-and-control servers and performing tests to avoid detection on rooted or emulated devices.
The new Mandrake operates through a multistage infection chain. The malicious activity at first is concealed in a native library, which decrypts and loads the second stage upon execution. This stage communicates with the C2 server, which may command the device to download and execute the core malware to steal user credentials and deploy additional malicious apps.
Hacker Steals Bausch Health Data
A hacker stole extensive data from Bausch Health and attempted to extort the company, believing the Drug Enforcement Administration might buy back the data, including DEA registration numbers used for prescribing controlled substances. The breach, linked to compromised Snowflake accounts, involves the same hacker connected to previous breaches at Ticketmaster.
The hacker went public on an underground forum, offering 1.6 million DEA numbers and prescriber details for sale, and demanded $3 million from Bausch to prevent the sale of the data while also advertising smaller quantities of DEA numbers for varying prices.
Other Coverage From Last Week
- Mandiant Uncovers Threat Group Behind Basta Ransomware
- Western Sydney University Reveals Major Data Breach
- Ransomware Hit on Florida Blood Center Affects Supplies
- SideWinder Launches New Espionage Campaign on Ports
With reporting from Information Security Media Group's Akshaya Asokan in Southern England and David Perera in Washington, D.C.