SecurityBeat: Iranian Security Alert, Netflix Phishing Scam, and More

CISA warns of Iranian cyber activity.

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released an alert detailing the cyber assault Iran launched against Albania earlier this month. The alert provides precautions and countermeasures to take in case the campaign spreads beyond its intended Albanian targets.

Leveraging Netflix for credential harvesting.

INKY recently reported on a phishing scam involving the fraudulent use of Netflix’s name. Users of the streaming service were the focus of a data harvesting operation from 21-27 August 2022. The campaign used an attachment containing malicious Hypertext Markup Language (HTML), the markup language that instructs a web browser on how to display a page’s text, images, and other media.

Netflix customers were the intended victims of the phishing emails, which were spoofed to appear to have originated from Netflix’s actual domain. This campaign is an example of a growing trend in criminal social engineering: messages that are increasingly sophisticated and no longer easily identified by the clumsy diction and non-standard language that once gave them away.

TeamTNT may be back.

On Friday, September 16th, Aqua Security reported that a threat actor hitting its botnets resembled the criminal group TeamTNT, which targets cloud infrastructure. Back in November, TeamTNT said it was calling it quits, but the group may have made a surprise comeback.

Since the fall of 2019, TeamTNT has been an active threat actor, primarily focusing on Unix/Linux-based systems and improperly configured Docker container environments. These technologies are common in organizations adopting continuous development and cloud computing. Cloud environments are exposed to a wide range of threats if an unsecured API port is left open, and the Docker API port is one such example.
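As an added example (not from the original article or from Aqua Security), the following Python audits a dockerd `daemon.json` for the misconfiguration described above: a TCP listener for the Docker API that is bound to all interfaces or that lacks client-certificate verification. The two configuration files are constructed samples; the file paths in the hardened sample are illustrative assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from any real host).
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # assumed path
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_hosts(daemon_json: str) -> list[str]:
    """Return findings for every TCP listener declared in a daemon.json."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    # Mutual TLS needs a CA to verify clients plus the daemon's own cert/key.
    has_tls_material = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        parsed = urlsplit(host)
        bind = parsed.hostname or ""  # empty host means "listen everywhere"
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: Docker API bound to all interfaces")
        if not (tls_verify and has_tls_material):
            findings.append(f"{host}: TCP API without tlsverify and client-cert material")
        if parsed.port == 2375:
            findings.append(f"{host}: 2375 is the conventional plaintext Docker API port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_docker_hosts(cfg) or ["no findings"])
```

A daemon that passes this check is still only one control; a host firewall and an allow-list of client certificates limit who can reach the listener at all.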

Emotet and other malware delivery systems.

Since the start of 2022, researchers at AdvIntel have counted over 1.2 million cases of Emotet infection. The Emotet Trojan is widely distributed through unsolicited email. Infections can be spread through document files with macro functionality, malicious links, or malicious scripts, and an Emotet email may use recognizable branding to pass as a legitimate message. The United States accounts for over a third of all reported Emotet infections (35.7%). While originally used by Conti, researchers have found that the Quantum and BlackCat ransomware groups are now using Emotet. Once compromised, the victim host becomes part of the malware distribution botnet. Botnets are networks of hijacked computers used to carry out scams and cyberattacks.

Advertising or Malvertising — Risky piracy sites.

The Digital Citizens Alliance, in collaboration with White Bullet and Unit 221B, has published a report on piracy websites and the advertising they carry. Advertisements on file-sharing sites have also been found to contain malware. According to the study’s findings, in just one month, visitors to piracy sites saw an estimated 321 million malicious advertisements.