
Browser in the Browser attacks take the headline as Log4J lingers

A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. This enables a new “Browser in the Browser” attack: a fake browser window is drawn inside a genuine browser window, producing a convincing phishing page. It is not an entirely new attack, however – it was used by fake gaming sites in 2020 to steal Steam credentials. A set of templates has been released on GitHub, allowing red teamers to build convincing phishing sign-in forms to test the defenses of their clients or their own company’s employees.

CISA and the FBI said last week they’re aware of “possible threats” to satellite communication (SATCOM) networks in the US and worldwide. The security advisory also warned US critical infrastructure organizations of risks to SATCOM providers’ customers following network breaches. The warning is related to the war in Ukraine, as outages at SATCOM operators started on February 28… coinciding with Russia’s invasion of Ukraine.

New versions of Conti’s ransomware source code have reportedly been leaked by a researcher displeased with the group’s public declaration of support for Russia. Over the weekend, a link to the new package was published under the “Conti Leaks” Twitter handle. The source code has been uploaded to VirusTotal, and while the archive is password-protected, the information required to open it is available to cybersecurity teams. Conti had previously declared support for Russia’s invasion of Ukraine.

Conti has certainly been under scrutiny – Google’s Threat Analysis Group (TAG) has exposed the operations of a threat actor group dubbed “EXOTIC LILY,” an initial access broker linked to the Conti and Diavol ransomware operations. “EXOTIC LILY” uses large-scale phishing campaigns to breach targeted corporate networks and then sells access to those networks to ransomware gangs. Of note to listeners, the TAG analysis found that the threat actors work primarily from 09:00 AM to 05:00 PM EST on weekdays and log very little activity on weekends. A 9-to-5 job. The recent Conti Leaks show that many threat actors run their operations like a business, requesting days off, reporting to managers, and receiving salaries.

On the defender’s side, Orca Security released a study that details how a flood of security alerts can easily trigger alert fatigue. 59% of the respondents said their security teams are hit with more than 500 alerts each day. Beyond the sheer volume, a fair number of the alerts are inaccurate or unnecessary. Many said that 40% of the alerts are either false positives or of low priority. Fewer than 10% of the alerts received are truly critical and need immediate attention. But finding those critical alerts amid all the unimportant ones requires time and effort. More than half of the respondents said they spend at least 20% of their day reviewing alerts and determining which ones to prioritize.

If you think Log4J is old news… a new study indicates that 30% of Log4Shell instances remain unpatched.

Why do we care?

Old and new. Patching is the beast that never gets solved. How much attention was given to Log4J… and still, 30% remains unpatched. That’s the same old problem… over and over again. Not saying I have a solution… but then again, an unsolved problem indeed cries out for some innovation.

The other “old news” here is the business-like nature of those ransomware operations. I have covered that here before.

What is new here is twofold: the changing attack vector – Browser in the Browser is new enough to count as a new vector – and how politics play into criminal activity. Gangs are turning on each other over politics… and war.

The new action here is incorporating those new attack vectors into defense.