Cyber Security Today, Feb. 28, 2024 – Thousands of subdomains abused for phishing, the latest ransomware news and more

Thousands of subdomains abused for phishing, the latest ransomware news and more.

Welcome to Cyber Security Today. It’s Wednesday, February 28th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


Over 8,000 subdomains owned by or affiliated with big brands have been hijacked and used to send millions of malicious emails a day. That’s according to researchers at Guardio. Victim firms include Microsoft MSN, VMware, McAfee, CBS, Marvel, eBay, Cornell University, The Economist and more. The tactic is called “SubdoMailing.” It works like this: Say a company named Acme wants a domain on MSN. The domain is “acme[dot]msn[dot]com.” Later it creates a subdomain to offer a game for customers — say that subdomain is “acme[dot]games[dot]msn[dot]com.” Then Acme abandons that subdomain. That leaves it open for a threat actor to buy the abandoned subdomain and use it to launch mass phishing campaigns by linking it to hundreds of IP addresses. Phishing messages appear to come from msn.com. To users — and more importantly to email gateways — it looks like a legitimate address. In fact, the report says that 22 years ago home designer Martha Stewart created a subdomain when she ran a sweepstakes, then abandoned it. Now it’s being used by a scammer. Guardio suspects there’s one threat actor behind this phishing campaign. I’ve simplified the tactic. But what website owners need to do is regularly check their domains for signs of compromise and remove unused subdomains and their associated DNS records.
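The check the last sentence calls for can be scripted. The example below is added here and is not from Guardio or the podcast; it audits a constructed zone export for CNAME records whose target no longer resolves (the dangling records that make an abandoned subdomain takeable) and prunes them. The zone data and the stand-in for live DNS lookups are constructed for the example; a real audit would replace `LIVE_EXTERNAL` with actual resolver queries.

```python
"""Audit a DNS zone export for dangling subdomain records (constructed example)."""

# Constructed zone export: (record name, type, target). No real brand data.
SAMPLE_ZONE = [
    ("acme.msn.example", "A", "203.0.113.10"),
    ("acme.games.msn.example", "CNAME", "promo.abandoned-vendor.example"),
    ("blog.msn.example", "CNAME", "sites.hosting-vendor.example"),
    ("news.msn.example", "CNAME", "cdn.msn.example"),
    ("cdn.msn.example", "A", "203.0.113.20"),
    ("old.msn.example", "CNAME", "news.msn.example"),
]

# Constructed stand-in for live DNS: external names that still resolve today.
# Assumption: a real audit swaps this set for resolver lookups.
LIVE_EXTERNAL = {"sites.hosting-vendor.example"}


def resolve_chain(name, zone, live, depth=8):
    """Follow CNAMEs inside the zone; return the final target, or None if it dangles."""
    index = {n: (t, v) for n, t, v in zone}
    for _ in range(depth):
        rec = index.get(name)
        if rec is None:
            # Target lives outside our zone: ask the (stand-in) resolver.
            return name if name in live else None
        rtype, value = rec
        if rtype != "CNAME":
            return value  # reached an address record
        name = value
    return None  # CNAME loop or over-long chain: treat as suspect


def find_dangling(zone, live=LIVE_EXTERNAL):
    """Names whose CNAME chain ends at something that no longer resolves."""
    return sorted(n for n, t, v in zone
                  if t == "CNAME" and resolve_chain(v, zone, live) is None)


def prune(zone, live=LIVE_EXTERNAL):
    """Remediation step: return the zone with dangling CNAME records removed."""
    bad = set(find_dangling(zone, live))
    return [r for r in zone if r[0] not in bad]


if __name__ == "__main__":
    for name in find_dangling(SAMPLE_ZONE):
        print("dangling record, remove or reclaim:", name)
```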

The cyberattack that hit American prescription processor Change Healthcare last week is ransomware, according to two news reports. Reuters and TechCrunch say the BlackCat/AlphV ransomware strain was involved. On the other hand, SCMagazine.com says it was a strain of the LockBit ransomware. Regardless, the result of the attack is that many U.S. pharmacies, hospitals and healthcare providers are unable to process prescriptions. According to TechCrunch, the U.S. military’s health insurance provider says the attack is impacting all military pharmacies around the world. SCMagazine.com says the attacker exploited a vulnerability in the ConnectWise ScreenConnect application for help desks. That vulnerability was publicly reported on February 19th.

Last December law enforcement agencies took down an AlphV gang website. According to The Record, a message apparently from the gang was spotted after that, promising to start allowing its affiliates to attack previously forbidden targets like hospitals.

The Record also reports that ransomware is behind a cyber attack on Chicago’s Lurie Children’s Hospital. The Rhysida ransomware gang has listed this hospital as one of its victims. To learn more about this group, check out the background report on Rhysida released last week by researchers at eSentire. This is the gang that last year hit Prospect Medical Holdings, which owns 16 hospitals and 166 outpatient clinics in the U.S., and the British Library. Full restoration of services at the British Library may not happen until the end of the year.

WordPress administrators with systems that use the LiteSpeed Cache plugin are urged to update the app as soon as possible. Researchers at Patchstack say the plugin has a vulnerability that could allow any unauthenticated user to get in and steal sensitive website information.

The U.S. National Institute of Standards and Technology has released version 2 of the NIST Cybersecurity Framework. This framework is used by organizations around the world to design their cybersecurity practices and strategy. The new version is aimed at organizations of any size, not just those in critical sectors. It also has a new focus on governance, which is how organizations make and carry out decisions on cyber strategy, as well as securing supply chains.

Finally, the U.S. National Cyber Director is urging application developers to improve the security of their software by switching to memory-safe programming languages. Many application holes are caused by memory vulnerabilities created in languages like C and C++. There are dozens of better languages to use, including C#, Go, Java, Python, Rust and Swift. The report also urges developers to take other action to improve application security and quality.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

ITWorldCanada.com also has a daily podcast on general IT news called Hashtag Trending. Check it out.

Thanks for listening. I’

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com