FBI Alert Issued As Time Traveling Hackers Attack — Act Now

The Federal Bureau of Investigation (FBI) has issued a security advisory warning about a ransomware gang that, among other tactics, is reported to manipulate the system clock, a "time-travel" trick used to bypass security controls in attacks on critical infrastructure targets.

Medusa, a ransomware-as-a-service operation that has hit at least 300 critical infrastructure victims, is the threat in question. The FBI outlines the tactics, techniques, and procedures (TTPs) used by Medusa affiliates in cybersecurity advisory AA25-071A, published jointly with CISA and MS-ISAC. What is making headlines now, however, is the time-traveling hacking technique attributed to Medusa attackers.

According to Boris Cipot, a senior security engineer at Black Duck, Medusa attackers are creatively abusing system misconfigurations to bypass security controls. The attackers rely on a driver whose code-signing certificate was valid back in 2012 but has long since expired. An expired signing certificate should normally stop the driver from loading; by changing the system date to a point inside the certificate's original validity window, the attackers get the expired driver accepted and loaded, and with it the access to the system that the driver provides.

"The malware is effectively changing the system date to a time when the certificate, which signed a certain driver, was still valid," Cipot explained. "Because the system date has been changed and has effectively gone back in time, that expired driver is now seen as being perfectly valid, accepted as such, and loaded like any other."

To mitigate this kind of time-travel hacking, Cipot recommends a combination of best-in-class endpoint protection, strict policy enforcement, and proactive monitoring. He also warns that organizations need to detect system configuration changes, clock adjustments included, and block expired certificates rather than trusting the local clock to enforce expiry.
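To make the two halves of this concrete, the following is an added example, not code from the FBI advisory, Black Duck or Medusa. It shows how a certificate-validity check that trusts the local clock is defeated by rewinding that clock, what a hardened check does differently (a trusted time anchor and a signer blocklist, both assumed to be available), and a hunt over constructed Windows Security Event ID 4616 ("The system time was changed") records that flags the rewind itself. The signer name, the certificate dates and all event records are made up for illustration.

```python
"""Added example (not code from the FBI advisory, Black Duck or Medusa):
clock-rewind versus a naive certificate-validity check, a hardened check,
and a hunt over constructed Event ID 4616 records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertWindow:
    subject: str
    not_before: datetime
    not_after: datetime


# Hypothetical signing certificate: valid during 2012, expired for years by 2025.
OLD_SIGNER = CertWindow(
    subject="CN=Hypothetical Driver Signer (assumed)",
    not_before=parse_ts("2012-01-01T00:00:00.000Z"),
    not_after=parse_ts("2013-01-01T00:00:00.000Z"),
)

MAX_SKEW = timedelta(minutes=5)    # tolerated gap between local and trusted clock
MAX_BACKWARD = timedelta(hours=1)  # larger backward jumps are treated as hostile


def naive_cert_check(cert: CertWindow, system_clock: datetime) -> bool:
    """Validity check that believes whatever the local clock says.
    This is the behaviour the clock-rewind trick exploits."""
    return cert.not_before <= system_clock <= cert.not_after


def hardened_cert_check(cert: CertWindow, system_clock: datetime,
                        trusted_time: datetime, blocked_subjects=frozenset()) -> bool:
    """Reject blocklisted signers, refuse to decide when the local clock disagrees
    with a trusted time anchor (NTP, a secure timestamp, or the last known good
    time persisted at boot; assumed available), and evaluate the validity window
    against the trusted time rather than the local clock."""
    if cert.subject in blocked_subjects:
        return False
    if abs(system_clock - trusted_time) > MAX_SKEW:
        return False
    return cert.not_before <= trusted_time <= cert.not_after


# Constructed records modelled on Event ID 4616; every value is made up.
SAMPLE_EVENTS = [
    {"EventID": 4616, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2025-03-13T10:00:00.000Z", "NewTime": "2025-03-13T10:00:01.250Z"},
    {"EventID": 4616, "ProcessName": r"C:\Users\Public\update.exe",
     "PreviousTime": "2025-03-13T10:05:00.000Z", "NewTime": "2012-06-01T12:00:00.000Z"},
    {"EventID": 4616, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2025-03-13T10:10:30.000Z", "NewTime": "2025-03-13T10:10:00.000Z"},
]


def classify_time_change(event: dict, known_windows) -> list:
    """Return the reasons a 4616 record looks like a certificate time-travel attempt."""
    prev, new = parse_ts(event["PreviousTime"]), parse_ts(event["NewTime"])
    reasons = []
    if new - prev < -MAX_BACKWARD:
        reasons.append(f"clock moved backwards by {prev - new}")
    for w in known_windows:
        # The new time lands inside a window that had already expired at the old time.
        if w.not_before <= new <= w.not_after and w.not_after < prev:
            reasons.append(f"new time falls inside expired window of {w.subject}")
    return reasons


def hunt(events, known_windows=(OLD_SIGNER,)) -> list:
    """Return (process, reasons) for every 4616 event that raises at least one reason."""
    findings = []
    for e in events:
        if e.get("EventID") != 4616:
            continue
        reasons = classify_time_change(e, known_windows)
        if reasons:
            findings.append((e["ProcessName"], reasons))
    return findings


if __name__ == "__main__":
    rewound = parse_ts("2012-06-01T12:00:00.000Z")
    real = parse_ts("2025-03-13T10:05:00.000Z")
    print("naive check, clock rewound:", naive_cert_check(OLD_SIGNER, rewound))          # True
    print("hardened check, clock rewound:", hardened_cert_check(OLD_SIGNER, rewound, real))  # False
    for process, reasons in hunt(SAMPLE_EVENTS):
        print(process, "->", "; ".join(reasons))
```

Two caveats for anyone adapting this. First, the 30-second backward correction from svchost.exe in the sample data is left alone on purpose: routine time-service corrections move the clock by seconds, so a detector that alerts on every backward change will drown in noise, whereas a jump of years into the validity window of a known-bad signer is unambiguous. Second, the trick only works where the validation path compares the certificate's dates against the live local clock and the signer has not been blocklisted; that is exactly why the recommended defences are clock-change detection and blocking the certificates outright, rather than relying on expiry alone.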

Morphing Meerkat: A New Phishing-as-a-Service Operation

Another threat causing concern is Morphing Meerkat, a phishing-as-a-service (PhaaS) operation that uses DNS over HTTPS (DoH) for detection evasion and DNS mail exchange (MX) records to "identify victims' email providers and dynamically serve spoofed login pages."

Bleeping Computer has reported that Morphing Meerkat provides a complete toolkit for launching effective, scalable, and evasive phishing attacks. Because DoH carries DNS queries inside ordinary encrypted HTTPS connections to a public resolver, the kit's MX lookups never pass through the victim organization's own DNS resolver, where they could be logged or blocked, which hides the attackers' intent from network defenders.

"By embedding DNS queries within the overall encrypted data traffic between a client and a server," explained Dirk Schrader, a vice-president of security research at Netwrix, "it prevents third parties from seeing what websites you are trying to access."
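The following is an added example, not Morphing Meerkat's code nor anything from Bleeping Computer or Netwrix; it reconstructs the two mechanics described above from public standards so the evasion is visible in detail. First, a DNS MX query is encoded in DNS wire format and wrapped into an RFC 8484 DNS-over-HTTPS GET URL, which is the form in which it travels inside an ordinary HTTPS connection. Second, the MX hosts in the answer are mapped to an email provider to select which spoofed login page to serve. The DoH endpoint is only used to build an illustrative URL and is never contacted; the MX answers, victim domains and template names are constructed for this example.

```python
"""Added example (not Morphing Meerkat's code): DoH-wrapped MX lookup and
MX-to-provider mapping, reconstructed from public standards. Offline only."""
import base64
import struct

QTYPE_MX = 15
QCLASS_IN = 1
# Public DoH endpoint, used here only to build an illustrative URL (never fetched).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = QTYPE_MX) -> bytes:
    """Wire-format query: 12-byte header (ID 0, as RFC 8484 recommends for
    cacheable GETs; RD flag set; one question) followed by the question section."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def doh_get_url(wire_query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the query goes base64url-encoded, without padding,
    in the 'dns' query parameter of an HTTPS request."""
    encoded = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


# MX target suffixes that identify a hosted mail provider. The Google and
# Microsoft entries reflect those providers' published MX hosts; the table is
# deliberately small.
PROVIDER_SUFFIXES = {
    "Google Workspace": (".google.com", ".googlemail.com"),
    "Microsoft 365": (".mail.protection.outlook.com",),
}


def provider_from_mx(mx_hosts) -> str:
    """Classify a domain by the MX targets returned for it."""
    for host in mx_hosts:
        h = host.lower().rstrip(".")
        for provider, suffixes in PROVIDER_SUFFIXES.items():
            if any(h.endswith(s) for s in suffixes):
                return provider
    return "unknown"


# Template names are hypothetical; a kit would carry one spoofed page per brand.
LOGIN_TEMPLATES = {
    "Google Workspace": "google-login.html",
    "Microsoft 365": "m365-login.html",
    "unknown": "generic-webmail-login.html",
}


def choose_template(mx_hosts) -> str:
    """Pick the spoofed login page matching the victim's mail provider."""
    return LOGIN_TEMPLATES[provider_from_mx(mx_hosts)]


# Constructed MX answers for three fictional victim domains.
SAMPLE_MX = {
    "victim-one.example": ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."],
    "victim-two.example": ["victim-two-example.mail.protection.outlook.com."],
    "victim-three.example": ["mail.victim-three.example."],
}

if __name__ == "__main__":
    print(doh_get_url(build_dns_query("victim-one.example")))
    for domain, hosts in SAMPLE_MX.items():
        print(domain, "->", provider_from_mx(hosts), "->", choose_template(hosts))
```

For defenders the point is the URL shape: the lookup is an HTTPS request to a public resolver, so it never appears in the organization's own DNS logs. Detection therefore has to come from elsewhere, for example by alerting on or blocking connections to known DoH endpoints from hosts that have no business using them, and by inspecting the phishing page itself at the web proxy or email gateway.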

FBI Advice: Enable 2FA, Keep Systems Up to Date

The FBI has advised users to enable two-factor authentication (2FA) for all services where possible, particularly for webmail (such as Gmail and Outlook) and for virtual private networks (VPNs). They also recommend employing long passwords on all accounts that require them.

Administrators should refrain from imposing a requirement for frequent password changes, as these can do more harm than good. The FBI has also advised users to keep all operating systems up to date, alongside software and firmware updates.

Act Now: Act Today

"My advice?" said the author. "Listen to both the FBI and Boris, as they know what they are talking about. Don't wait for Medusa to strike – act today, or your systems could get attacked by hackers from 2012."