Cybersecurity trends that marked August 2023
In our August 2023 report, we take a closer look at the cybersecurity trends that marked August 2023 including ongoing efforts to exploit Ivanti vulnerabilities in the USA and Germany and exploitation of .us domains for phishing scams.
Phishing and Malware trends and statistics
Newly registered domains | Confirmed new phishing domains | New potential similar domains | Malware domains |
1.3m | 1131 | 7436 | 6.4k |
During the month of August, FYEO discovered a total of 1.3 (Million) newly registered top level domains of which 7436 were considered similar domains that are likely squatting domains (e.g when someone registers a domain name that is similar to a well-known brand or organization with the intention of using it for malicious purposes such as phishing attacks).
A further 1131 domains out of the newly registered domain were identified as actively serving fake websites and content related to phishing and 6.4K (Thousand) were identified as serving malware related files and content.
Data leaks and credentials statistics
Reported leaked credentials | Reported leak sources | FYEO indexed sources | FYEO indexed credentials |
11.2m | 25 | 13 | 99.3m |
August also saw 25 security incidents that resulted in the compromise of more than 11.2M (Million) records. Forever 21 disclosed a three-month data breach compromising data from 539,207 individuals, including names, birthdates, Social Security numbers, and bank account numbers. Health plan details of employees were also accessed. The company has not provided specific details about the incident or preventive measures taken.
During the month, FYEO indexed and gathered a total of 99.3 (Million) leaked credentials from a total of 13 sources that were gathered through open sources and public releases.
In regards to FYEO’s collection statistics it's worth noting that there is in general a large delay in the time in which the hacked data gets published. Therefore the data collected by FYEO is most likely not the same sources that were reported hacked for the month.
Cyble detects ongoing efforts to exploit Ivanti vulnerabilities in the USA and Germany.
In July 2023, Norwegian security agencies discovered that 12 government agencies had been targeted by cyber attackers exploiting vulnerabilities in the software of one of their suppliers. The attackers used a vulnerability known as CVE-2023-35078 to breach security. Ivanti, the software vendor, quickly released a patch to fix this vulnerability, but on July 28, 2023, another patch was issued for a path traversal vulnerability known as CVE-2023-35081. The vendor noted that these vulnerabilities could be exploited together, making Ivanti products even more vulnerable.
The Cybersecurity and Infrastructure Security Agency (CISA) reported that Advanced Persistent Threat (APT) actors had been exploiting CVE-2023-35078 since at least April 2023, using compromised small office/home office routers to target infrastructure.
Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of Ivanti EPMM (CVE-2023-35078) and Ivanti Sentry (CVE-2023-38035) on August 25, 2023. Attackers attempted to fetch sensitive information from Ivanti EPMM while interacting with Ivanti Sentry, and these attacks were primarily targeting assets in the United States and Germany.
The high exposure of Ivanti assets in these countries coincided with the observed attacks, leading to concerns about an increase in cyberattacks on Ivanti's vulnerable assets in the United States and Germany. Over 2,000 internet users were exposed to Ivanti EPMM, primarily in the United States and Germany, and over 1,500 internet-exposed Ivanti Sentry instances were detected globally.
State and private organizations are still vulnerable to these specific vulnerabilities, as indicated by the Cybersecurity Research and Intelligence Lab (CRIL).
In conclusion, threat actors are increasingly exploiting vulnerabilities in internet-exposed assets, such as Ivanti EPMM and Ivanti Sentry, for various malicious purposes, including data theft, ransomware attacks, and web shell installations. These vulnerabilities pose a significant risk to organizations, and it is crucial to apply patches promptly and enhance cybersecurity measures to mitigate these threats.
".US Domain: A Breeding Ground for Phishing Scams"
The ".US" domain, which represents the United States on the internet, is a hotspot for phishing scams, according to recent research. This is concerning because the U.S. government oversees this domain, and it's often targeted by phishing attacks. The ".US" domain is supposed to be available only to U.S. citizens or entities with a physical presence in the United States.
The study conducted by The Interisle Consulting Group analyzed six million phishing reports between May 2022 and April 2023, revealing 30,000 phishing domains under ".US." This domain is managed by GoDaddy, the world's largest domain registrar, under the oversight of the National Telecommunications and Information Administration (NTIA), a U.S. government agency.
Despite regulations requiring verification of U.S. residency or connection for ".US" domain registrants, the study found that the current vetting process isn't effective. In contrast, other countries with similar restrictions on their country code top-level domains (ccTLDs) have much lower levels of abuse and phishing.
The issue with ".US" domains has persisted for years, with previous research in 2018 already highlighting problems with spam, botnets, and harmful content. GoDaddy states that registrants must certify their compliance with NTIA's requirements, but it appears to be a simple checkbox without robust verification.
The study also discovered that attackers used ".US" domains to target prominent U.S. companies and even government entities, raising concerns about national security. Additionally, the NTIA has proposed redacting registrant data from public records, potentially further complicating efforts to identify and verify domain registrants.
In summary, the ".US" domain is a prime target for phishing scams, despite regulations meant to restrict it to U.S. citizens and entities. The current verification process is ineffective, and the issue has persisted for years. The U.S. government's oversight and the potential for redacting registrant data raise concerns about online security and identity verification in this domain.