
    Human Risk Roundup: Email Bombs, Browser-Based Attacks, and Drone Firms

    Zendesk's ticketing platform has been abused to send email bombs, browser-based attacks are on the rise, and North Korean hackers infiltrate drone firms

    by Cheryl Zupan

    Key Points

    • Cybercriminals took advantage of Zendesk's configuration that allows anonymous users to submit support tickets, using it to send thousands of malicious emails.
    • Browser-based attacks, including ClickFix and fake CAPTCHA schemes, are becoming a prevalent method for cybercriminals to breach security.
    • North Korean hackers, identified as the Lazarus Group, have infiltrated several European companies involved in drone development and defense.

    In this edition of the Human Risk Roundup, we dive into three recent high-profile events; keep reading for the details.

    Email bombs exploit lax authentication in Zendesk

    Cybercriminals exploited lax authentication settings in Zendesk's customer service platform to flood inboxes with thousands of malicious emails, leveraging the accounts of legitimate Zendesk customers. This abuse highlights the risks of allowing anonymous ticket submissions without proper verification, which can tarnish brands and overwhelm targets.

    What happened

    Cybercriminals took advantage of Zendesk's configuration that allows anonymous users to submit support tickets, using it to send thousands of malicious emails. These emails, sent from legitimate Zendesk customer accounts like The Washington Post and NordVPN, overwhelmed inboxes with spam and harmful messages. The attackers exploited the lack of email address validation in Zendesk's ticket creation process, enabling them to put arbitrary addresses in the requester field so that the platform's own notification emails were delivered to their targets. Despite Zendesk's rate-limiting measures, the attackers managed to send a high volume of emails in a short time. Zendesk acknowledged the issue and recommended that customers implement authenticated workflows to prevent abuse. However, the platform's current default setup prioritizes convenience over security, leaving room for such attacks.

    Why it matters

    This incident underscores the critical importance of enforcing authentication and validation in customer-facing systems. Cybersecurity personnel must recognize that even trusted platforms like Zendesk can be weaponized if misconfigured. The attack demonstrates how lax security settings can harm both the targeted individuals and the brands whose accounts are exploited. It also highlights the need for proactive measures, such as rate-limiting and email validation, to mitigate abuse. For cybersecurity teams, this serves as a reminder to regularly audit third-party tools and ensure they align with security best practices. Ultimately, the event emphasizes the balance between usability and security, urging professionals to prioritize safeguards without compromising functionality.

    Four practical tips for security leaders

    1. Enforce Email Validation: Ensure all customer-facing systems validate email addresses before processing requests to prevent abuse.
    2. Implement Authentication for Ticket Submissions: Require users to authenticate before submitting support tickets to reduce the risk of anonymous abuse.
    3. Regularly Audit Third-Party Tools: Conduct periodic reviews of platforms like Zendesk to identify and address potential security gaps.
    4. Educate Teams on Configuration Best Practices: Train staff to configure systems securely, balancing usability with robust security measures.
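
    The following is an added example, not Zendesk's code or configuration, that illustrates tips 1 to 3 in a minimal support-ticket intake. The weak path mirrors the anonymous configuration described above: whatever address the submitter types becomes the recipient of the platform's notification email, so the helpdesk becomes a relay. The hardened path syntax-checks the address, only accepts tickets from requesters who have completed a verification loop, and rate-limits submissions per source. All names (`weak_intake`, `HardenedIntake`, the sample tickets) are invented for this illustration.

```python
"""Added example (not Zendesk's code): anonymous ticket intake beside a
hardened intake that verifies the requester, validates the address and
rate-limits submissions per source before any notification mail is queued."""
import re
import time
from collections import defaultdict, deque

# Deliberately simple syntax check; a real system would also verify ownership
# of the address through a confirmation loop (see mark_verified below).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def weak_intake(ticket, outbox):
    """Anonymous configuration: the supplied requester address is trusted as-is
    and immediately receives an auto-reply, so a spoofed address turns the
    helpdesk into a mail relay for whoever submits the ticket."""
    outbox.append({"to": ticket["requester"], "subject": ticket["subject"]})
    return True


class HardenedIntake:
    """Authenticated intake: reject unverified or malformed requesters and
    cap the number of submissions a single source can make per window."""

    def __init__(self, max_per_window=5, window_s=60.0, clock=time.monotonic):
        self.verified = set()               # addresses that completed confirmation
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock                  # injectable for deterministic tests
        self._history = defaultdict(deque)  # source -> recent submission times

    def mark_verified(self, address):
        """Record that the owner of `address` proved control of it (e.g. by
        clicking a confirmation link); only then may it receive notifications."""
        self.verified.add(address.strip().lower())

    def _rate_limited(self, source):
        now = self.clock()
        recent = self._history[source]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()            # drop entries outside the window
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def submit(self, ticket, outbox, source):
        """Return a short status string; only 'accepted' queues an email."""
        addr = ticket["requester"].strip().lower()
        if not EMAIL_RE.match(addr):
            return "rejected: malformed address"
        if addr not in self.verified:
            return "rejected: requester not verified"
        if self._rate_limited(source):
            return "rejected: rate limited"
        outbox.append({"to": addr, "subject": ticket["subject"]})
        return "accepted"


def demo():
    """Run the constructed scenario through both intakes and return the
    resulting outboxes and hardened-intake decisions."""
    # Constructed sample: a ticket whose requester field is someone else's address.
    spoofed = {"requester": "victim@example.org", "subject": "Your account"}

    weak_outbox = []
    weak_intake(spoofed, weak_outbox)        # weak path: mail goes out unconditionally

    fake_clock = [100.0]
    hardened = HardenedIntake(max_per_window=2, window_s=60.0,
                              clock=lambda: fake_clock[0])
    hardened.mark_verified("alice@example.org")  # only alice has confirmed her address
    hard_outbox = []
    decisions = [
        hardened.submit(spoofed, hard_outbox, source="198.51.100.9"),
        hardened.submit({"requester": "not-an-address", "subject": "x"},
                        hard_outbox, source="198.51.100.9"),
        hardened.submit({"requester": "alice@example.org", "subject": "Login help"},
                        hard_outbox, source="203.0.113.4"),
        hardened.submit({"requester": "alice@example.org", "subject": "Follow-up"},
                        hard_outbox, source="203.0.113.4"),
        hardened.submit({"requester": "alice@example.org", "subject": "Third"},
                        hard_outbox, source="203.0.113.4"),
    ]
    return weak_outbox, hard_outbox, decisions


if __name__ == "__main__":
    for item in demo():
        print(item)
```

    The design point is ordering: verification and validation run before the rate limiter, so the limiter only has to absorb traffic from requesters who have already proven they control the address. Rate limiting alone, as the incident shows, still lets a determined sender push a large burst through.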

    Read more about the attack.

    Analyzing ClickFix: The browser-based technique behind infostealer breaches

    Browser-based attacks, such as ClickFix and fake CAPTCHA schemes, which trick users into running malicious scripts that deliver malware like infostealers and keyloggers, are a growing threat. These attacks often lead to data theft, ransomware deployment, and double extortion, posing significant challenges for cybersecurity teams in detection and response.

    What happened

    These browser-based attacks are becoming a prevalent method for cybercriminals to breach security. They trick users into interacting with malicious scripts, enabling the delivery of malware like infostealers, keyloggers, and remote access software. Once inside, attackers steal session cookies and credentials to compromise business applications and services. The stolen data is often used for ransom, with ransomware sometimes deployed as a secondary extortion tactic.

    Why it matters

    Browser-based attacks represent a significant evolution in cyber threats, targeting user interactions to bypass traditional security measures. They exploit vulnerabilities in human behavior and browser security, making them difficult to detect and prevent. For cybersecurity personnel, this means adapting to a new threat landscape where traditional defenses may no longer suffice. The use of stolen session cookies and credentials to infiltrate business systems poses a direct risk to sensitive data and operational continuity. The double extortion model, combining data ransom with ransomware, amplifies the financial and reputational damage for victims. Understanding and mitigating these threats is crucial for maintaining robust cybersecurity defenses in an increasingly sophisticated attack environment.

    Four practical tips for security leaders

    1. Educate Users: Train employees to recognize and avoid interacting with suspicious browser prompts, such as fake CAPTCHAs or unexpected copy-paste actions.
    2. Enhance Detection Tools: Invest in advanced detection systems capable of identifying malicious scripts and unusual browser behaviors.
    3. Monitor Session Activity: Implement monitoring solutions to detect unauthorized use of session cookies and credentials.
    4. Prepare for Double Extortion: Develop incident response plans that address both data ransom and ransomware scenarios to minimize impact.
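
    As an added example of tip 3 (not code from the article or any vendor), the following detector runs over a few constructed web-access log lines and flags a session id that reappears with a different client fingerprint than the one that established it. A session cookie lifted by an infostealer and replayed from the attacker's machine typically shows up exactly this way: same session, new user-agent and/or new source IP. The log format, field names and addresses are all invented for this illustration.

```python
"""Added example (not from the article): flag reuse of a session cookie from a
client fingerprint different from the one that created the session."""
import json

# Constructed sample log: one JSON object per line with the fields a web
# front end would normally record (timestamp, session id, client IP, UA, path).
SAMPLE_LOG = """
{"ts": 1700000000, "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "path": "/login"}
{"ts": 1700000030, "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "path": "/dashboard"}
{"ts": 1700000200, "sid": "s2", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "path": "/login"}
{"ts": 1700000400, "sid": "s1", "ip": "192.0.2.55", "ua": "python-requests/2.31", "path": "/api/export"}
{"ts": 1700000500, "sid": "s2", "ip": "198.51.100.8", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "path": "/mail"}
"""


def parse_log(text):
    """Parse JSON-lines access records, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count these as parse errors
    return events


def detect_session_reuse(events):
    """Return alerts for events whose session id is already bound to a
    different (ip, user-agent) pair.

    A changed user-agent on an existing session is treated as high severity:
    browsers do not change their UA string mid-session, so this strongly
    suggests the cookie is being replayed by different software. An IP change
    alone is medium severity because roaming clients do change address."""
    first_seen = {}  # sid -> (ip, ua) recorded when the session first appears
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["sid"]
        if sid not in first_seen:
            first_seen[sid] = (e["ip"], e["ua"])
            continue
        ip0, ua0 = first_seen[sid]
        reasons = []
        if e["ua"] != ua0:
            reasons.append("user-agent changed")
        if e["ip"] != ip0:
            reasons.append("source ip changed")
        if not reasons:
            continue
        severity = "high" if e["ua"] != ua0 else "medium"
        alerts.append({
            "sid": sid,
            "ts": e["ts"],
            "severity": severity,
            "path": e["path"],
            "reasons": reasons,
            "original": {"ip": ip0, "ua": ua0},
            "observed": {"ip": e["ip"], "ua": e["ua"]},
        })
    return alerts


def run_sample():
    """Convenience wrapper: parse the embedded sample and return its alerts."""
    return detect_session_reuse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

    In production the response to a high-severity hit is to invalidate the session server-side and require re-authentication, rather than merely logging it; the detector binds a session to the first fingerprint it sees, so it should run on the same stream that records logins, not on a sampled subset.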

    Read more about these breaches.

    North Korean hackers infiltrate drone development firms

    North Korean hackers, likely from the Lazarus Group, have targeted European drone development firms in a cyberespionage campaign to steal proprietary UAV technology. The attacks, involving social engineering and malware like ScoringMathTea, aim to bolster North Korea's drone capabilities for military use.

    What happened

    The Lazarus Group has infiltrated several European companies involved in drone development and defense. These attacks, which began in March, targeted firms in Southeastern and Central Europe, including those producing UAVs used in the Ukraine conflict. The hackers employed social engineering tactics to deliver malware, such as ScoringMathTea, granting them full system control. Evidence suggests the campaign aimed to steal manufacturing know-how and proprietary drone technology. North Korea has prioritized advancing its UAV capabilities, as seen in its recent unveiling of drones resembling U.S. military models. The attacks highlight the regime's reliance on cyberespionage to accelerate its military advancements.

    Why it matters

    This campaign underscores the persistent threat posed by nation-state actors like North Korea, particularly in critical industries like defense and aerospace. The use of social engineering and malware highlights the need for robust employee training and endpoint security measures. The Lazarus Group's tactics, such as Operation Dream Job, exploit human vulnerabilities, making them difficult to detect and prevent. The theft of proprietary technology not only compromises the targeted companies but also has broader implications for global security and military balance. Cybersecurity personnel must stay vigilant against evolving threats, especially those leveraging sophisticated espionage techniques. This incident serves as a reminder of the critical role cybersecurity plays in protecting intellectual property and national security.

    Four practical tips for security leaders

    1. Enhance Employee Training: Educate staff on recognizing and avoiding social engineering tactics, such as fake job offers and phishing attempts.
    2. Implement Endpoint Protection: Deploy advanced endpoint detection and response (EDR) tools to identify and mitigate malware like ScoringMathTea.
    3. Monitor for Unusual Activity: Regularly audit network traffic and system logs for signs of unauthorized access or data exfiltration.
    4. Strengthen Vendor and Partner Security: Ensure that third-party vendors and partners adhere to strict cybersecurity protocols to prevent supply chain vulnerabilities.

    Read more about the campaign.
