Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns


This report by Cofense Intelligence discusses the abuse of legitimate .gov top-level domains by threat actors for phishing purposes from November 2022 to November 2024. Highlighting the vulnerability of these domains, particularly through open redirects and specific exploits like CVE-2024-25608, the article notes the prevalence of credential phishing campaigns, especially targeting U.S. government domains.

Affected: .gov domains, U.S. government, other government sectors worldwide

Key points:

  • Legitimate .gov domains are increasingly abused for phishing campaigns by threat actors.
  • Open redirects have become a common method to bypass secure email gateways (SEGs).
  • Credential phishing content was predominantly hosted on a limited number of .gov domains.
  • A significant portion of .gov domains misused had “noSuchEntryRedirect” in the URL paths.
  • U.S. government domains are among the most abused, primarily for open redirects.
  • Phishing emails often mimic Microsoft branding and bypass major SEGs.
  • A total of 20 different countries’ government domains were identified as being abused.
  • Some compromised government emails were used as command and control (C2) for malware.

MITRE Techniques:

  • Open Redirect (T1071.001): Threat actors leverage open redirect vulnerabilities to redirect users to malicious sites using compromised .gov domains.
  • Exploitation of Vulnerability (CVE-2024-25608): Exploitation of Liferay vulnerabilities in government websites for phishing campaigns.
  • Credential Dumping (T1003): Hosting credential phishing content using the redirected links from compromised domains.

Indicators of Compromise:

  • [URL] hxxp://momentum[.]princegeorgescountymd[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxp://myvirtualcare[.]health[.]nsw[.]gov[.]au/auth/logout?continue=//mesin[.]ft[.]unib[.]ac[.]id/sign/
  • [URL] hxxps://ecity[.]springfieldmo[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxps://biola[.]edu//shinro[.]edu[.]vn/doc//
  • [URL] hxxps://www[.]dol[.]ks[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxp://gemolong[.]sragen[.]pramukajateng[.]or[.]id/doc/
  • [Email Address] ee[.]sylhet[@]dphe[.]gov[.]bd
  • [Email Address] schedule-iv[.]hta[@]kp[.]gov[.]pk
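The open-redirect technique listed under MITRE Techniques and the URL indicators above share one shape: a government host whose `noSuchEntryRedirect` (or similar) query parameter carries a full URL to another site, sometimes chained through a second redirect. The following Python is an added defender-side example, not code from the Cofense report: it refangs the page's own URL indicators, walks the redirect chain one parameter at a time, and flags URLs whose entry host is a government domain but whose chain leaves it. The `noSuchEntryRedirect` parameter name and the `/c/blogs/find_entry` path come from the indicators; the other parameter names in `REDIRECT_PARAMS` are common redirect parameters added as an assumption, not taken from the report.

```python
"""Flag open-redirect URLs that abuse government hosts (e.g. the noSuchEntryRedirect pattern)."""
from urllib.parse import urlsplit, parse_qs

# Query parameters inspected for an embedded redirect target. "noSuchEntryRedirect" is the
# parameter seen in the page's IoCs; the remaining names are common redirect parameters
# included here as an assumption, not taken from the report.
REDIRECT_PARAMS = ("noSuchEntryRedirect", "continue", "redirect", "redirect_uri",
                   "returnUrl", "next", "url")
MAX_HOPS = 5  # guard against self-referential redirect loops

# The three URL indicators from the page, in their defanged form.
PAGE_IOCS = [
    "hxxp://momentum[.]princegeorgescountymd[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect="
    "hxxp://myvirtualcare[.]health[.]nsw[.]gov[.]au/auth/logout?continue=//mesin[.]ft[.]unib[.]ac[.]id/sign/",
    "hxxps://ecity[.]springfieldmo[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect="
    "hxxps://biola[.]edu//shinro[.]edu[.]vn/doc//",
    "hxxps://www[.]dol[.]ks[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect="
    "hxxp://gemolong[.]sragen[.]pramukajateng[.]or[.]id/doc/",
]


def refang(indicator: str) -> str:
    """Turn defanged threat-intel notation (hxxp, [.], [@]) back into a parseable string."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", ".")
                     .replace("[@]", "@"))


def is_gov_host(host: str) -> bool:
    """True for .gov hosts and country-code government hosts such as example.gov.au."""
    labels = host.lower().split(".")
    return "gov" in labels[1:]  # "gov" as a non-leading label: x.gov, x.gov.au


def redirect_chain(url: str, max_hops: int = MAX_HOPS) -> list:
    """Hosts visited if every redirect parameter is honoured, starting with the URL's own host.

    The chain stops at a hop without a redirect parameter, at a path-only (same-site)
    target, or after max_hops.
    """
    hosts = []
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        hosts.append((parts.hostname or "").lower())
        query = parse_qs(parts.query, keep_blank_values=True)
        target = next((query[name][0] for name in REDIRECT_PARAMS if name in query), None)
        if target is None:
            break
        if target.startswith("//"):      # protocol-relative target still leaves the site
            target = f"{parts.scheme}:{target}"
        if not urlsplit(target).netloc:  # path-only target stays on the same host
            break
        current = target
    return hosts


def classify(url: str) -> dict:
    """Describe one URL: its hop chain, the find_entry marker, and whether it leaves a gov host."""
    clean = refang(url)
    chain = redirect_chain(clean)
    return {
        "entry_host": chain[0],
        "chain": chain,
        "liferay_find_entry": "/c/blogs/find_entry" in clean and "noSuchEntryRedirect" in clean,
        "gov_open_redirect": is_gov_host(chain[0]) and any(h != chain[0] for h in chain[1:]),
        # Non-government hosts later in the chain are where a victim actually lands.
        "non_gov_landing_hosts": [h for h in chain[1:] if not is_gov_host(h)],
    }


def scan(urls) -> list:
    """Return the classification of every URL whose chain leaves a government host."""
    return [c for c in (classify(u) for u in urls) if c["gov_open_redirect"]]


if __name__ == "__main__":
    for hit in scan(PAGE_IOCS):
        print(hit["entry_host"], "->", " -> ".join(hit["chain"][1:]))
```

Run over the page's indicators, all three are flagged; the first one resolves to a three-host chain because the `.gov.au` hop itself carries a `continue=//...` parameter. Applied to proxy or SEG URL logs, the same check surfaces trusted-domain redirects before a user reaches the credential-harvesting page.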

Full Story: https://cofense.com/blog/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns