Prankster acquires Taliban Government domain amidst gov.af limbo
2nd September, 2021
The US and others may have withdrawn from Afghanistan, but many Afghan Government websites and email addresses under the .gov.af top-level domain are still very much dependent on services hosted outside of the country – mostly in the US.
By taking control of Afghanistan, the Taliban has inherited these government domains and now shares web hosting and mail servers with several other governments around the world, including the UK Government. In many cases, emails sent to .gov.af domains will be routed through US-hosted servers, presenting intelligence opportunities if the new Taliban government were to continue using them.
Afghanistan's Internet: who has control of what?
30th August, 2021
Bagram, formerly the site of the largest US military base in Afghanistan.
Over the past few weeks, the Taliban have taken control of substantially the whole of Afghanistan, with just Kabul Airport and the Panjshir Valley presently controlled by the US Military and the National Resistance Front of Afghanistan respectively.
Yet the situation with Afghanistan’s internet infrastructure is quite different to what anyone following the mainstream media might reasonably expect, as Afghanistan’s key internet resources – domains, IP addresses, routing and government communications – are controlled by a diverse set of entities subject to Western jurisdictions.
Who is in control of the .af domain?
Presently, .af’s DNS is run using Anycast DNS
services
from Packet Clearing House, a San Francisco based
not-for-profit organisation, and Gransy, a Czech
registrar and registry services provider. Packet Clearing House provides free
Anycast DNS services to
“developing-country ccTLD registries”, and Gransy provides free Anycast DNS
services to ccTLDs with fewer than
10,000 domains – .af has around 6K domains and is well within Gransy’s
criteria for a free service.
August 2021 Web Server Survey
25th August, 2021
In the August 2021 survey we received responses from 1,211,444,849 sites across 263,733,974 unique domains and 11,327,711 web-facing computers. This reflects a loss of 4.99 million sites, but a gain of 1.64 million domains and 67,600 computers.
The number of unique domains powered by the nginx web server grew by more than a million this month, while Apache's count fell by 916,000. This has extended nginx's lead in the domains metric, giving it a 29.8% share compared with Apache's 25.5%.
OpenResty gained 234,000 domains, but its market share remained static at 14.5%, while Cloudflare gained 726,000 domains and increased its market share to 7.72%.
The number of web-facing computers using nginx has continued to increase, this month by 49,000 (+1.18%). There are now 4.19 million web-facing computers running nginx, compared with 3.52 million that run Apache. Microsoft follows in third place with 1.38 million computers.
The web-facing computers metric has painted a remarkably stable trend over the past several years, as is evident in the graph below, with both Microsoft and Apache steadily falling while nginx has progressively climbed to first overtake Microsoft in 2017, and then Apache during 2020. There has also been a rise in "Other" web servers, which includes several nginx-based spinoffs such as OpenResty and Tengine.
Websites in Afghanistan
The Taliban offensive in Afghanistan has obvious potential to upset the country's internet infrastructure, but the extent of any changes may be limited. Afghanistan has had a relatively small presence on the web throughout the past 20 years, and many of its sites were already hosted outside of the country and used generic top-level domains to avoid interference from the Taliban.
This month's survey found only 8,031 websites hosted in Afghanistan, and 23,205 sites that use Afghanistan's .af country-code top-level domain (ccTLD). More than two-thirds of the latter are hosted in the US, and more than 2,000 are hosted in Germany – although any site that relies on a .af domain would still be vulnerable to interruption by the country's new government, should it desire.
Nearly 1,000 of the .af sites are Afghan Government websites that fall under the .gov.af second-level domain – such as president.gov.af and kabul.gov.af – but surprisingly, less than half of these are hosted in Afghanistan, with the rest being hosted in the US, Germany, Singapore, France, Canada, UK, Netherlands, Ireland and India.
Even more surprisingly, dozens of the .gov.af sites hosted in the US and Germany are used to host webmail services, potentially putting Afghan Government communications in easy reach of external intelligence agencies.
Other vendor and hosting news
- Microsoft has announced the general availability of Azure Government Top Secret. The new air-gapped Azure regions are intended to handle national security workloads at the US Top Secret level.
- Microsoft also announced its new Azure Healthcare APIs, which provide pipelines to manage protected health information data at scale.
- Statistics collected by Azure DDoS Protection showed a shift towards attacks against web applications in the first half of 2021.
- Apache Tomcat 10.0.10 was released on 5 August, followed by Tomcat 10.1.0-M4 (alpha) and Tomcat 9.0.52 on 6 August, and Tomcat 8.5.70 on 16 August. All four of these releases correct the regression of an HTTP/2 flow control bug in their previous versions.
- OpenResty 1.19.9.1 was released on 6 August. This version of the web platform based on nginx and LuaJIT now uses nginx 1.19.9 (a mainline release from 30 March) as its core, and also includes some LuaJIT fixes.
| Developer | July 2021 | Percent | August 2021 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 444,524,631 | 36.54% | 441,930,791 | 36.48% | -0.06 |
| Apache | 311,567,368 | 25.61% | 305,180,858 | 25.19% | -0.42 |
| OpenResty | 75,464,874 | 6.20% | 75,516,218 | 6.23% | 0.03 |
| Cloudflare | 54,611,856 | 4.49% | 55,830,630 | 4.61% | 0.12 |
FluBot Android malware now targets UK banks
24th August, 2021
FluBot has built up a community of compromised Android phones in the UK since April and in the past 24 hours has commenced monetising them by sending overlays for British Banks.
FluBot first appeared in 2020, targeting mainly Spanish banks, but recently it has spread its reach, with Australian, German and Polish banks all affected within the last few weeks. UK banks are now firmly in its sights, with HSBC and Santander the first to be affected, and Lloyds and Halifax following shortly after.
Post Office is new prime target in UK parcel delivery phishing attacks
22nd August, 2021
The coronavirus pandemic resulted in the closure of many bricks and mortar retail stores, forcing UK consumers to adopt online shopping more than ever before. This trend has largely continued in spite of many stores since reopening, as millions of consumers have become accustomed to the practical benefits of online shopping.
Along with this increased volume of online shopping came a new trend of phishing attacks where cybercriminals impersonate parcel delivery companies in an attempt to steal financial details from their victims. Royal Mail and Hermes were popular targets for these types of attack, but most new attacks now impersonate the Post Office.
A typical text message used to lure victims to a phishing site that impersonates the Post Office.
These attacks are typically disseminated via text message, informing the victim that they have missed a delivery. Sometimes the messages say up front that the recipient must rebook the delivery by paying a small surcharge. The relatively small surcharge is often sufficient to trick victims into believing the phishing site is legitimate, or at least that any risk is minimal, allowing the phisher to obtain the victim’s details and potentially steal a much larger amount.
As most of the attacks are orchestrated via text message, the phishing sites are usually hosted with purpose-bought domain names that include the targeted company’s name in an attempt to be convincing. Some examples include:
- myhermes-youritem.com
- reschedule-postoffice.com
- royalmail-customer.com
- dpd.delivery.150227811923.com
Some messages instead use generic URL shorteners to take victims to the phishing sites, but this would not necessarily be viewed as suspicious by all recipients, as the use of URL shorteners is commonplace even in legitimate text messages.
Most of the phishing kits used in these attacks also attempt to evade detection by blocking unwanted clients such as bots and anti-phishing organisations, but Netcraft successfully circumvents these checks.
Navigating through a simple Hermes phishing site that is optimised for mobile devices. The victim is redirected to the real Hermes website after their details have been stolen.
After impersonating the delivery company, some of these phishing attacks proceed to also impersonate one of several UK banks. This gives the criminal an opportunity to steal additional credentials that are specific to each bank, such as online banking security codes and other tokens that would likely be used to gain unauthorised access to the victim’s bank account.
Some attacks - particularly those that do not use the phishing site to directly impersonate the victim’s bank - are followed up by a phone call from the cybercriminal, who will use the information stolen by the phishing site to convince the victim that it is a genuine call from their bank regarding the payment they just made. This provides a more interactive opportunity for the criminal to obtain the information required to gain access to the victim’s bank account, including time-sensitive OTP codes.
Resurgent FluBot malware targets German and Polish banks
17th August, 2021
Netcraft’s research into the Android banking malware FluBot confirms that its operations are expanding rapidly, with a spike in the number of malware distribution pages deployed, and finance applications affected in greater numbers.
In recent days new overlays have been distributed that target a number of Polish and German banks, only days after news that FluBot has begun to target Australian banks.
FluBot is distributed in the first instance using text messages, containing links to so-called “lure” pages: web pages unintentionally hosted by compromised web servers, commonly impersonating parcel tracking services, or voicemail notifications. Lure pages attempt to induce visitors to download the malware.
Text messages impersonating delivery companies, directing victims to FluBot lure sites