ThreatActor Wildcard is a sophisticated entity known for its malicious activities, including phishing, malware distribution, and other cyber threats. The group employs innovative tactics such as using the /mo parameter to specify the last day of the month and the /m parameter with the wildcard character (*) to indicate that their program runs on the last day of every month. They also utilize evasive strategies like cloaking harmful content and exploiting wildcard DNS to prevent detection of their campaigns. A wildcard search on a Threat Intelligence API revealed eight domains linked to this group, further emphasizing their extensive threat landscape.
The group's operations have exposed several vulnerabilities in popular security configurations. One such vulnerability exists due to an input validation error caused by using the wildcard ("**") as a pattern in Spring Security configuration with the mvcRequestMatcher. This creates a mismatch in pattern matching between Spring Security and Spring MVC, potentially allowing unauthorized access. Similarly, another flaw was found in the LDAPLoginModule implementation in Apache ActiveMQ 5.x, which allows wildcard operators in usernames, enabling remote attackers to obtain credentials via brute force attacks.
Despite the threats posed by Wildcard, there are mitigation strategies available. For instance, Wildcard SSL can authenticate websites and provide full encryption to all subdomains within a single domain, offering a cheaper option than encrypting the subdomains individually. In addition, the processing of wildcard records has changed between BIND 8 and BIND 9, potentially offering more robust protection against such attacks. However, it is crucial for organizations to remain vigilant and proactive in their cybersecurity efforts to counteract the evolving tactics of threat actors like Wildcard.
Description last updated: 2024-03-14T17:25:56.505Z