Full Report
Cybercriminals exploit government websites using open redirects and phishing tactics, bypassing secure email gateway protections
Analysis Summary
# Threat Actor: Unspecified Cybercriminal Actors Exploiting Government Domains
## Attribution & Identity
Attribution is limited to "Cybercriminals" and "malicious actors." The activity is tracked by Cofense Intelligence across multiple countries. No specific threat group name is provided in the context.
## Activity Summary
Threat actors have been exploiting vulnerabilities in government (.gov) websites across numerous countries to conduct **credential phishing campaigns** and leverage domains for **Command-and-Control (C2)** or redirection. This activity, observed between November 2022 and November 2024, exploits inherent user trust in government websites. A dominant tactic involved using legitimate domains for **open redirects** to lead victims to malicious sites, circumventing Secure Email Gateways (SEGs).
## Tactics, Techniques & Procedures
- **Open Redirect Exploitation:** Abusing `.gov` domains to redirect users to external, malicious sites without proper validation.
- **Credential Phishing:** Hosting phishing pages or redirecting victims to domains designed to harvest credentials.
- **C2 Hosting:** Using compromised government email addresses as C2 servers for malware.
- **Vulnerability Exploitation:** Heavy reliance on the open redirect vulnerability in the Liferay digital platform (CVE-2024-25608), evidenced by nearly 60% of abused domains containing "noSuchEntryRedirect" in their paths.
- **Social Engineering:** Phishing emails, particularly those using US government domains, mimicked Microsoft services, often requesting users to sign agreements.
## Targeting
- **Sectors:** Government organizations globally (Public Sector).
- **Geography:** Over 20 countries targeted. Top three countries by abuse volume: **Brazil** (most abused), **Colombia** (second), and the **US** (third).
- **Victims:** Users interacting with the compromised government websites and email systems.
## Tools & Infrastructure
- **Malware Families Used:** Agent Tesla Keylogger and StormKitty, both observed being delivered through compromised government email accounts acting as C2.
- **Infrastructure:** Compromised `.gov` domains used for hosting phishing pages or acting as C2 servers.
## Implications
The exploitation of trusted government infrastructure highlights a significant method for bypassing established security controls such as SEGs (Microsoft ATP, Proofpoint, etc.). The prevalence of the Liferay open redirect vulnerability (CVE-2024-25608) suggests that outdated or misconfigured public-facing government platforms remain a critical entry vector, leading users to trust and click malicious links that appear to originate from official sources.
## Mitigations
- Implement stricter validation processes to prevent open redirects on web applications.
- Regularly update and patch software vulnerabilities, specifically addressing Liferay issues such as CVE-2024-25608.
- Increase user awareness and training to help users recognize and mitigate risks associated with sophisticated phishing campaigns originating from trusted domains.
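To make the first mitigation concrete, the following added example (written for this summary, not code from Cofense or from Liferay) shows a redirect-target validator that only permits same-site destinations, plus a small detector that scans URLs for redirect parameters pointing off-site, which is the pattern behind the "noSuchEntryRedirect" abuse described above. The sample URLs and hostnames are constructed placeholders, and treating `noSuchEntryRedirect` as a query parameter is an assumption about the URL shape.

```python
from urllib.parse import urlparse, parse_qs, unquote


def is_safe_redirect_target(target: str, own_host: str) -> bool:
    """Allow only relative paths on this site or absolute URLs on own_host.

    Returns False for anything a browser could turn into an off-site hop:
    other hosts, other schemes, protocol-relative URLs and backslash tricks.
    """
    target = unquote(target).strip()
    # "//evil", "/\evil" and "\evil" are normalised by browsers into
    # external hosts, so reject them before parsing.
    if target.startswith(("//", "/\\", "\\")):
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: scheme must be web, host must match exactly.
        # urlparse already handles "user@host" so "own_host@evil" fails here.
        return parsed.scheme in ("http", "https") and parsed.hostname == own_host.lower()
    # Relative target: must be a site-rooted path, not "evil.test/..." etc.
    return target.startswith("/")


def find_external_redirects(urls):
    """Return (url, param, value) for every redirect parameter that leaves the site.

    Any query parameter whose name contains "redirect" is inspected; the
    site's own host is taken from the URL being checked.
    """
    hits = []
    for url in urls:
        parsed = urlparse(url)
        for name, values in parse_qs(parsed.query).items():
            if "redirect" not in name.lower():
                continue
            for value in values:
                if not is_safe_redirect_target(value, parsed.hostname or ""):
                    hits.append((url, name, value))
    return hits


# Constructed sample URLs; the hosts are placeholders, not real domains.
SAMPLE_URLS = [
    "https://portal.example.gov/web/guest/home?noSuchEntryRedirect=https%3A%2F%2Flogin-example.test%2Fsign",
    "https://portal.example.gov/web/guest/home?noSuchEntryRedirect=%2Fweb%2Fguest%2Fhome",
    "https://portal.example.gov/web/guest/home?noSuchEntryRedirect=%2F%2Flogin-example.test",
    "https://portal.example.gov/web/guest/home?noSuchEntryRedirect=https://portal.example.gov@login-example.test/",
]

if __name__ == "__main__":
    for url, name, value in find_external_redirects(SAMPLE_URLS):
        print(f"off-site redirect: {name}={value!r} in {url}")
```

Only the second sample URL (a site-rooted path) passes; the absolute, protocol-relative and userinfo-prefixed targets are all flagged.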