Neu Cyber Threats – 10th June 2021
Cyber criminals benefitting as businesses utilise cyber insurance
Ransomware victims are increasingly falling back on their cyber-insurance providers to pay the ransom when they’re hit with an extortion cyberattack. But this approach can quickly become problematic. In the first half of 2020, ransomware attacks accounted for 41% of the total number of filed cyber-insurance claims.
The research shows just how prevalent ransomware attacks against businesses still are in 2021, with attacks continuing to rise over the past two years, a situation exacerbated by the COVID-19 pandemic. By claiming on their cyber-insurance, though, businesses are encouraging cyber criminals to continue their notorious work.
Many organisations have paid ransoms of over £300,000 through their cyber-insurance plans. Ransoms are usually paid by victims to regain access to their own systems or data, after criminals have taken control of them and encrypted their data. Depending on the business, this could bring operations to a complete halt and cause far greater monetary loss in downtime costs.
The use of cyber-insurance specifically to cover negotiations and the ransoms themselves doesn’t sit well, though. As we mentioned earlier, making a ransomware payment not only places an organisation in a potentially questionable legal position, it also proves to the cyber criminals that you were worth targeting, as you have funded their attack on you!
Neuways advises businesses of all shapes and sizes to have a robust, multi-layered Business Continuity & Disaster Recovery plan in place, to prevent the need to pay ransoms and claim on your cyber-insurance policy. With regular backups taken consistently, businesses can negate the cost of a successful ransomware attack. Training and awareness are also key factors when taking preventative measures against cyber attacks. Ensure your staff are aware of the threats currently being circulated by cyber criminals. This gives them a better chance of spotting a phishing campaign and dealing with it appropriately, rather than it affecting the business negatively.
Cyber criminals targeting victims through Google Ads
Researchers have tracked down the origins of several increasingly prevalent information stealers that threat actors are delivering via pay-per-click (PPC) ads in Google’s search results.
Over the past month, researchers have found that paid ads that appear on the first page of search results have led to downloads of malicious AnyDesk, Dropbox and Telegram packages wrapped as ISO images. Just a week ago, rigged AnyDesk ads were found to be serving up a trojanised version of the programme.
This time around, the Google PPC ads targeted specific IP ranges – hinting that this is a targeted attack with victims that have been scouted out before being hit. Non-targeted IPs are redirected to legitimate pages that download the correct applications.
Google says it uses proprietary technology and malware detection tools to ‘regularly scan all creatives’, as well as forbidding ads that try to call fourth parties or sub-syndicate to uncertified advertisers. The tech giant also states that it pulls ads distributing malware, and that authorised buyers whose ads are found to contain malware are placed on a minimum three-month suspension.
Despite all of this, scam adverts consistently evade Google’s security checks and repeatedly pop up at the top of search results. Many of these attacks have succeeded because cyber criminals spend real money on Google AdWords, having figured out how to evade Google’s malvertising screening, with many setting up websites with signed, legitimate certificates – for around two weeks – which are designed to mislead website visitors.
Researchers describe the attacks starting with one of a dozen paid Google ads that lead to a website offering an ISO image download – one that’s large enough to slip under the radar of scanners. It is fairly simple to take a legitimate program and pack it with malicious payloads, pay an ad hosting provider and post the content, which makes this type of attack particularly easy to carry out.
Neuways advises users to be wary of clicking on the first set of results you see, which are Google Ads, to avoid becoming the next victim of these types of scams.
WordPress plug-in experiences critical flaw
At the end of May 2021, a critical file upload vulnerability in Fancy Product Designer—a WordPress plugin installed on over 17,000 websites—was discovered to be under active exploitation by cyber criminals. The Fancy Product Designer plugin enables WordPress customers to upload images and PDF files to be added to products. While the unpatched plugin had some checks in place to prevent malicious files from being uploaded, the checks turned out to be insufficient and could be easily bypassed. This, in turn, allowed threat actors to upload executable PHP files to any site with the unpatched plugin installed and achieve remote code execution on the affected site, allowing full site takeover.
E-commerce websites appear to be most under threat from cyber criminals, who attempt to extract order information from website databases. This order information contains personally identifiable information (PII) of customers, so any business running a vulnerable version of the Fancy Product Designer plugin would be in breach of GDPR rules if its website were exploited. Any website that has the Fancy Product Designer plugin installed and hasn’t updated to the patched version 4.6.9—available as of June 2—is vulnerable.
Neuways urges WordPress users whose website carries the plugin to update to the patched version, 4.6.9, immediately. This critical zero-day vulnerability is under active attack and is exploitable in some configurations even if the plugin has been deactivated, so we recommend updating it to the latest version available rather than simply deactivating it.
Follow these steps to get the latest version:
- Log in to codecanyon.net.
- Once you are logged in, you should be able to visit the product page: https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393.
- In the ‘Overview’ sidebar on the right-hand side of the product page, you should see a ‘download’ link available to click.
- Once you have downloaded the updated version of the plugin, log in to your WordPress site and go to: Plugins->Add New->Upload Plugin to upload the updated plugin.
- If you are an e-commerce platform and believe you may have been targeted, you may also want to check for indicators of compromise, which typically appear as PHP files within a subfolder of wp-admin or wp-content/plugins/fancy-product-designer/inc and include the date the file was uploaded within the file name.
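The check described in the last step, as an added example that is not code from the Neuways article or from the plugin vendor: a read-only scan of a WordPress document root for PHP files sitting in a subfolder of wp-admin or under wp-content/plugins/fancy-product-designer/inc whose file name carries a date stamp (the directory paths and the date-in-name trait come from the article; the sample site tree and its file names are constructed here).

```shell
#!/bin/sh
# scan_fpd_iocs DOCROOT -> prints one suspicious path per line (nothing if none found).
# Real WordPress ships many PHP files under wp-admin subfolders, so a PHP file there is
# only flagged when its name contains a date stamp such as 2021-06-02 or 20210602,
# which is the trait the article gives for these uploaded files. This is a heuristic:
# review any hit by hand and compare it with a clean copy of the plugin.
scan_fpd_iocs() {
    {
        # PHP files below a subfolder of wp-admin (not in wp-admin itself)
        find "$1/wp-admin" -type f -path "$1/wp-admin/*/*" -name '*.php' 2>/dev/null
        # PHP files anywhere under the plugin's inc directory
        find "$1/wp-content/plugins/fancy-product-designer/inc" -type f -name '*.php' 2>/dev/null
    } | grep -E '/[^/]*[0-9]{4}-?[0-9]{2}-?[0-9]{2}[^/]*\.php$' || true
}

# make_sample_tree -> creates a constructed WordPress-like tree and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin/includes" "$root/wp-admin/css" \
             "$root/wp-content/plugins/fancy-product-designer/inc"
    # Benign files (constructed): no date stamp in the name, must not be flagged
    touch "$root/wp-admin/index.php"
    touch "$root/wp-admin/includes/plugin.php"
    touch "$root/wp-content/plugins/fancy-product-designer/inc/class-fpd.php"
    # Constructed suspicious uploads, named the way the article says indicators look
    touch "$root/wp-admin/css/2021-06-02-upload.php"
    touch "$root/wp-content/plugins/fancy-product-designer/inc/fpd20210531.php"
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed tree; on a real site call
# scan_fpd_iocs /path/to/wordpress instead.
site=$(make_sample_tree)
echo "Suspicious PHP files under $site:"
scan_fpd_iocs "$site"
rm -rf "$site"
```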
Return to the office leads to spear phishing ploys
With COVID-19 restrictions lifting and workers slowly making their way back to the office, cyber criminals are preparing their best spear phishing ploys. The latest scam includes bombarding recipients with emails pretending to be from key members of staff welcoming employees back into offices.
Some of the phishing emails outline a company’s COVID-safe guidelines while attempting to steal both company and individual credentials. In several of the emails, the body appears to have been sent from a source within the company, showing the company’s logo in the header and being falsely signed off by the CIO.
The phishing email prompts victims to click through to a fake Microsoft SharePoint page with two company-branded documents, both outlining new business operations. At this step the victim is not prompted to input any credentials – an intentional move to add further depth and credibility to the attack. However, if a victim decides to interact with either document, a login panel prompts them to provide login credentials to access the files.
This is an uncommon trait among many Microsoft phishing pages, where the usual link opens an authenticator panel. By giving the files the appearance of being real and not re-directing to another login page, the user may be more likely to supply their credentials in order to view the updates. Another twist on the tactic serves up the message, “Your account or password is incorrect”, several times before taking the victim to an authentic Microsoft page, which makes them think they’ve successfully accessed the files.
As more and more businesses return to the office, on a flexible, hybrid basis, it is something to beware of. Cyber criminals have used the pandemic to their advantage to scam businesses out of money and access to their systems, and these incidents are no different, unfortunately. As with any kind of phishing email campaign, Neuways advises businesses to be wary of any unexpected communications that require an action from them. A PDF or hyperlink sent by a cyber criminal could lead to expensive downtime and an even pricier ransom.
Another week, another Apple security issue
New analysis has exposed just how widespread fraud is across the Apple App Store, while also offering a glimpse into the revenue generated by malicious activities carried out by cyber criminals. The App Store has been under pressure recently for maintaining its iron grip on the apps available to iOS users – which is said to be for security reasons.
However, fresh data from The Washington Post suggests otherwise, showing that of the top 1,000 grossing apps, 2% are scams. Notably, these apps have billed Apple customers over £33 million while they’ve been available in the store, and Apple gets a 30% cut of every transaction.
An array of scam apps covering everything from fake VPN services to fraudulent dating apps was found. Fleeceware apps, which charge exorbitant subscription fees after a free trial period, were also prevalent, with fake reviews continuing to drive up their ratings. This is particularly concerning: if an employee downloaded one of the fraudulent apps onto a device they also use for work, it could eventually lead to a business network compromise if it goes unnoticed.
Interestingly, even though Google doesn’t rely on a security argument to control app access — although it does screen apps before they are published — analysis found 134 fleeceware apps on the App Store and just 70 on the Play Store, earning over £250 million and £27 million respectively. This shows both marketplaces are clearly dealing with a wave of fraudulent applications that users need to be wary of when downloading new apps.
Apple has dealt with a series of security woes lately. The company’s Find My Device function was recently found to be vulnerable to data theft. And in March, Apple rushed out a fix for a memory-corruption bug. The same month, cybercriminals were targeting Apple developers with a trojanised Xcode project to install a backdoor for spying and data exfiltration.