Neu Cyber Threats – 11th February 2021
Ransomware attacks are bombarding manufacturing companies around the world. The attacks are causing significant downtime for the victims, resulting in a lag in production levels. One of the victims, WestRock, the second-largest packaging company in the U.S.A., is only now beginning to restore its systems, two full weeks after the ransomware attack was discovered on 23 January.
The company’s operational technology (OT) systems were affected, which brought several factory processes, including mill system production and packaging-converting operations, to a halt. There is now a fear that the attack has not only cost revenue through lost production but has also damaged the reputation of the business. For businesses of this type, the impact of such attacks can extend beyond the financial and reputational to include supply-chain disruption or even physical danger for employees.
While it is not yet clear what the cause of the attack was, this latest hit on a manufacturing company should serve as a timely reminder to other businesses of the kind of damage ransomware attacks can inflict. At Neuways we would advise businesses to ensure employees are aware of the latest scams out there, so that should they be the recipient of a phishing email, they will know not to engage with it.
A fake version of WhatsApp is being used to snoop on users and steal their sensitive data. The app, which can be downloaded from the Apple App Store for iPhone devices, appears to gather the device’s unique identifier (the UDID assigned by Apple) as well as its IMEI.
The SolarWinds hack continues to affect businesses around the world. Three serious vulnerabilities have been found in SolarWinds products: two in the Orion User Device Tracker and one in the Serv-U FTP for Windows product. Some of these could allow remote code execution with high privileges.
The Orion platform is the network management tool at the heart of the recent attack against several U.S. government agencies, tech companies and other high-profile targets. The platform allows users to manage devices, software and firmware versioning, applications and so on, giving full visibility into enterprise customer networks.
These fresh vulnerabilities were not used in the spy attack, but admins should apply patches as soon as possible to avoid any further issues. The most critical bug (CVE-2021-25274) does not require local access and allows complete remote control over SolarWinds Orion without the attacker needing any credentials. The platform’s installation uses Microsoft Message Queuing (MSMQ), a two-decade-old technology that is no longer installed by default on modern Windows systems; this could let any remote, unprivileged user execute arbitrary code with the highest privileges.
The second bug (CVE-2021-25275) is also in the Orion platform. It allows unprivileged users who can log in locally or over Remote Desktop Protocol (RDP) to obtain the cleartext password for the Orion platform’s backend database account, called SolarWindsOrionDatabaseUser, which lets them masquerade as an admin and steal information.
The underlying problem is that SolarWinds stores these credentials insecurely, which could allow local users, regardless of their privileges, to take complete control over the Orion database.
The third issue (CVE-2021-25276) is in SolarWinds Serv-U FTP, a product used for secure transfer and large file-sharing. It allows local privilege escalation, giving attackers the ability to read, write to or delete any file on the system.
Neuways advises any SolarWinds users to apply available patches as soon as possible to avoid any further issues which may compromise your systems.
The LodaRAT malware, previously seen targeting Windows devices, has now also been discovered targeting Android devices in a new espionage campaign that spies on victims.
Alongside this, an updated version of LodaRAT for Windows has been identified. Previous versions of LodaRAT have contained credential-stealing capabilities that researchers speculated were used for draining victims’ bank accounts, while this newer version comes with a full repertoire of information-gathering commands.
LodaRAT was first discovered in 2016. It is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording from the microphones and webcams of their devices. Multiple new versions of the malware have been created since, as it appears to be distributed by several groups of cyber criminals.
The most recent campaign involved emails sent to victims with links to malicious applications or documents. In the Windows-targeting attack, the cyber criminals exploited CVE-2017-11882 (a remote code-execution vulnerability in Microsoft Office), which, once the malicious documents were opened, allowed them to download LodaRAT.
The Android version of the malware collects location data and records audio, and also takes photos and screenshots once installed on a device. Not opening malicious documents and links in emails is important to avoid a cyber attack on your business. By looking out for the traits of social engineering, such as emotive messaging, grammatical errors and incorrect logos, you are more than likely to prevent damaging attacks on your business.
Malicious Google Chrome extensions are being used by cyber criminals to exfiltrate data. The tactic takes advantage of Google’s cloud syncing function to redirect confidential credentials, such as account names and passwords.
Attackers have been found to plant malicious extensions directly on targets’ computers, rather than uploading them to the Chrome Web Store for victims to download. The add-on is named “Forcepoint Endpoint Chrome Extension for Windows,” and the attackers have copied the security company’s logo to try and make it appear legitimate.
Once the cyber criminals have compromised a system (how they do so is unclear at the moment), they place the extension in a local folder and load it directly into Chrome on the compromised workstation. This takes advantage of a legitimate Chrome feature: enabling Developer mode on the extensions page allows a user to load any extension directly from a local folder.
The goal of the cyber criminals seems to be to take advantage of browser activity on the compromised device. This means that any web application used in the browser, such as an internal CRM, document management system or access rights management system, can be affected by a loaded extension.
User credentials have additionally been stolen from Chrome’s cloud syncing feature as a result. Company admins are advised to monitor the Chrome extensions in use across their business, as this would allow them to stop the tactic succeeding. Google lets admins do this through policies that define exactly which extensions are approved and block everything else.
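As an added illustration (not code from the original article or from Google), the check below reads the extension settings a Chrome profile keeps in its Preferences file and flags any extension that was side-loaded from a local folder or is not on the organisation’s approved list. The file layout, the numeric location codes and the sample IDs and paths are assumptions and constructed data, not values taken from the article.

```python
import json

# Chrome's Manifest::Location codes as recorded in the "location" field of a
# profile's Preferences / Secure Preferences JSON (assumed from Chromium source):
# 4 = loaded unpacked via Developer mode, 8 = loaded with --load-extension.
# Anything else came from the Web Store, an external installer or enterprise policy.
SIDELOADED_LOCATIONS = {4: "unpacked (Developer mode)", 8: "--load-extension"}

# Constructed sample of the relevant part of a profile's preferences file
# (on Windows normally %LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure
# Preferences; on Linux ~/.config/google-chrome/Default/Preferences).
# IDs, names and paths are made up for the example.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "location": 1, "state": 1,
            "manifest": {"name": "Approved password manager", "version": "3.1"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "location": 4, "state": 1,
            "path": "C:\\Users\\Public\\fp_ext",
            "manifest": {"name": "Forcepoint Endpoint Chrome Extension for Windows",
                         "version": "1.0"}},
        "cccccccccccccccccccccccccccccccc": {
            "location": 9, "state": 1,
            "manifest": {"name": "Policy-installed CRM helper", "version": "2.0"}},
    }}
})

# Extension IDs the organisation has approved (constructed for the example).
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "cccccccccccccccccccccccccccccccc"}


def audit_extensions(prefs_json: str, approved_ids: set) -> list:
    """Return one finding per extension that is side-loaded from a local folder
    and/or not on the approved list. Each finding lists every reason it was flagged."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, info in settings.items():
        reasons = []
        loc = info.get("location")
        if loc in SIDELOADED_LOCATIONS:
            reasons.append(f"side-loaded via {SIDELOADED_LOCATIONS[loc]} "
                           f"from {info.get('path', '<unknown path>')}")
        if ext_id not in approved_ids:
            reasons.append("not on approved list")
        if reasons:
            findings.append({"id": ext_id,
                             "name": info.get("manifest", {}).get("name", "<unknown>"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS, APPROVED_IDS):
        print(f"{f['id']}  {f['name']}: {'; '.join(f['reasons'])}")
```

Pointing the script at each workstation’s real preferences file and a central approved list turns the article’s advice to monitor extensions into a repeatable check.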
A new phishing campaign has managed to avoid Microsoft’s native security defences in an attempt to steal Microsoft 365 credentials – by using Google Firebase to bypass email security measures in Outlook.
Invoice-themed emails have been sent to at least 20,000 mailboxes, claiming to give information about an electronic funds transfer (EFT) payment. The emails carry the fairly common subject line “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.
When a user clicks that link, a series of redirects takes them to a page with Microsoft Office branding that is hosted on Google Firebase. The phishing page harvests any Microsoft log-in information, secondary email addresses and phone numbers the user decides to enter, giving the attackers access to company accounts.
Cyber criminals can then use these compromised credentials to send emails in the victim’s name to trick customers, partners, acquaintances and family members into falling for the same scam. The file is hosted on Google Firebase, a development environment typically used for building custom web and mobile apps for internal business use.
In 2020, a series of phishing campaigns took advantage of Google Firebase storage URLs, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.
By using Multi-Factor Authentication (MFA) and password management systems, companies can avoid letting cyber criminals into their business. Additionally, by ensuring employees are engaging with Phishing Awareness Training, they’ll be able to identify common scam email practices.