Neu Cyber Threats – 12th August 2021
Ransomware attacks continue to increase around the world
Ransomware has seen a significant increase so far in 2021: global attack volume rose by 151% in the first half of the year compared with the same period last year, and security organisations warn that around 100 different strains are now circulating around the world. The number of known attempted ransomware attacks so far this year sits at around 304.7 million, with a large chunk of the year still to go. To put that in perspective, 304.6 million ransomware attempts were logged for the whole of 2020.
Researchers have claimed that the top three ransomware strains seen in the wild are Ryuk, Cerber and SamSam. With 93.9 million recorded Ryuk incidents in the first half of 2021, Ryuk attempts have tripled compared with the first six months of 2020. Similar trends for Cerber and SamSam spell trouble for businesses, as cyber criminals expand their reach with the malware, putting 2021 on course to be the worst year on record for ransomware attacks.
Europe and the UK in particular are feeling the hit of ransomware the most, behind the USA. Europe felt the brunt of the spike in volume, with a 234% rise in ransomware attacks in the first half of 2021, while the UK became the second-ranking country for ransomware volume, with attacks rising by 144%.
As a result, it is imperative that now, more than ever, businesses continue to invest in their cyber security defences as much as they possibly can. Most ransomware attacks begin with a simple phishing email campaign. These campaigns are sent to thousands of businesses every day, and the content usually asks the recipient to open a hyperlink or an email attachment. The language of the email is often poorly written and badly formatted, but cyber criminals frequently use company logos, such as Microsoft's or Google's, to appear legitimate. As soon as a user opens the hyperlink or attachment they may be exposing their company's corporate network to the attackers: the malware infiltrates the company silently and the ransomware attack begins.
At this stage the cyber criminals could be exfiltrating company data, holding the business to ransom by preventing it from operating, and even using the company's contact list of customers and suppliers to spread the ransomware further. Ransomware attacks can be costly and devastating to businesses: the downtime they cause runs to thousands of pounds in lost business and trade, on top of the reputational damage that comes with them. Companies therefore have to invest not only in cyber security measures such as Business Continuity and Disaster Recovery plans, which help them bounce back from ransomware attacks, but also in Phishing Awareness Training. Note that backups the ransomware can reach will be encrypted along with everything else, so a recovery plan only works if it includes offline or otherwise isolated copies that are regularly test-restored. Comprehensive training from experts helps ensure that your employees, the gatekeepers to your business, can spot any phishing emails that manage to evade the anti-spam filters in place.
Phishing campaign uses SharePoint file-sharing lures
Cyber criminals are using spoofed sender addresses and Microsoft SharePoint lures in a new phishing campaign that can slip past the usual security protections and fool people into handing over their credentials. Researchers discovered the campaign targeting organisations that use Microsoft Office 365, abusing the file-sharing aspect of SharePoint.
The campaign spoofs display sender addresses that contain the targets' own usernames and domains, as well as display names that mimic legitimate services, to try to slip through email filters. The emails use a SharePoint lure in both the display name and the message body.
The email tells the recipient that someone has requested access to a shared folder. The sender masquerades as a colleague and includes a link to a phishing page. To appear authentic, the file is said to contain legitimate business content, such as staff reports. If the user takes the bait, they are eventually directed to a phishing page that asks them to sign into Office 365 with their real credentials.
The file-sharing capability of the SharePoint collaboration platform is a popular target for threat actors, especially as its use has increased during the pandemic with so many people working from home. Bear in mind that a sender address is not proof of anything: a message that appears to come from a trusted colleague or service can still be spoofed, and any link in it may lead to a credential-harvesting page or to malware.
Despite the overall craftiness of this latest campaign, Microsoft have published some signs to look out for. The original sender addresses use variations of the word "referral" and a range of top-level domains, including the domain com[.]com, which is popular with phishing campaigns for spoofing. Other clues to the campaign's malicious intent are found in the URLs that lead potential victims to the page where their credentials are harvested.
Attackers use two URLs with malformed HTTP headers. The primary phishing URL is a Google storage resource that directs users to a domain requiring a sign-in, "before finally serving another Google User Content domain with an Office 365 phishing page." The second URL is found within the notification settings and leads to a compromised SharePoint site "that the attackers use to add legitimacy to the attack," according to Microsoft. Both URLs require the potential victim to sign in before moving on to the final page.
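To make the indicators above concrete, here is an added example (not code from Neuways or Microsoft) that triages a raw email for them: a display name that claims to be SharePoint while the real sender domain is not Microsoft's, a display name that embeds the recipient's own address, a "referral" local part, the com[.]com domain, and the shared-folder access-request lure in the body. The allowlist of genuine SharePoint sender domains, the regex for "referral" spellings, the lure phrases and both sample messages are constructed assumptions that do not come from the original article.

```python
"""Triage helper for the SharePoint-lure indicators listed above.

Added example; it is not code from Neuways or Microsoft. The legitimate
SharePoint sender domains, the regex for 'referral' variants, the lure
phrases and both sample messages are constructed assumptions.
"""
import email
import re
from email.utils import parseaddr

# Assumption: domains from which a genuine SharePoint sharing notice would come.
LEGIT_SHAREPOINT_DOMAINS = ("microsoft.com", "sharepointonline.com")

# Constructed sample resembling the campaign described above (not a real capture).
LURE_EML = """\
From: "SharePoint alice@example.co.uk" <referrals@notify.com.com>
To: alice@example.co.uk
Subject: Alice shared "Staff Reports" with you
Content-Type: text/plain; charset=utf-8

Someone has requested access to a shared folder: Staff Reports.
Review the request: http://storage.example.invalid/share
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: "Bob Smith" <bob@example.co.uk>
To: alice@example.co.uk
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Pub at one?
"""


def _domain(address):
    """Lower-cased domain part of an addr-spec ('' if there is no @)."""
    return address.rpartition("@")[2].lower()


def _is_legit_sharepoint_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SHAREPOINT_DOMAINS)


def _plain_text(msg):
    """First text/plain part of the message, decoded and lower-cased."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace").lower()
    return ""


def triage(raw_message):
    """Return a list of indicator strings found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    display_lc = display.lower()
    sender_domain = _domain(sender)
    local_part = sender.partition("@")[0].lower()
    findings = []

    # 1. Display name impersonates the service, but the address is not Microsoft's.
    if "sharepoint" in display_lc and not _is_legit_sharepoint_domain(sender_domain):
        findings.append(f"display name claims SharePoint but sender domain is {sender_domain}")

    # 2. Display name embeds the recipient's own username and domain.
    if recipient and recipient.lower() in display_lc:
        findings.append("display name embeds the recipient's own address")

    # 3. Sender address uses a 'referral' variant and/or the com[.]com domain.
    if re.search(r"referr?al", local_part):
        findings.append(f"sender local part is a 'referral' variant: {local_part}")
    if sender_domain == "com.com" or sender_domain.endswith(".com.com"):
        findings.append("sender domain is com[.]com, a domain popular with spoofing campaigns")

    # 4. Lure text: an access request to a shared folder.
    text = _plain_text(msg)
    if "requested access" in text and "shared folder" in text:
        findings.append("body carries the shared-folder access-request lure")

    return findings


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw) or ["no indicators"])
```

Run it against an exported .eml file. A single hit is a prompt to look closer rather than a verdict: a genuine sharing notice passes because its From domain is on the allowlist and its display name does not carry the recipient's own address, while the constructed lure trips all five checks.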
Neuways advises users to be wary of phishing campaigns like this one. Any suspicious-looking email your organisation receives should be reported to your MSP, who can confirm whether it is legitimate.
Further Microsoft Exchange issues discovered
Researchers have discovered that threat actors were exploiting the notorious Microsoft Exchange ProxyLogon vulnerabilities long before they were publicly disclosed. The attacks aimed to steal sensitive customer data while maintaining a persistent presence on the network.
Multiple cyber espionage campaigns, collectively dubbed "DeadRinger", have been tracked since 2017, with initial findings that the Chinese threat group SoftCell was targeting billing servers to steal call records from telecommunications companies. Two further threat groups, Naikon APT and Group-3390, have been identified that also appear to be working to compromise corporate networks.
It has been revealed that SoftCell targeted a set of Microsoft Exchange vulnerabilities collectively known as ProxyLogon long before they became publicly known. Once disclosed, these vulnerabilities spurred a frenzy of attacks earlier this year before Microsoft's mitigations and patches began to take effect.
Indeed, the threat actors used tactics similar to those exposed recently in the Hafnium zero-day attacks, which exploited ProxyLogon in Microsoft Exchange servers to gain access to targeted networks. These attacks show how many routes cyber criminals have into an organisation. As with the SolarWinds and Kaseya attacks, threat actors are compromising third-party service providers in order to attack their customers, undermining those trust relationships and causing further collateral damage.
As mentioned, while Microsoft have patched the Exchange flaws, it is concerning that the vulnerabilities were being exploited long before they were discovered and disclosed. Users are reminded to update any software or services they rely on as soon as possible, so that known vulnerabilities do not become an opening for cyber criminals to cause companies real pain. Patching alone does not evict an attacker who was already inside: where a server was exposed before the fix was applied, check it for web shells and other signs of compromise rather than assuming the update closed the door.
New Android trojan affects thousands
Researchers have uncovered a new Android trojan, dubbed FlyTrap, that has spread to more than 10,000 victims via malicious apps on third-party app stores, sideloaded apps and hijacked Facebook accounts.
FlyTrap has spread to at least 144 countries since March, via malicious apps distributed through the Google Play store and third-party app marketplaces. The malware belongs to a family of trojans that use social engineering tactics to take over Facebook accounts. The session-hijacking campaign was initially distributed via Google Play as well as third-party app stores; thankfully, Google Play has since removed the malicious apps.
They are, however, still being distributed on third-party, unsecured app stores, which highlights the risk of side-loaded applications to mobile endpoints and user data.
The nine malicious applications are themed around free Netflix codes, Google AdWords vouchers, and voting for the best football team or player. They are designed to entice and are built with high-quality graphics.
Researchers said: “Just like any user manipulation, the official-looking login screens are common tactics to have users take action that could reveal sensitive information. While the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent.”
Before the malicious apps deliver the promised goodies, targeted users are told to log in with their Facebook accounts to cast their vote or collect the coupon code or credits. There are, of course, no free Netflix or AdWords coupons or codes; the apps are simply after Facebook credentials. They make a last attempt to look legitimate by presenting a message saying that the coupon or code expired "after redemption and before spending."
After a confused Android user hands over their Facebook credentials, the apps get busy harvesting data including the Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account. Because the session cookie is captured from a genuine login, the attacker can act as the user without needing the password again. The trojan then uses the victim's account to spread further, making it look like the rightful owner is sharing legitimate posts with links to the trojan, and can also propagate propaganda or disinformation using the victim's geolocation details. These social engineering techniques are highly effective in the digitally connected world and are used often by cyber criminals to spread malware from one victim to another.
A similar campaign was SilentFade, a malware campaign linked to threat actors that targeted Facebook's ad platform for years and siphoned £2.8m from users' advertising accounts, using the compromised accounts to promote malicious ads, steal browser cookies and more. More recently, a similar password- and cookie-stealer named CopperStealer was found to have been compromising Amazon, Apple, Google and Facebook accounts since 2019, then using them for further criminal activity.
FlyTrap's command-and-control (C2) server uses the stolen login credentials to authorise access to the harvested data. Worse, zLabs found that the C2 server has a misconfiguration that could expose the entire database of stolen session cookies to anyone on the internet, further endangering the victims.
There is nothing new about credential-stealing from mobile devices; mobile endpoints are often viewed as a treasure trove of unprotected login information for social media accounts, banking applications, enterprise tools and more. FlyTrap's tools and techniques are effective enough that it would be no surprise if another malicious actor picked it up and retrofitted it.
Neuways advises users to do their research before blindly clicking open hyperlinks. This malware spreads mainly by promising vouchers, and it is this social engineering aspect that is the most concerning and dangerous. We advise users to learn how social engineering attacks work so they can be spotted earlier, and so protect themselves and their business from being hacked. Where possible, users should also enable multi-factor authentication (MFA) on all social media accounts and any other accounts with access to sensitive and private data. MFA will not stop this particular attack, because FlyTrap hijacks the session after the user has legitimately logged in, but it still adds a valuable layer against anyone who obtains the password alone. Reviewing the account's list of active sessions and logging out any you do not recognise is the step that actually cuts off a hijacked session.