Neu Cyber Threats – 14th January 2021
Email security provider Mimecast has seen some of its connections hacked, allowing cyber criminals to spy on users. A Mimecast-issued certificate, used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services, has been compromised by a sophisticated threat actor.
The affected service lets customers link their Microsoft 365 account to Mimecast by establishing a connection to Mimecast’s servers. The certificate is used to verify and authenticate these connections for three products: Sync and Recover, which manages backups of calendars, inbox folders and contacts from Microsoft 365 mailboxes; Continuity Monitor, which looks for interruptions in email traffic; and Internal Email Protect (IEP), which inspects internal emails for malicious attachments, links or content.
The compromise means that cyber criminals could take over the connection and, in turn, read inbound and outbound email communications, and potentially infiltrate customers’ Microsoft 365 Exchange Web Services and steal information.
If you hold an account with Mimecast and are worried about being compromised, please contact your Managed Service Provider for more information.
Users of the Chrome, Firefox and Edge browsers have been urged to patch critical vulnerabilities that hackers are exploiting to take over user systems. The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug in Chromium, Google’s browser engine, which is used in both Google Chrome and the latest version of Microsoft’s Edge browser.
The Firefox vulnerability is classified as a use-after-free (UAF) bug linked to the way the browser handles its cookies. If exploited, hackers can gain access to the computer, phone or tablet running the browser. The affected Firefox versions are those released prior to the recently released Firefox desktop 84.0.2, Firefox for Android 84.1.3 and Mozilla’s corporate ESR 78.6.1 version of Firefox.
A use-after-free vulnerability relates to the incorrect use of dynamic memory during a programme’s operation. If, after freeing a memory location, a programme does not clear the pointer to that memory, the stale (dangling) pointer can later be used to read or write memory the allocator has already reassigned, and an attacker can exploit that error to compromise the software.
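The following C snippet is an added illustration of the bug class described above, not code from Firefox or any other browser: `cookie_t` is a constructed stand-in for a per-cookie object, and the function names are hypothetical. It contrasts a free that leaves the pointer dangling with the hardened pattern of clearing the owning pointer immediately after the free, so a stale use fails a NULL check instead of silently touching recycled memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an object a browser might keep per cookie;
 * not Firefox's real data structure. */
typedef struct {
    char name[32];
    int  value;
} cookie_t;

/* The bug pattern described above: the block is freed but the owning
 * pointer keeps the old address (a "dangling" pointer). Any later
 * read or write through it touches memory the allocator may already
 * have handed to other code, which is what makes the bug exploitable. */
int dangling_free_keeps_address(void) {
    cookie_t *c = calloc(1, sizeof *c);
    if (c == NULL) return -1;
    free(c);
    /* Deliberately NOT dereferencing c here: that would be the UAF.
     * We only observe that the stale address survives the free. */
    return c != NULL;           /* 1: pointer still looks "live" */
}

/* Hardened pattern: free and immediately clear the owning pointer, so a
 * stale use becomes a NULL check (or at worst a NULL-dereference crash)
 * instead of a silent access to recycled memory. */
static void free_and_clear(cookie_t **slot) {
    free(*slot);
    *slot = NULL;
}

/* Reads the cookie's value; returns 0 if the slot no longer owns one. */
static int read_cookie(const cookie_t *c, int *out) {
    if (c == NULL) return 0;
    *out = c->value;
    return 1;
}

/* Returns 0 when the hardened path correctly refuses to read a freed
 * cookie, 1 if it (wrongly) read something, -1 on allocation failure. */
int hardened_read_after_free(void) {
    cookie_t *c = calloc(1, sizeof *c);
    if (c == NULL) return -1;
    strncpy(c->name, "session", sizeof c->name - 1);
    c->value = 42;
    free_and_clear(&c);
    int v = 0;
    return read_cookie(c, &v);  /* c is NULL now, so this returns 0 */
}
```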
Windows, macOS and Linux users of Google’s Chrome browser must also patch an out-of-bounds write bug (CVE-2020-15995) impacting the current (87.0.4280.141) version of the software. Microsoft also urged its users to update to the latest, 87.0.664.75, version of its Edge browser. Both Google and Microsoft have classified the vulnerability as severe.
If you are using any of the affected browsers, it’s important that automatic updates are switched on. That way, as soon as Google, Mozilla or Microsoft issues a fix for their respective browsers, your version will be up to date and less likely to expose your system to an attack from a cyber criminal who is aware of the browsers’ current vulnerabilities.
There are now over 150 businesses worldwide that have encountered disruption from the Egregor ransomware strain. The ransomware has caught the attention of the FBI, with the agency reporting further damage caused by Egregor, as it continues to hit businesses in a variety of different industries across the private sector.
A PDF has been issued to shed new light on the malware, as well as identifying its key signs. It has been confirmed that Egregor is operated by a large number of actors.
Egregor compromises networks in many different ways, including targeting employees’ personal accounts that share access with business networks or devices. This is particularly prominent since many workforces have shifted to working from home due to the COVID-19 pandemic. It primarily spreads via phishing emails with malicious attachments, or via exploits that allow takeovers through remote desktop protocol (RDP).
Once access is gained, threat actors move laterally inside networks by escalating their network privileges. Egregor also exhibits typical ransomware activity, such as exfiltrating and encrypting files on the network and leaving ransom notes on machines instructing victims to communicate with the hackers via an online chat. It should be noted, though, that paying the ransom does not guarantee a victim’s files will be recovered.
Neuways continues to urge businesses to ensure their Business Continuity and Disaster Recovery plans are up to date, so that if you are the recipient of a ransomware attack, you’re able to get back on your feet with as little costly downtime as possible. By making regular backups of your business’ systems and holding secure backups off-site, you’re setting yourself up for a successful recovery from any kind of ransomware attack.
Babuk Locker is yet another brand-new form of ransomware that is causing issues for businesses across the world. This particular form of ransomware encrypts user data and disrupts a business’ operations. It is Babuk Locker’s encryption mechanisms and its ability to take over Windows Restart Manager that set it apart from its counterparts.
One of the companies that has been hit by the ransomware has been forced to pay a £62,000 ransom. The ransomware is delivered as a 32-bit .EXE file, although it is not yet clear how it is spread to victims. Typically, ransomware is spread via email phishing techniques, which usually require some action from the recipient, whether that be clicking a link, downloading an attachment or entering personal data.
Babuk attempts to delete shadow copies before and after it encrypts a business’ files. Shadow copies are a Microsoft Windows feature often used to keep backup copies of a range of files. This is also where Babuk interferes with Microsoft’s Windows Restart Manager feature. When used legitimately, the feature enables users to shut down and restart all applications and services with ease. The ransomware uses it to terminate any process that is using files, which ensures that nothing will prevent the malware from opening and encrypting whatever files it chooses.
Once a system’s files have been encrypted, the Babuk ransom note tells victims their computers and servers are encrypted, and demands that the victim contact the attackers using a Tor browser to arrange payment. While it is not certain how Babuk is spread, please ensure your colleagues are aware of phishing emails. Employees are often one of the first gatekeepers cyber criminals have to get past. While scams are getting more complex, a business should ensure its employees receive regular phishing awareness training, as this will, over time, help keep critical files and systems safe.
A brand-new tool has been made available for free to enable victims of the DarkSide ransomware strain to recover their encrypted files, all without having to pay the usual ransom fee. While cyber criminals claim to have made millions of pounds from infecting users’ systems with ransomware, the news provides hope that those who have been affected could repair some of the damage caused.
DarkSide operates as ransomware-as-a-service (RaaS) and was initially discovered on cybercrime forums in August 2020. Its operators have been making money through two main tactics. Once a system is compromised, important files are encrypted so that the victim cannot use them. Additionally, these same victims have valuable information stolen from them, putting pressure on them to pay a ransom.
Victims are regularly instructed to pay hundreds of thousands and even millions of pounds to recover their files and prevent data leaks. The tool on offer from Bitdefender scans a victim’s system for encrypted files and decrypts them for the user. It has to be executed on the local systems where the encrypted files are stored. Users are advised to create backups before beginning the process.