Neu Cyber Threats – 18th March 2021
With Emotet halted, the gap it left is being filled by plenty of other trojans and botnets, most notably Trickbot, which a growing number of cyber criminals are now using to distribute their malware.
Emotet was the world’s most prolific and dangerous malware botnet before it was taken down by an international operation in January 2021.
Emotet first emerged as a banking trojan in 2014 before growing into the far larger threat it became, and a threat of that kind can never truly be eliminated. It has taken cyber criminals only a matter of weeks to adapt, and Trickbot is now the most prevalent form of malware.
The two malware families share many features: both act as loaders, delivering additional malware onto devices they have already compromised. Trickbot, first seen in 2016, has long been one of the most prolific forms of malware, thanks to its flexibility and its track record of success.
Businesses are advised to remain cyber safe and to continue treating any suspicious email with caution. Email security solutions help, as they filter out much of the spam before it reaches an inbox.
However, regular Phishing Awareness Training, so that employees recognise the common features of a phishing email, is crucial to keeping a business safe. Phishing emails typically carry an unexpected link or attachment that the recipient is urged to click or open immediately. This then leads to some form of theft, whether by harvesting login details on a fake sign-in page or by installing malware that can exfiltrate data from the company network.
Google has rushed out a fix for a Chrome browser vulnerability that is under active attack, the third Chrome zero-day of the year so far. If exploited, the flaw could allow remote code execution or denial of service on affected systems.
The vulnerability sits in Blink, Chrome's rendering engine. The flaw (CVE-2021-21193) ranks high on the CVSS scale, making it high-severity. It is a use-after-free bug, a class of error in how a program handles dynamically allocated memory: the program frees a block of memory but keeps a pointer to it, and if that stale pointer is not cleared and is used later, it now refers to memory the allocator may already have handed to someone else. An attacker who can arrange for attacker-controlled data to land in the reused block can corrupt the program's state and, in a browser engine, turn that into code execution. The fix ships in Chrome 89.0.4389.90.
- Go to chrome://settings/help, or click the three-dot menu in the top-right corner of the screen and choose Settings > About Chrome.
- If an update is available, Chrome notifies you and starts the download automatically.
- Relaunch the browser to complete the update, then confirm the version shown on that page is 89.0.4389.90 or later.
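A minimal illustration of the use-after-free class described above. This is an added example, not code from Chrome or Blink: a toy single-slot allocator (constructed for this example) stands in for the browser heap so that a freed block is handed straight back to the next caller, the names `struct widget`, `legit_handler`, `attacker_handler` and `toy_alloc` are hypothetical, and the program contrasts the dangling-pointer use with the same flow after the pointer is cleared on free.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy single-slot heap (constructed for this example): every allocation of
 * up to SLOT_SIZE bytes is served from one fixed, suitably aligned slot, so
 * a block that is freed goes straight to the next caller. This reproduces
 * the allocator reuse a real UAF exploit arranges on a real heap, without
 * relying on undefined behaviour from libc's malloc. */
#define SLOT_SIZE 64
static union {
    unsigned char bytes[SLOT_SIZE];
    void *align_ptr;      /* force pointer alignment for the slot */
    long long align_ll;
} g_slot;
static int g_slot_in_use = 0;

static void *toy_alloc(size_t n)
{
    if (n > SLOT_SIZE || g_slot_in_use)
        return NULL;
    g_slot_in_use = 1;
    memset(g_slot.bytes, 0, SLOT_SIZE);
    return g_slot.bytes;
}

static void toy_free(void *p)
{
    if (p == (void *)g_slot.bytes)
        g_slot_in_use = 0;
}

/* Object with a function pointer in it: the classic use-after-free target,
 * because hijacking that pointer gives control of execution. */
typedef int (*handler_fn)(void);
struct widget {
    handler_fn on_click;
    char name[32];
};

static int legit_handler(void)    { return 1; }
static int attacker_handler(void) { return 1337; }

/* What an attacker does once the slot is free: allocate a chunk of the same
 * size so it lands in the same memory, and write a chosen pointer at the
 * offset where widget.on_click used to live. */
static void attacker_reclaims_slot(void)
{
    unsigned char *chunk = toy_alloc(sizeof(struct widget));
    handler_fn h = attacker_handler;
    if (chunk)
        memcpy(chunk + offsetof(struct widget, on_click), &h, sizeof h);
}

/* Vulnerable pattern: free the widget, keep the stale pointer, use it later. */
int vulnerable_flow(void)
{
    struct widget *w = toy_alloc(sizeof *w);
    if (!w) return -1;
    w->on_click = legit_handler;
    strcpy(w->name, "button");

    toy_free(w);                /* memory released, but w still points at it */
    attacker_reclaims_slot();   /* the same bytes now hold attacker-chosen data */

    int result = w->on_click(); /* dangling pointer dispatches to the attacker */
    toy_free(g_slot.bytes);     /* tidy up so the next flow starts clean */
    return result;              /* 1337: control flow hijacked */
}

/* Hardened pattern: free through a helper that also clears the caller's
 * pointer, and refuse to use a cleared pointer. */
static void widget_free(struct widget **wp)
{
    toy_free(*wp);
    *wp = NULL;
}

int hardened_flow(void)
{
    struct widget *w = toy_alloc(sizeof *w);
    if (!w) return -1;
    w->on_click = legit_handler;
    strcpy(w->name, "button");

    widget_free(&w);            /* w is now NULL, not dangling */
    attacker_reclaims_slot();   /* attacker reclaims the slot just the same... */

    int result = w ? w->on_click() : 0; /* ...but the stale use is refused */
    toy_free(g_slot.bytes);
    return result;              /* 0: nothing to hijack */
}

int main(void)
{
    printf("vulnerable flow returned %d (attacker handler ran)\n", vulnerable_flow());
    printf("hardened flow returned %d (stale use refused)\n", hardened_flow());
    return 0;
}
```

Compile with `cc -std=c11 -Wall uaf.c && ./uaf`. Clearing the pointer closes only this one path; a real engine has many aliases to the same object, which is why browser fixes address the ownership bug itself, and why the practical response for users is simply to apply the update above.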
A never-before-seen malware dropper, Clast82, has been allowing cyber criminals to remotely steal data from Android phones. It spread via nine malicious apps on the Google Play store, installing the AlienBot and MRAT malware onto victims' devices.
The dropper is part of a wider cyber crime campaign to steal victims' financial information, which can lead to an eventual takeover of the phone.
Clast82 hid inside the applications and did not fetch its malicious payload until after the apps had passed Google Play Protect, the store's evaluation process. Once past review, the order was sent via Google Firebase by flipping an 'enable' flag, which instructs the dropper to activate and pull down the AlienBot trojan or MRAT.
AlienBot is sold under the malware-as-a-service (MaaS) model and lets a remote attacker inject malicious code into legitimate financial applications. MRAT, a mobile remote access trojan, is used primarily for reconnaissance and information gathering; among its many capabilities it can evade antivirus checks and delete apps and files. By stealing account credentials and Multi-Factor Authentication (MFA) codes, the attacker can gain access to victims' accounts and take control of the device.
Google has confirmed that all apps affected by Clast82 have been removed from the Google Play Store. Anyone who already has the apps installed remains at risk, though, and must uninstall them as soon as possible. The affected apps include:
In news that will surprise nobody, the Dark Web is booming. With ransomware attacks having risen through 2020, cyber criminals are turning to underground marketplaces not only to sell the account credentials and data they have stolen, but also the malware they use to carry out the attacks.
The result is a large increase in the volume of data for sale on underground forums, while prices have held steady, so criminals continue to make large sums from Dark Web sales. That is bad news for businesses, as it can only inspire more would-be cyber criminals to try for a slice of the money by carrying out attacks of their own.
Fake IDs and credit card details often sell for figures in the thousands, while Uber accounts and confidential company data continue to sell strongly, too.
Social media credentials, by contrast, have lost value over the last twelve months as MFA adoption has grown, pushing cyber criminals towards time-consuming social engineering instead. Physical counterfeit documents remain very valuable, followed by document scans and even counterfeit money, which is popular on these Dark Web marketplaces.
Cyber criminals also appear to be collecting higher ransom payments, resulting in a double payday for many of the perpetrators.
Neuways advise business end users to remain vigilant online. By practising strong password hygiene and being wary of malware-laden messages, employees reduce the success rate of these attacks. MFA is an important layer in any business's cyber security defences: it makes it substantially harder for cyber criminals to profit from stolen credentials.
Users should also understand the value of the personal and company data they work with. If you reuse the same password across several business accounts and one of them is breached, the resulting damage could prove financially rewarding for the criminal and cause disruptive, costly downtime for the business.