Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we at Neuways highlight the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:

A set of Microsoft Exchange Server vulnerabilities is now being exploited to deploy ransomware. Microsoft itself has warned that cyber criminals are breaking into unpatched Exchange servers and installing a new ransomware strain called DearCry.

This is the latest threat to affect Exchange servers, emerging shortly after Microsoft was forced to issue emergency patches in early March for four Exchange flaws. The flaws can be chained into a pre-authentication remote code execution (RCE) exploit, allowing attackers to take over an Internet-facing server without any valid account credentials.

These flaws are believed to be the route by which the new ransomware is being installed on unpatched servers. The immediate advice is to install the March security updates as soon as possible. Note that patching closes the entry point but does not remove web shells or ransomware already placed on a compromised server, so any server that was exposed to the Internet before it was patched should also be checked for signs of compromise.

The four Microsoft Exchange vulnerabilities are known collectively as ProxyLogon and are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. After encrypting a victim's files, the ransomware drops a ransom note called 'readme.txt' containing two email addresses for the threat actors and demanding a payment of $16,000.
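The exploit chain starts with the server-side request forgery flaw (CVE-2021-26855), and Microsoft's published hunting guidance for it looks at the Exchange HttpProxy logs for unauthenticated requests whose AnchorMailbox value has been rewritten to a backend URL (an AnchorMailbox beginning with "ServerInfo~" and containing a path). The following triage script is an added example written for this article, not code from Microsoft or from the newsletter. It assumes a simplified HttpProxy log layout (a "#"-prefixed preamble followed by a CSV with a subset of the real columns), and the log rows are constructed for the example rather than taken from a real server.

```python
import csv
import glob
import os
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample in the shape of an Exchange HttpProxy log: '#' comment
# preamble, then a CSV header and rows. Only a subset of the real columns is
# included; the column names follow Microsoft's HAFNIUM hunting guidance, the
# rows themselves are made up for this example.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
DateTime,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem,HttpStatus
2021-03-03T09:12:01.001Z,10.0.0.25,CONTOSO\\alice,Sid~S-1-5-21-1111,/owa/,200
2021-03-03T09:12:09.442Z,203.0.113.7,,ServerInfo~a]@exchange.contoso.local:444/autodiscover/autodiscover.xml,/owa/auth/x.js,200
2021-03-03T09:13:40.118Z,10.0.0.31,,,/owa/auth/logon.aspx,200
2021-03-03T09:14:02.907Z,203.0.113.7,,ServerInfo~a]@exchange.contoso.local:444/ecp/DDI/DDIService.svc/SetObject,/ecp/y.js,200
"""


def iter_records(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log row, skipping the '#'-prefixed preamble lines."""
    body = [line for line in log_text.splitlines()
            if line and not line.startswith("#")]
    yield from csv.DictReader(body)


def is_ssrf_indicator(row: Dict[str, str]) -> bool:
    """True for an unauthenticated request whose AnchorMailbox names a backend
    path: a normal anonymous hit (e.g. the logon page) has an empty
    AnchorMailbox and is left alone, so the third sample row is not flagged."""
    anchor = row.get("AnchorMailbox", "") or ""
    user = row.get("AuthenticatedUser", "") or ""
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_proxylogon_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the suspicious rows from one log file's text."""
    return [row for row in iter_records(log_text) if is_ssrf_indicator(row)]


def hits_by_client_ip(log_text: str) -> Dict[str, int]:
    """Summarise suspicious rows by source address for quick triage."""
    return dict(Counter(row["ClientIpAddress"]
                        for row in find_proxylogon_hits(log_text)))


def scan_httpproxy_directory(log_dir: str) -> List[Dict[str, str]]:
    """Walk every *.log file under an HttpProxy logging directory.
    The default location on a real server is assumed to be
    %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy."""
    hits: List[Dict[str, str]] = []
    for path in glob.glob(os.path.join(log_dir, "**", "*.log"), recursive=True):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(find_proxylogon_hits(fh.read()))
    return hits


if __name__ == "__main__":
    for hit in find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
    print(hits_by_client_ip(SAMPLE_HTTPPROXY_LOG))
```

A hit here is an indicator, not proof: it shows that someone sent the request shape the SSRF stage uses, so the next steps are to check the same time window for newly written .aspx files under the Exchange web directories and to take the server offline for proper incident response rather than simply patching over it.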

DearCry is not the only malicious activity built on these flaws: at least ten different advanced persistent threat (APT) groups are thought to have exploited them against Exchange servers around the world. Targeted industries include government, military, manufacturing and banking.

If you are concerned by the Microsoft Exchange vulnerabilities, we recommend contacting your Managed Service Provider for more information and to find out whether your business has been impacted by DearCry.

With Emotet halted, the gap it left is being filled by other trojans and botnets, most notably Trickbot, which cyber criminals are increasingly using to distribute further malware.

Emotet was the world’s most prolific and dangerous malware botnet before it was taken down by an international operation in January 2021.

Emotet first emerged as a banking trojan in 2014 before growing into the much larger threat it became. Although a botnet of that kind can never be considered permanently gone, cyber criminals have taken only a matter of weeks to adapt, and Trickbot is now the most prevalent form of malware.

The two families share many features: both started as banking trojans and both act as loaders, delivering additional malware onto devices that have already been compromised. Since it was first seen in 2016, Trickbot has consistently been one of the most prolific forms of malware, thanks to its modular flexibility and its track record of success.

Businesses are advised to remain vigilant and to treat any suspicious email with caution. Email security solutions help by filtering out much of the spam, but they are not sufficient on their own.

Ensuring employees receive regular Phishing Awareness Training and can recognise the common features of a phishing email is therefore crucial to keeping a business safe. Phishing emails typically contain an unexpected link or attachment together with pressure to act urgently. Opening it leads either to a credential-harvesting page that asks for login details or to the installation of malware that can exfiltrate data from the company network.

Google

Google is rushing out a fix for a Chrome browser vulnerability that is under active attack, the third Chrome zero-day of the year so far. If exploited, the flaw could allow remote code execution in the browser or crash it outright (a denial of service).

The vulnerability is in Blink, Chrome's rendering engine, and is tracked as CVE-2021-21193 with a high severity rating. It is a use-after-free bug, a class of memory-safety error in which a programme frees a block of dynamic memory but keeps using a pointer to it. If an attacker can arrange for the freed block to be reallocated with content they control, which for a browser engine typically means crafted JavaScript or HTML on a web page, the stale pointer now refers to attacker-controlled data, which is how such bugs are turned into code execution.

In the worst case the flaw lets a remote attacker execute arbitrary code in the browser process; at minimum it can crash the browser, causing a denial-of-service condition. Google has withheld further details until most users have updated, so as not to hand cyber criminals extra information about the weak spot while the fix is rolled out.

In many cases Chrome will update to the newest version automatically, but only after a relaunch. To be sure you have received the update, follow the steps below:

  • Go to chrome://settings/help by opening the three-dot menu in the top-right corner of the window and choosing Settings > About Chrome.
  • If an update is available, Chrome will notify you and start the download.
  • Relaunch the browser to complete the update, then check the version shown on the same page: the fix for CVE-2021-21193 shipped in Chrome 89.0.4389.90, so the version should be that number or later.

A previously unseen malware dropper, Clast82, has been allowing cyber criminals to steal data remotely from Android phones. It spread via nine malicious apps on the Google Play store and installs the AlienBot and MRAT malware on victims' devices.

The dropper is part of a wider cyber crime campaign that attempts to steal victims' financial information and can lead to full takeover of the phone.

Clast82 hides inside otherwise functional applications and does not fetch its payload while the app is being evaluated by Google Play Protect, the store's vetting process. Once the app has been approved, the operators switch an 'enable' flag in a Google Firebase configuration that the app reads at runtime, and only then does the dropper download and install AlienBot or MRAT. This is why the apps passed review: the malicious behaviour simply was not present while they were being checked.

AlienBot is sold under the malware-as-a-service (MaaS) model and lets a remote attacker inject malicious code into legitimate financial applications on the device. MRAT is primarily a reconnaissance and information-gathering tool; among its many capabilities it can evade antivirus checks and delete apps and files. By stealing account credentials and intercepting Multi-Factor Authentication (MFA) codes, the attacker can gain access to victims' accounts and take control of the device.

Google has confirmed that all apps affected by Clast82 have been removed from the Google Play Store. Anyone who already has the apps installed remains at risk, though, and should uninstall them as soon as possible. The affected apps include:

  • BeatPlayer
  • Cake VPN
  • Two versions of eVPN
  • Music Player
  • Pacific VPN
  • QR/Barcode Scanner MAX
  • QRecorder
  • tooltipnattorlibrary

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.