Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:

Microsoft issues updates for Exchange software

Microsoft has released security updates for its Exchange on-premises email server software. The updates address flaws in Exchange Server 2013, 2016 and 2019, the on-premises versions of Exchange that were compromised earlier this year by the cyber crime group Hafnium.

Four vulnerabilities in on-premises Exchange Server were exploited in that earlier campaign, and Microsoft has now warned that a further, newly patched flaw, tracked as CVE-2021-42321, is also under attack.

Microsoft said: “The Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment. These vulnerabilities affect on-premises Microsoft Exchange Servers, including those used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.”

Post-authentication vulnerabilities are dangerous because the attacker only needs a valid session: legitimate but stolen credentials are enough. They also sidestep two-factor authentication, because the exploit runs after the user (or an attacker holding that user’s credentials) has already completed the second factor.

In the earlier Hafnium campaign, the attackers reached Exchange Servers through those four bugs or with stolen credentials, and used that access to plant web shells: small scripts dropped onto the server that give the attacker remote command execution over HTTP. Web shells are handy for attackers because installing a patch does not remove them; they have to be found and removed manually.

Attackers generally go after administrative credentials to run malware, but they also look for connections that are not protected by a VPN, or attack the VPN itself. Microsoft provides detailed update instructions that Exchange admins should follow. The first step is getting each server onto a supported cumulative update (CU) for Exchange Server 2013, 2016 or 2019, because the security update (SU) only installs on top of one of those CUs.

Microsoft has warned that admins must be on a supported CU: it will not provide updates for unsupported CUs, and November’s security updates will not install on them. For this release that means Exchange 2013 CU23, Exchange 2016 CU21 or CU22, and Exchange 2019 CU10 or CU11. Microsoft also confirmed that multi-factor authentication (MFA) will not necessarily protect against attackers exploiting the new Exchange flaw, particularly if an account has already been compromised.

“If authorisation is successful (MFA or not) then CVE-2021-42321 could be exploitable. But indeed, MFA can make authentication harder to get through, so it can help. But let’s say there is an account with MFA that has been compromised; in that case it would make no difference,” Microsoft added.

To check for signs of exploitation, Microsoft recommends running the following PowerShell query on each Exchange server. It looks for the failed-deserialisation errors that exploitation attempts leave in the Application event log (a hit is a reason to investigate, not proof of compromise):

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
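The query above uses Get-EventLog, which exists only in Windows PowerShell (the Exchange Management Shell is fine) and reads the whole Application log before filtering. The script below is an added example written for this newsletter, not Microsoft’s own tooling: it runs the same check through Get-WinEvent with a server-side filter, records the installed ExSetup.exe file version so you can compare it with Microsoft’s published build list, and sweeps the Exchange web roots for recently written script files, since web shells survive patching. The $Days window, the report path and the list of web roots are assumptions; adjust them for your deployment.

```powershell
# Added example for this newsletter (not Microsoft's script). Run it from the Exchange
# Management Shell on each on-premises Exchange server, as an account that can read the
# Application log. $Days, $ReportPath and $webRoots are assumptions: change them to suit.
param(
    [int]$Days = 30,
    [string]$ReportPath = "$env:TEMP\Exchange-Deserialize-Events.csv"
)

$since    = (Get-Date).AddDays(-$Days)
$findings = @()

# 1. Which Exchange build is installed? The SU changes the ExSetup.exe file version
#    (AdminDisplayVersion only reflects the CU), so this is the number to compare with
#    Microsoft's "Exchange Server build numbers and release dates" page.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    Write-Host ("ExSetup.exe version on {0}: {1}" -f $env:COMPUTERNAME, $exsetup.FileVersionInfo.FileVersion)
} else {
    Write-Warning "ExSetup.exe not found in PATH; run this from the Exchange Management Shell."
}

# 2. Microsoft's recommended check, filtered by the event log service instead of
#    pulling every Application event into memory first. Level 2 = Error.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchange Common'
    Level        = 2
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' }

foreach ($e in $events) {
    $findings += [pscustomobject]@{
        Type   = 'DeserializeError'
        Time   = $e.TimeCreated
        Path   = ''
        Detail = ($e.Message -split "`r?`n")[0]   # first line is enough for triage
    }
}

# 3. Web shells survive patching, so sweep the web roots for script files written inside
#    the window. These are the directories the earlier Exchange attacks dropped .aspx
#    shells into; add any custom virtual directories your deployment uses (assumption).
$webRoots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:ExchangeInstallPath 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

foreach ($root in $webRoots) {
    $recent = Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since }
    foreach ($f in $recent) {
        $findings += [pscustomobject]@{
            Type   = 'RecentWebScript'
            Time   = $f.LastWriteTime
            Path   = $f.FullName
            Detail = ('{0} bytes' -f $f.Length)
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No deserialization errors or recently written web scripts since $since on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Warning ("{0} finding(s) written to {1}. Treat each as a lead to investigate, not as proof of compromise." -f $findings.Count, $ReportPath)
}
```

Run it on every on-premises server, including those in hybrid mode. A CU or SU install rewrites files under the web roots, so expect legitimate .aspx files to appear in the sweep immediately after patching; compare any flagged file against the same path on a known-good server before deleting it, and keep a copy for investigation.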

Contact your Managed Service Provider if you are unsure whether your business is affected.

Office 365 attacks bombard users

A surge in spear phishing emails designed to steal Office 365 credentials included many messages crafted to look as though they came from major brands. According to researchers, two phishing kits are being used by multiple threat actors to send fake fax notifications.

“The phishing e-mails usually arrive in the form of ‘fax notifications’, luring users to fake websites in order to collect credentials for Microsoft’s online services,” said researchers. One phishing campaign tracked by researchers abused Amazon Simple Email Service (SES), a service designed to let developers send email from their applications. The campaign, identified by Kaspersky researchers, relied on a stolen SES token, since revoked, that a third-party contractor had used while testing the website 2050.earth.

The 2050.earth site is a Kaspersky project featuring an interactive map of what futurologists predict the future impact of technology on the planet will be. The stolen SES token is tied to Kaspersky because the 2050.earth site is hosted on Amazon infrastructure.

“These emails have various sender addresses, including noreply@sm.kaspersky.com. They are sent from multiple websites, including Amazon Web Services infrastructure,” Kaspersky said. The company added that the stolen SES token was abused in a limited capacity relative to an otherwise large-scale campaign abusing multiple brands.

The company said the SES token was revoked as soon as the theft and abuse were identified, and that the theft caused no damage. Phishing is a common way for cyber criminals to use socially engineered emails to dupe people into giving up the credentials to online accounts that hold sensitive data. The emails direct people to specially crafted phishing sites where they enter their credentials, all while believing they are doing so for a legitimate reason.

Office 365 credentials are a common target for phishing attacks. In March, for example, a phishing scam targeted executives in the insurance and financial services industries with the aim of harvesting their Microsoft 365 credentials and launching business email compromise (BEC) attacks. The cyber criminals abusing the Amazon SES token gave their “fax notifications” a legitimate look because the messages identified the sender as “sm.kaspersky.com” and left a genuine sending service. Checks that only look at the sender address or sending infrastructure are therefore of limited use against this campaign; the link destination and the request to log in are the better tells.

With phishing campaigns such as this one so commonplace, it is critical that businesses stay wise to the communications they receive. By investing in Phishing Awareness Training, you can help your employees learn how to spot and avoid phishing campaigns before irreversible damage is done. The training Neuways provides gives employees real-life phishing examples, along with the telling signs of a phishing email, giving staff a far better chance of avoiding the many thousands of campaigns issued every day.

Contact Neuways to explore the possibility of Phishing Awareness Training, by emailing hello@neuways.com.

Record number of cyber incidents in UK during 2020

The number of cyber incidents dealt with by the UK’s National Cyber Security Centre (NCSC) hit a record 777 over the last year. While 20% of these attacks focused on healthcare, targeting hospitals and related organisations, many of the incidents saw businesses of all shapes and sizes across a variety of industries singled out by cyber criminals.

However, there could be a simple solution for affected businesses: cyber resilience. Learn more about this situation by reading our cyber resilience blog.


Scammers targeting users with vaccination lures

With the COVID-19 response currently focused on vaccinating populations, cyber criminals are taking the opportunity to steal personal information, with over a fifth of UK residents being targeted.

Initially the lures were PPE scams, then the vaccine itself; now the vast majority of scams use the requirement to prove vaccination status to create a sense of urgency and push potential victims into acting. New findings from researchers claim that 22% of UK residents have received an email claiming to be from the National Health Service (NHS), telling the recipient they must click a link to request and download their COVID-19 vaccination passport or certificate. An example can be seen below.

[Image: example of the fake NHS vaccination passport email]

The scam really comes into play when the recipient is asked to prove who they are by providing personal details, banking information and even a credit card number. Using a realistic-looking website, the scammers swipe all of the victim’s data, which can then be used for their own financial benefit or to commit further scams and fraud.

This is a variation of copycat attacks happening all around the world, with 35% of US residents having received a similarly themed email this year. The details provided by victims give cyber criminals the information they need to potentially attack the victims’ employers, too.

Social engineering could then be used to send further phishing campaigns to the contacts of the initial victim, extending the impact of that first successful attack. This could lead to other user endpoints becoming infected and acting as launch points for ransomware, BEC and data theft attacks.

This is just one in a long list of timely phishing attacks designed to play on the recipient’s emotions. People want to stay socially active in the current climate, and by tricking the public into thinking they are signing up for an “official” NHS Digital Passport that will let them travel or take part in social activities, the scammers are instead signing victims up for financial pain.

As we have mentioned, Phishing Awareness Training helps users avoid attacks like these. Common signs of a phishing email range from poor spelling and grammar to stretched images and bogus sender addresses. Most importantly, if an email urges you to act, such as clicking a hyperlink or opening a document, and you are not 100% certain of its origin, then it is more than likely a scam.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.