Neu Cyber Threats – 19th August 2021
New tool introduced to increase spam detection
Malicious emails and cyber crime have cost organisations over £5 million in the last 13 months alone. Now, though, the National Cyber Security Centre (NCSC) are offering their support, through the option of a single-click button that allows anyone to report dodgy communications directly to them.
Phishing email campaigns are rampant nowadays. Unfortunately the cyber criminals operating the scams are not holding back: the number of ransomware attacks so far in 2021 has already exceeded the total for the whole of 2020.
While the general public could already forward malicious emails to the NCSC’s Suspicious Email Reporting Service (SERS), it is hoped that simplifying the reporting process to a single click of a button will encourage more widespread use.
Read more on the latest Neuways blog, here.
Q2 ransomware trends reveal a focus on video phishing lures
The second quarter saw a rise in entertainment-based fraud and phishing lures, including one campaign capitalising on the interest around the TV special, “Friends: The Reunion”. Researchers found fake sites purporting to host video for the much-anticipated special episode of the popular sitcom, although those who tried to watch or download the episode were redirected to a Columbia Pictures splash screen. After a few seconds, the broadcast stopped and was replaced by a request to pay a nominal fee.
Variations of this type of scam cropped up in late April, too, timed around the Academy Awards, as Oscar-nominated movies were advertised on fake websites offering “free viewings”. However, after payment of the ‘subscription’ the screening did not resume, and the cyber criminals instead walked away with a new set of bank account details to take advantage of.
Q2 also saw the return of cloud phishing lures, researchers found, likely driven by the continuation of remote working throughout the COVID-19 pandemic. For instance, when targeting corporate accounts, scammers imitated mailings from popular cloud services. A spoofed notification about a Microsoft Teams meeting or a request to view an important document was found to take the victim to a phishing login page asking for corporate account credentials.
Some of the malicious schemes were aimed at stealing funds or installing malware, proving that cyber criminals were not just looking to take over user accounts, but make some quick money, too. Some were spoofed comments added to a document stored in the cloud. Another email threatened legal action, and asked the target to “review documents” about the issue. Clicking on the link, however, eventually led to the download of a backdoor loader.
Other lures in circulation included offers of financial pandemic assistance sent in the name of government agencies, notices of unexpected parcels requiring payment by the recipient, notifications about being the lucky winner of a tidy sum and romance-themed efforts.
Additionally, researchers found that after a prolonged decline, the share of spam in global mail traffic began to grow again, making up 47% of the volume.
Researchers said: “In Q2, as expected, cyber criminals continued to hunt for corporate account credentials and exploit the COVID-19 pandemic. As for Q3 forecasts, the share of cyber attacks on the corporate sector is likely to stay the same. This is because remote working is now well established among businesses. Also, the COVID-19 topic is unlikely to disappear from spam. If the current crop of vaccination and compensation scams weren’t enough, fraudsters could start utilising newly identified variants of the virus to add variety to their schemes.”
Neuways, as ever, advises businesses to ensure their employees are well aware of the latest scams. This very bulletin updates you each and every week on the goings-on in the cyber crime world – please share it among colleagues, to point out particular threats that could affect anyone within your business. Alternatively, to sign up to receive the email every Thursday in your inbox, click here.
Cyber criminals using “call centres” to spread ransomware
Unsuspecting users of Office 365 are being tricked by a cyber criminal gang into calling a fake call centre, with the eventual intention of installing ransomware onto their computers. Microsoft has warned that fraudulent emails are being sent out, which are attempting to trick users into calling a phone number operated by the cyber crime group.
Examples shared by Microsoft include emails that pose as coming from a photo editing service or recipe website. Various social engineering lures are used to encourage unsuspecting users to call, including claims that a subscription is expiring and that an individual’s credit card will soon be automatically charged. On some occasions the emails do not say that a trial is about to expire, but instead claim to be confirmation that a software licence has been purchased.
The important thing to recognise is that the emails do not have an attachment, and do not have a link for the user to click on, as is often typical with these types of phishing scams. Instead, they offer a phone number for recipients to call if they wish to make a query. Users who’ve been trained to be wary of unsolicited links and email attachments may believe that calling a phone number is safe – after all, what’s the worst that can happen?
However, this is the start of yet another scam. If you do call the number, you are indeed put through to a human-operated call centre for a website, but the organisation is not a legitimate one: it is the cyber criminals behind BazaCall. As researchers have warned, the call centre agent tells the caller to visit the account page of the website and download a macro-enabled Excel spreadsheet in order to cancel the subscription.
Microsoft also thinks that the call centre agents may even talk the intended victim through ignoring any warnings displayed by their security software as the spreadsheet is downloaded, to ensure that the malicious code is accepted, downloaded and run. People are much more likely to do something dangerous to their computer’s health when told to by another human than by a computer, it seems.
Once opened, the Excel spreadsheet claims to be protected and tells users to “Enable Content” in order to view its contents. This is a fairly typical social engineering trick used by malicious hackers to get users to circumvent the security features built into Office products. The eventual aim is for the macro code hidden within the Excel spreadsheet to download the BazaLoader malware from the internet, creating an opening through which an attacker can control the user’s PC and enter corporate networks.
Often the intention is to steal information from the compromised PC, but the remote access the cyber criminals gain can also be used to deploy ransomware. Microsoft’s experts say that the planting of ransomware has made BazaCall more dangerous than previously considered, and note that they have seen attackers exfiltrating data or installing ransomware within 48 hours of initial contact with an unsuspecting user: “Apart from having backdoor capabilities, the BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control of an affected user’s device, which allows for a fast network compromise. In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.”
Neuways advises users to be wary of not only emails urging you to click a hyperlink or download an attachment, but now emails that urge you to call a telephone number. Cyber criminals are clearly continuing to develop the methods they use to attack businesses, so it is important to ensure we are all on our toes when receiving any kind of communication.
Yet another Microsoft Print Spooler flaw taken advantage of
Just one day after releasing its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the PrintNightmare umbrella.
The news comes amid plenty of PrintNightmare exploitation. Researchers warned that the operators of the Magniber ransomware quickly weaponised CVE-2021-34527 to attack users, with attacks dating back to July 13. And the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim’s network as part of a recent ransomware attack.
It’s likely that the Windows Print Spooler code has changed very little in the past few decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. The fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it’s rated as “important.” Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required. A remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations – an attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This would allow them to install programmes; view, change or delete data; or create new accounts with full user rights.
While Microsoft requires that printers installed via Point and Print are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors. So far, Microsoft hasn’t seen any attacks in the wild using the bug, but it noted that exploitation is “more likely.”
As mentioned, there’s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service. Neuways advises users of Print Spooler to keep a close watch and ensure that any patch issued is downloaded and applied with immediate effect, to avoid any further fallout from this long-standing issue.
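The workaround described above, as an added example that is not part of the original bulletin and is not Microsoft’s own guidance: it checks whether a machine shares any printers before stopping and disabling the Spooler, so that a print server is not silently broken, and confirms the change afterwards. It assumes an elevated PowerShell session on a Windows host with the PrintManagement module available.

```powershell
# Added example: apply the Print Spooler workaround on a workstation.
# Assumes an elevated session; a host that shares printers is left alone,
# because a print server needs the Spooler and should be patched instead.
$svc = Get-Service -Name Spooler -ErrorAction Stop

# Any shared printer queue means this box acts as a print server.
$shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if ($shared) {
    Write-Warning ("Shared printers present ({0}); leaving Spooler running." -f ($shared.Name -join ', '))
    return
}

Write-Host "Spooler before: status=$($svc.Status), startup=$($svc.StartType)"

# Stop the running service, then prevent it from starting at boot.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled

# Verify that both changes took effect before reporting success.
$after = Get-Service -Name Spooler
Write-Host "Spooler after:  status=$($after.Status), startup=$($after.StartType)"
if ($after.Status -eq 'Stopped' -and $after.StartType -eq 'Disabled') {
    Write-Host 'Workaround applied. To revert once a patch is installed:'
    Write-Host '  Set-Service -Name Spooler -StartupType Automatic; Start-Service -Name Spooler'
} else {
    Write-Warning 'Spooler is not stopped and disabled; check for policy overrides.'
}
```

Local printing stops working while the service is disabled, so record which hosts the workaround was applied to and revert it once the patch is rolled out.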