Neu Cyber Threats – 21st January 2021
Business’ cloud services are being actively targeted by cyber criminals. Scammers are bypassing multi-factor authentication (MFA) and breaching systems across the world. Many of the hits have found success by chance, through taking advantage of business’ bad cloud cyber hygiene and misconfigurations.
Remote working for many employees is believed to be the root of the problem, with some victims found to be using a combination of corporate laptops and personal devices to access their company’s cloud services. In one case, an organisation didn’t require remote employees to use a virtual private network (VPN) in order to access their corporate network.
Email phishing has once again been a route in for cyber criminals to do their damage to businesses. Victims are sent emails featuring malicious links, which send users a ‘secure message’, while other emails pretend to be notifications for file hosting services. Both examples take targets to a phishing page, where they’re asked to provide their account credentials – opening up their business to the cyber criminals who harvest these details.
Attackers have been successful in bypassing MFA by utilising a “pass-the-cookie” attack. Browser cookies store a user’s authentication information and allow a website to keep them signed in. The authentication information is stored in a cookie after the MFA process is complete, so a user isn’t repeatedly prompted for further MFA checks. If attackers extract the correct browser cookies, they can appear as though they are the targeted user in a separate browser session and successfully evade all MFA checks. Through phishing emails and a successful compromise of a user’s system, the cyber criminal would be able to execute code on the machine – where a simple command would allow them to extract the cookie they desire.
Neuways encourages businesses to be aware of the weaknesses and potential hacking bypasses of MFA. By practising good Phishing Awareness as a business, employees can safeguard their employers with ease. It is always advisable to review your business’ cyber-security solutions on a regular basis, especially with changing circumstances, such as the COVID-19 pandemic and the effect it has had on workers, forcing many to remote work. If you’d like to discuss your cyber-security solutions with Neuways, please call us on 01283 753333 or email at firstname.lastname@example.org.
A recently discovered Mobile Remote Access Trojan (MRAT) known as Rogue has been discovered that can take control of infected Android devices and exfiltrate user data. The trojan is the work of cyber criminals who have been selling their malicious products on underground markets for years.
The criminals first shared a mobile RAT on the Dark Web in June 2017. This MRAT could carry out data exfiltration, as well as destroy local data, and erase the operating system (OS) of a device.
As Rogue manages to compromise a mobile device and accesses all of the necessary permissions, the MRAT hides its icon from the user, ensuring that it can’t be easily removed or detected. The malware persistently asks for permissions from the user until it is granted. This leads to Rogue registering as a device administrator and threatening to erase all data if the user attempts to revoke its admin permissions, by displaying the a message that reads: “Are you sure to wipe all the data?”.
Rogue uses Google’s Firebase platform, to masquerade as a legitimate Google service, duping victims even further. Firebase services serve as a command and control (C&C) server, meaning that all commands and data exfiltration are performed within Firebase’s infrastructure. Rogue takes advantage of the functions of Google’s Firebase platform, using ‘Cloud Messaging’ to receive commands, ‘Realtime Database’ to upload data, and ‘Cloud Firestore’ to upload files – effectively using the Google service to cause havoc for businesses who it has exploited.
Neuways’ advice is to be aware of any suspicious communications you receive. These are often the ways MRAT’s such as Rogue are spread and attack. As this specifically targets mobile devices, remember to apply the same cyber security procedures you usually would, when using your mobile devices.
Messaging app, Telegram has been the target of a scam-as-a-service hit by cyber criminals, with victims scammed of a huge £4.7 million to date.
The Classiscam has been sold to cyber criminal gangs and used throughout 2020. Classiscam uses Telegram bots to steal money and payment data from victims. Fully-fledged scam kits are being sold, equipping cyber criminals with Telegram chatbots that allow for automated communication with victims, as well as customised links that lead victims to phishing landing pages. These web pages are designed to trick recipients into thinking they are buying products – and as they are being fed the links by Telegram chatbots it seems legitimate.
Cyber criminals with access to the kits advertise on online marketplaces and classified websites, with high-value items at deliberately low prices. When a victim contacts the seller, they are asked to communicate through a third-party messenger app, usually WhatsApp or Telegram. If these communications occur via Telegram, the scam uses Telegram chat bots, which are accounts operated by software with artificial-intelligence features. The cyber criminals simply send a link with the fake product to the Telegram chatbot, which generates a complete phishing kit and sends to the victim.
The phishing kit includes a link to a fake courier website, or a scam website that looks just like a legitimate classified ad or marketplace with a payment form, which in reality is a scam page. A ‘support’ page offers fake support lines for victims to call once they are aware they have been scammed, but the tech support team is a cyber criminal!
If you’re a user of Telegram, please be wary when engaging with the application, and always double-check the validity of any link or action you’re encouraged to make while online – whether you have been encouraged to use the app by an advertisement or not.
Apple has removed a contentious macOS feature that allowed some Apple apps to bypass content filters, VPNs and third-party firewalls. We mentioned this in the Neu Cyber Threats update on 26th November 2020 and are delighted to see the feature has been eradicated.
The feature, used in a beta release of macOS Big Sur, was called ‘ContentFilterExclusionList’ and included a list of over 50 different Apple apps – including Maps, Music, FaceTime, the App Store and its software update service. It has been recently removed in macOS Big Sur versions 11.2, as the exclusion from content filters, VPNs and third-party firewalls were leaving Mac devices open to attacks from cyber criminals to give them access to people’s systems and expose their sensitive data.
Because these 50 apps bypassed these filters, the service could not monitor them to see how much data they were transferring or which IP addresses they were communicating with – and ultimately could not block them if something was amiss and cyber criminals were exploiting them. The change means that firewalls such as LuLu – an open-source firewall that blocks outgoing unknown connections on Macs – can now comprehensively filter and block network traffic for all Apple apps.