Neu Cyber Threats – 25th March 2021
A new phishing scam is on the rise, with high-level executives the target. Cyber criminals are trying to harvest their Microsoft 365 credentials before using them to launch business email compromise (BEC) attacks. The attacks, which started last December, work around the email security and Microsoft 365 defences in place, making them even more potent.
It seems the financial departments of companies are being targeted by cyber criminals masquerading as the executives whose credentials they have stolen. This means that the attackers could potentially gain access to sensitive data of third parties through invoices and billing. Forged invoices sent from legitimate email addresses can be delivered to suppliers, resulting in payments being issued to attacker-owned accounts.
In one version of the campaign, targets receive a fake Office 365 security update, sent from domains with Microsoft-themed names to make them seem even more legitimate. The scammers also properly configured SPF records for these domains, so the messages pass authentication checks that would otherwise flag them.
A further version of the attack illustrates how dangerous this campaign is. It involves taking over other accounts to send the phishing messages, with the email addresses of known senders spoofed to evade detection. The goal of the phishing email is to dupe victims into clicking the ‘Apply Update’ button, disguised as a security update, which takes them to a spoofed Microsoft 365 login page.
After a target submits their password, the threat actors have full control of their email and any other Microsoft systems where the same password was used, researchers warned.
Neuways advise businesses to be wary of any legitimate-looking Microsoft emails. Any communications received that require the input of account credentials, such as passwords, should be treated with suspicion. Report any suspicious emails to your IT support desk, who will be able to confirm the legitimacy of the emails. By double checking, you could be saving your business from a devastating data breach.
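The campaign above relies on a point worth checking in your own mail filtering: an attacker who controls a Microsoft-themed lookalike domain can publish a valid SPF record for it, so an SPF pass says nothing about whether the sender is really Microsoft. The following added example (not code from the original article) parses constructed sample messages and flags brand-themed sender domains that are not on an assumed allow-list, even when the receiving server reported spf=pass.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of genuine Microsoft sender domains (example only).
GENUINE_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com"}
# Tokens that make a domain "Microsoft-themed" without being on the allow-list.
BRAND_TOKENS = ("microsoft", "office365", "office-365", "o365", "msonline")
# Constructed sample messages, not taken from the article. The lookalike
# domain has its own valid SPF record, so the receiving MTA reports spf=pass.
LOOKALIKE_MSG = """\
From: Microsoft Security <security@microsoft-365-updates.com>
Subject: Action required: apply Office 365 security update
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft-365-updates.com

Click 'Apply Update' to keep your account secure.
"""

GENUINE_MSG = """\
From: Microsoft Account Team <account-security-noreply@microsoft.com>
Subject: Your sign-in activity
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com

Review recent activity on your account.
"""

def sender_domain(raw: str) -> str:
    """Domain of the header From: address, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def spf_result(raw: str) -> str:
    """SPF verdict from Authentication-Results, or 'none' if absent."""
    hdr = message_from_string(raw).get("Authentication-Results", "")
    m = re.search(r"\bspf=(\w+)", hdr)
    return m.group(1).lower() if m else "none"

def assess(raw: str) -> dict:
    """Flag Microsoft-themed lookalike senders even when SPF passes."""
    domain = sender_domain(raw)
    spf = spf_result(raw)
    lookalike = domain not in GENUINE_DOMAINS and any(t in domain for t in BRAND_TOKENS)
    if lookalike:
        verdict = "quarantine"  # an SPF pass proves nothing about brand legitimacy
    elif spf == "pass" and domain in GENUINE_DOMAINS:
        verdict = "allow"
    else:
        verdict = "review"
    return {"domain": domain, "spf": spf, "lookalike": lookalike, "verdict": verdict}
```

The allow-list and brand tokens are illustrative; a real deployment would draw them from the organisation's own mail flow and pair this check with DKIM and DMARC results rather than SPF alone.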
Users of Elementor, the popular WordPress website builder plug-in, are advised to apply the latest update (currently version 3.1.4) as soon as possible, whether they use the free or the pro version. A stored XSS vulnerability affecting Elementor can be exploited to steal administrator credentials, which could lead to a site takeover and malicious code being injected into the site.
An attacker must first hold a Contributor role on the targeted WordPress website. Even so, it is recommended that all users of the Elementor plug-in urgently update to the latest version, as over seven million WordPress sites use this plug-in.
This recent vulnerability follows a set of stored Cross-Site Scripting (XSS) vulnerabilities in the Elementor plug-in in February 2021, which prompted an initial patch that addressed the issue. Additional fixes were added recently and the latest version contains patches for the vulnerabilities, along with fixes for other less severe bugs in the plug-in.
Due to the privileges required, it is expected that the vulnerability will be used in targeted attacks rather than widespread attempts. A successful attack would give cyber criminals an opportunity to escalate their privileges further. For WordPress sites with multiple contributors and admins, the attack potential is much wider. While millions of sites using the Elementor plug-in are still vulnerable, Wordfence reported that they are not currently seeing active exploits against these vulnerabilities.
We recommend immediately updating all WordPress websites within your business that use the Elementor plug-in. Given how widely Elementor is used, prompt action to get all sites updated to at least version 3.1.4 is recommended, as doing so will mitigate the risk associated with the flaws.
CopperStealer, a previously undocumented password and cookie stealer, has been compromising accounts at the likes of Facebook, Apple, Amazon and Google for the past couple of years, and the stolen accounts have then been used for cyber criminal activity.
Accounts of advertisers and users of the four web giants have been compromised since July 2019. The malware acts similarly to the previously discovered, China-backed malware family SilentFade.
CopperStealer is an actively developed password and cookie stealer with a downloader function, which is capable of delivering additional malware after performing the initial theft. It is similar not only to SilentFade but also to other malware such as StressPaint, FacebookRobot and Scranos. It is thought that cyber criminals use the stolen accounts to run deceptive ads on some of the social media websites, which point those who see the adverts towards phishing pages.
Additional versions of CopperStealer seem to focus on other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.
CopperStealer has been distributed through legitimate websites that offer ways to evade the licensing restrictions of legitimate software such as Microsoft 365. Instead of receiving the software free of charge, users were downloading malicious executables capable of installing and downloading additional payloads. Researchers worked with some of the websites being taken advantage of by CopperStealer to intercept the malware and gain a better understanding of it. As a result, the ability of cyber criminals to collect victim data has been restricted, and it has been discovered that CopperStealer is not very sophisticated and has only basic capabilities.
It also appears that CopperStealer is targeting users around the world, with no regard for the industry they work in. Neuways advise employees to be careful when engaging with potential phishing emails. If your business has social media channels, it is worth using a password manager to help secure the account credentials for these pages. If CopperStealer were to gain access to your company’s Facebook page and start running spam adverts, your business would suffer reputational damage in the eyes of its followers, which could include both customers and suppliers.