
Blog Post

Neu Cyber Threats – 25th March 2021

Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we at Neuways highlight the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:

Microsoft SharePoint and Teams users have experienced missing files following a recent Azure Active Directory outage. The incident left many users unable to use a number of Microsoft services, such as Microsoft 365, Exchange Online, Outlook.com and SharePoint, on 15th March 2021.

Since then, hundreds of files have been found deleted from SharePoint and sitting in businesses’ Recycle Bins, all mysteriously deleted at once. The SharePoint folder structures appear to be intact but contain none of the expected files. In one instance, the deletion was attributed to an employee who said she had no idea the files had been deleted – yet that person supposedly deleted hundreds of files in different folders all at once.

This has left businesses without their files and information for some time, as manual restores are having to be carried out instead of the file syncs that would normally restore deleted information. The related Teams issues prevent users from viewing their files as they should be able to, instead telling them they do not have access.

It is currently not clear what the issues with the Microsoft apps are, but users are advised to review their security procedures. Multi-factor authentication (MFA) adds an extra layer of security to a business’s cyber security policy, granting the user access to information only after they have proven the validity of their login attempt.
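A practical check for the situation described above is to watch the audit trail for one account deleting an unusually large number of files in a short window. The following script is an added example (not from the original post or from Microsoft): it assumes audit records shaped like Microsoft 365 unified audit log entries with the fields Operation, UserId, CreationTime and ObjectId, and the sample records are constructed, not real tenant data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries (Operation, UserId, CreationTime, ObjectId). Not real tenant data.
SITE = "https://tenant.sharepoint.com/sites/Finance/Shared Documents"
SAMPLE_RECORDS = [
    {"Operation": "FileDeleted", "UserId": "alice@example.com",
     "CreationTime": f"2021-03-15T09:12:{s:02d}",
     "ObjectId": f"{SITE}/Folder{s % 3}/report{s}.xlsx"}
    for s in range(60)                      # 60 deletions inside one minute
] + [
    {"Operation": "FileModified", "UserId": "alice@example.com",
     "CreationTime": "2021-03-15T09:30:00", "ObjectId": f"{SITE}/notes.docx"},
    {"Operation": "FileDeleted", "UserId": "bob@example.com",
     "CreationTime": "2021-03-15T14:03:10", "ObjectId": f"{SITE}/old.pptx"},
]


def deletion_bursts(records, window=timedelta(minutes=5), threshold=50):
    """Return {user: {"deletions": n, "folders": m}} for every user whose
    FileDeleted events reach `threshold` inside any sliding `window`.
    `deletions` is the peak count in one window; `folders` is how many
    distinct parent folders that user deleted from overall."""
    times = defaultdict(list)
    folders = defaultdict(set)
    for rec in records:
        if rec.get("Operation") != "FileDeleted":
            continue                         # ignore edits, uploads, etc.
        times[rec["UserId"]].append(datetime.fromisoformat(rec["CreationTime"]))
        folders[rec["UserId"]].add(rec["ObjectId"].rsplit("/", 1)[0])

    alerts = {}
    for user, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):      # sliding window over timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = {"deletions": peak, "folders": len(folders[user])}
    return alerts


if __name__ == "__main__":
    for user, info in deletion_bursts(SAMPLE_RECORDS).items():
        print(f"{user}: {info['deletions']} deletions in one window "
              f"across {info['folders']} folders")
```

A burst like this is a prompt to check the Recycle Bin and the sync client state before assuming the named user acted deliberately.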

For more information, read Neuways’ latest blog post, here.

A new phishing scam is on the rise, with high-level executives as the target. Cyber criminals are trying to harvest their Microsoft 365 credentials before using them to launch business email compromise (BEC) attacks. The attacks, which started last December, work around the email security and Microsoft 365 defences in place – making them even more potent.

It seems the financial departments of companies are being targeted by cyber criminals masquerading as the executives whose information they have stolen. This means the attackers could potentially gain access to sensitive data of third parties through invoices and billing. Forged invoices from legitimate email addresses can be sent to suppliers, resulting in payments being issued to attacker-owned accounts.

In one version of the campaign, targets receive a fake Office 365 security update, sent from domains with Microsoft-themed names to make them seem even more legitimate. The scammers also properly configured SPF records for these domains, so the messages pass authentication checks that would otherwise block them.

The danger of this campaign is illustrated by a further version of the attack, which involves taking over other accounts to send the phishing messages, with the email addresses of known senders spoofed to evade detection. The goal of the phishing email is to dupe victims into clicking the ‘Apply Update’ button, disguised as a security update, which takes them to a spoofed Microsoft 365 login page.

After a target submits their password, the threat actors have full control of their email and any other Microsoft systems where the same password was used, researchers warned.

Neuways advises businesses to be wary of any legitimate-looking Microsoft emails. Any communication that requires the input of account credentials, such as passwords, should be treated with suspicion. Report any suspicious emails to your IT support desk, who will be able to confirm whether they are legitimate. By double checking, you could be saving your business from a devastating data breach.
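The point that an SPF pass proves nothing when the attacker owns the sending domain is worth making concrete. This added example (not from the original post) is the kind of triage check an IT support desk might run over a reported message: it flags Microsoft-themed sender domains that are not on a trusted list and credential lure phrases, and explains why the SPF pass does not clear the message. The trusted domain list and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender domains treated as genuine are an assumption for this example; a real
# mail gateway would take them from the vendor's published sender list.
TRUSTED_SENDER_DOMAINS = {"microsoft.com", "email.microsoft.com"}
BRAND_WORDS = ("microsoft", "office365", "office-365", "o365", "msft")
LURE_PHRASES = ("apply update", "security update", "verify your account")

# Constructed sample: SPF passes for the sending domain, but that domain only
# looks Microsoft-themed, and the body carries the "Apply Update" lure.
SAMPLE_PHISH = """\
From: "Microsoft 365 Security" <no-reply@microsoft-update-center.example>
Subject: Office 365 security update required
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=microsoft-update-center.example
Content-Type: text/plain

Your mailbox needs a security update. Click "Apply Update" to continue.
"""
SAMPLE_LEGIT = """\
From: "Microsoft" <account-security-noreply@email.microsoft.com>
Subject: Your monthly usage summary
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=email.microsoft.com
Content-Type: text/plain

Here is your summary for March.
"""


def assess_message(raw):
    """Triage a raw RFC 5322 message. Returns (verdict, reasons)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    spf_pass = re.search(r"\bspf=pass\b", msg.get("Authentication-Results", "")) is not None
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    reasons = []
    if domain not in TRUSTED_SENDER_DOMAINS and any(w in domain for w in BRAND_WORDS):
        reasons.append(f"brand-themed sender domain {domain!r} is not a known Microsoft domain")
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("credential lure phrases: " + ", ".join(hits))
    if reasons and spf_pass:
        # Anyone can publish a correct SPF record for a domain they own, so a
        # pass only proves the mail came from where that domain says it should.
        reasons.append("SPF pass vouches for the sender's own domain, not for the brand")
    verdict = "suspicious" if reasons else "no findings"
    return verdict, reasons
```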

Users of Elementor, the popular WordPress website builder plug-in, are advised to apply the latest update (currently version 3.1.4) as soon as possible; this applies to both the free and Pro versions. There is a stored XSS vulnerability affecting Elementor which can be exploited to steal administrator credentials, which could lead to a site takeover and malicious code being implanted on the site.

An attacker must first have a Contributor role on the targeted WordPress website. Even so, it is recommended that all users of the Elementor plug-in urgently update to the latest version, as over seven MILLION WordPress sites use this plug-in.

Any user able to access the Elementor editor with at least a Contributor role would be able to add JavaScript to posts on the website. The JavaScript could be executed as soon as the post is viewed, edited or previewed by anyone with editing permissions, and could be used to take over the site if the victim has the Administrator role.

This recent vulnerability follows a set of stored Cross-Site Scripting (XSS) vulnerabilities in the Elementor plug-in in February 2021, which prompted an initial patch that addressed the issue. Additional fixes were added recently and the latest version contains patches for the vulnerabilities, along with fixes for other less severe bugs in the plug-in.

Due to the privileges required it is expected that the vulnerability will be used in targeted attacks rather than widespread attempts. A successful attack would give cyber criminals an opportunity to execute further privilege escalation. For WordPress sites with multiple contributors and admins, the attack potential is much wider. While millions of sites using the Elementor plug-in are still vulnerable, Wordfence reported that they are not currently seeing active exploits against these vulnerabilities.

We recommend immediately updating all WordPress websites within your business that use the Elementor plug-in. Due to its widespread use, prompt action in getting all sites updated to at least version 3.1.4 is recommended, as doing so mitigates the risk associated with these flaws.

CopperStealer, a previously undocumented password and cookie stealer, has been compromising accounts at the likes of Facebook, Apple, Amazon and Google for the past couple of years and using them for cyber criminal activity.

Accounts of advertisers and users of the four web giants have been compromised since July 2019. The malware acts similarly to the previously discovered, China-backed malware family SilentFade.

CopperStealer is an actively developed password and cookie stealer with a downloader function, capable of delivering additional malware after performing the initial theft. It is similar not only to SilentFade but also to other malware such as StressPaint, FacebookRobot and Scranos. It is thought that cyber criminals use the stolen accounts to run deceptive ads on social media websites, which point those who see the adverts towards phishing pages.

Additional versions of CopperStealer seem to focus on other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.

CopperStealer has been offered on legitimate websites that advertise ways to evade the licensing restrictions of legitimate software such as Microsoft 365. However, instead of receiving the software free of charge, users were downloading malicious executables capable of installing and downloading additional payloads. Researchers worked with some of the websites being abused by CopperStealer to intercept the malware and gain a better understanding of it. As a result, the ability of cyber criminals to collect victim data has been restricted, and it has been found that CopperStealer is not very sophisticated and has only basic capabilities.

It also appears that CopperStealer targets users around the world, regardless of what industry they work in. Neuways advises employees to be careful when engaging with potential phishing emails. If your business has social media channels, it is worth using a password manager to help secure the account credentials for these pages. If CopperStealer were to gain access to your company’s Facebook page and start running spam adverts, your business would suffer damage to its reputation among followers, which could include both customers and suppliers.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.
