Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which, we here at Neuways, bring attention to the latest cybersecurity threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

Microsoft 365 users are being targeted with BEC attacks

A new business email compromise (BEC) campaign targeting Microsoft 365 users is using a range of sophisticated obfuscation tactics within phishing emails that can fool natural language processing filters and are undetectable to end users. Researchers first discovered the campaign in September and dubbed it ‘One Font’, because of the way it hides text in a one-point font size within messages.

Attackers are also hiding links within the cascading style sheets (CSS) in their phishing emails, another tactic designed to confuse natural language filters like Microsoft’s Natural Language Processing (NLP). The One Font campaign includes messages with links coded within the <font> tag, which, in combination with the other obfuscation techniques, also destroy the effectiveness of email filters that depend on natural language for their analysis.

Researchers said: “This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see.”

The recent campaign is similar to the one researchers discovered in 2018 called ZeroFont, which used similar tactics to get past Microsoft NLP in its Office 365 security protections. That campaign inserted hidden text with the font size of zero within messages to trip up email scanners that depend on natural language to discover malicious emails.

Like that campaign, One Font also targets Office 365 organisations, can lead to BEC and endanger the corporate network if messages aren’t flagged and users are duped into giving up their credentials. Since the ZeroFont campaign, cyber criminals have gotten increasingly sophisticated in their tactics to slip past the NLP used in common email filters.

Once it makes it to inboxes while appearing to be a legitimate message, the One Font campaign uses typical social engineering tactics to get the attention of victims. Attackers present what looks like a password-expiration notice, using urgent messaging to spur a potential victim into clicking on a malicious link. This carries them to a phishing page where they appear to be entering their credentials so they can change their passwords. Instead, threat actors are stealing their credentials to use for other cyber crime activity.

Researchers demonstrated how specific phishing emails used a combination of tactics – specifically, links hidden within the CSS and links slipped within the <font> tag and then sized down to zero – that confounded natural language filters. With such techniques being invisible to the end user, flagging such messages as malicious can be tricky. To avoid these messages slipping past filters, Neuways recommends that organisations use a multi-tiered security solution that combines advanced artificial intelligence and machine learning, with static layers like domain and sender reputation.

Notorious malware service returns

Emotet, one of the most prolific and disruptive botnet malware-delivery systems, looks to be making a comeback after almost a year of inactivity. Researchers found the TrickBot trojan launching into what appears to be a new loader for the notorious malware.

As Emotet was largely dismantled earlier this year, researchers said they were “suspicious about the findings” and conducted further verification of the activity. After doing so, they said with that “the samples indeed seem to be a re-incarnation of the infamous Emotet” but will be conducting further analysis.

Emotet initially started life as a banking trojan in 2014, and has continually evolved to become a full-service threat-delivery mechanism. It can install a collection of malware on the machines of victims, including information stealers, email harvesters, self-propagation mechanisms and ransomware, the last of which is at a record high in terms of volume and currently the cyber threat most worrying global police.

The malware was last seen in volume hitting 100,000 mailboxes a day to deliver TrickBot, Qakbot and Zloader in December 2020 ahead of the festive season. The operation that appeared to put Emotet out of commission eliminated active infections on more than 1 million endpoints worldwide. Now it appears to have resurfaced using the familiar partner-in-crime TrickBot, the two have a long history of working together. Often, it was Emotet using its vast network to deliver TrickBot as a payload in targeted email phishing campaigns.

Researchers detailed the similarities between previous samples of Emotet and the one they observed recently being dropped by TrickBot. One hallmark is the network traffic originating from the sample closely resembling Emotet behaviour. Researchers said: “The URL contains a random resource path and the bot transfers the request payload in a cookie. However, the encryption used to hide the data seems different from what has been observed in the past. Additionally, the sample now uses HTTPS with a self-signed server certificate to secure the network traffic.”

Another notable characteristic of Emotet was the heavy use of control-flow flattening to obfuscate the code. The current sample also contains flattened control flows. Researchers are aware of the potential for Emotet to disrupt the world’s businesses, although it will be a while before its latest version will be capable of a similar level of havoc-wreaking.

Fortunately, as the botnet will need some time to gain strength, organisations will have some breathing room to shore up defences. Neuways advises businesses to get ahead of the threat by focussing on Phishing Awareness Training for their workforces about the dangers of email threats as well as shoring up network monitoring, since Emotet spreads infections predominantly through phishing campaigns. In addition to the training, tracking newly discovered command and control servers, as well as alerting and blocking traffic to them can reduce the risk of infection greatly.

Criminals targeting users through false streaming ads

Scammers are tempting users with phishing campaigns disguised to look like genuine adverts for Netflix, Amazon Prime and other streaming services.

Where there’s payment data, cyber criminals are sure to follow, and researchers are warning of the threat to users: “Streaming services offer a variety of payment plans, but generally they all involve paying with a credit card and where there are card details, there is the threat of phishing.”

Researchers have observed lures aimed at targets, depending on their current streaming subscription status. Fake sign-up pages for streaming services were used to pry email addresses and credit-card information from victims. Current Netflix subscribers were sent a phishing email requesting they update their billing information.

“We’re having some trouble with your current billing information,” the email read. “We’ll try again, but in the meantime, you may want to update your payment details.” A link to “Update Your Account Now” followed, along with the signoff, “Your friends at Netflix,” and, of course, the link led to a malicious payment confirmation page addressing “costumers” instead of “consumers.”

Another tactic aimed at streamers included fake offers to stream popular shows like Disney’s The Mandalorian. Victims would watch a trailer, then be asked for a fee to continue, giving the scammers their payment details. Researchers added: “What follows is a classic scenario: any payment details users enter go straight to the crooks.”

Stolen streaming credentials are valuable as they have gone on to be sold on underground markets, while the subscription’s stolen password could go onto be used in attacks against other victim accounts. The widespread cultural influence of video streaming services is increasingly being weaponised by scammers.

This isn’t the first time streaming services have been used for nefarious means. In 2020, researchers discovered a malicious Netflix app in the Google Play store, which was spreading through WhatsApp messages. Neuways advises users to not open up any emails that appear to be associated with streaming services, while paying attention to the obvious signs of a scam, like incorrect grammar and requests for payment information.

Phishing email scam

Scammers exploiting UK broadband users

UK broadband provider, Sky, left about 6 million customers exposed to attackers who could remotely gain access to their home networks. Researchers reported the problem to Sky Broadband in May 2020, but did not receive an update for almost 18 months.

The flaw could have affected customers who had not changed the default admin password on their routers. Additionally, non-default credentials could have been brute-forced – although it is believed that the vulnerability has now been fixed.

The affected model numbers are: Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203) and Booster 4 (SE210).

While the last two router models were also affected by the weakness, they come with a random admin password, making them tougher to attack but also leaving them open to brute-forcing attacks. DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks. This tactic has been used before, and on an even greater scale: it was used in a two-step proof-of-concept exploit, demonstrated by researchers in January 2020, gaining remote access to a compromised spectrum analyser.

Multiple cable modems used by ISPs to provide broadband into homes were found to have the critical vulnerability in their underlying reference architecture – a vulnerability that would allow an attacker to get full remote control of the device. Researchers explained that the DNS rebinding technique allows an attacker to bypass the “same-origin” policy: a defence technique in web browsers that permits scripts contained in a web page to access data in a second web page, but only if both web pages have the same origin. This prevents web applications from interacting with different domains without the user’s consent.

The exploit, which would have allowed an attacker to reconfigure a victim’s home router, could have been triggered simply by directing a user, via a phishing attack, to a malicious link. From there, the threat actor could “take over someone’s online life,” stealing passwords for banking and other sensitive sites.

Sky said: “After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”

Researchers added: “While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable. The fact that so many routers are being shipped with default passwords exposed to the internet is inexcusable in 2021.”

The entire incident highlights how important it is to change passwords, where even changing to a weak password would prevent exploitation in this case.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.