Neu Cyber Threats – 26th August 2021
Microsoft Exchange servers remain vulnerable
Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of vulnerabilities, which were patched earlier this year. March 2021 saw multiple zero-day exploits used to attack on-premises Exchange servers, and it appears that many servers have still not been fully patched: those who have not applied updates since April or May are being told their systems are not safe and could still be exploited.
Neuways recommends you update to the latest security patch as soon as possible, monitor for any new indicators of compromise and stay up to date on new information as it is released.
In August, researchers observed at least five distinct styles of web shells deployed to vulnerable Microsoft Exchange servers:
- XSL Transform (the most common, with over 130 occurrences)
- Encrypted Reflected Assembly Loader
- Comment Separation and Obfuscation of the “unsafe” Keyword
- JScript Base64 Encoding and Character Typecasting
- Arbitrary File Uploader
Researchers note that, while Exchange 2010 is not affected by these vulnerabilities, it reached end of life in October 2020, so Microsoft no longer provides security fixes for any vulnerabilities found in it that could expose the server to a breach. It is recommended NOT to run an end-of-life Exchange 2010 server in 2021.
Cyber criminals are exploiting vulnerabilities in Microsoft Exchange, dubbed ProxyShell, to install a backdoor for later access and post-exploitation. This ProxyShell attack uses three chained Exchange vulnerabilities to perform unauthenticated remote code execution. Here are detailed breakdowns of the three vulnerabilities:
- CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, allowing threat actors to execute code remotely on an affected system.
- CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
- CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code and write arbitrary files.
Researchers are seeing attackers actively exploiting these vulnerabilities against vulnerable Exchange servers, with over 100 incident reports related to this exploit over a two-day period in August.
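The list of web-shell styles above is what a responder ends up hunting for on a server that missed the April or May updates. The following is an added example, not code from Neuways or the cited researchers: a small Python triage script that walks a web root (path is hypothetical) and flags recently modified server-side pages that trip a heuristic for any of the five styles. The regexes and sample files are constructed for illustration, not published signatures.

```python
"""Triage server-side script files under an Exchange web root for the five
web-shell styles listed above. Added example, not from Neuways or the cited
researchers; the regexes are constructed heuristics, not published signatures,
so a hit means "review this file by hand", not "this is a web shell"."""
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed heuristics, one per style in the list above.
INDICATORS = {
    "xsl_transform": re.compile(r"XslCompiledTransform|XslTransform", re.I),
    "reflected_assembly": re.compile(r"Assembly\s*\.\s*Load\s*\(", re.I),
    # the 'unsafe' compiler keyword broken up by comments, e.g. un/**/safe
    "obfuscated_unsafe": re.compile(r"un(?:/\*.*?\*/)+safe", re.I | re.S),
    "jscript_base64": re.compile(r'language\s*=\s*"jscript".*?FromBase64String',
                                 re.I | re.S),
    "file_uploader": re.compile(r"Request\.Files\b.*?\.SaveAs\s*\(", re.I | re.S),
}

# Constructed samples: a benign page plus one minimal hit per style shown.
SAMPLES = {
    "benign.aspx": '<%@ Page Language="C#" %><html><body>Hello</body></html>',
    "shell1.aspx": '<%@ Page Language="C#" CompilerOptions="/un/**/safe" %>',
    "shell2.aspx": ('<script language="JScript" runat="server">'
                    'var b = System.Convert.FromBase64String(Request["c"]);</script>'),
    "shell3.aspx": '<% Request.Files[0].SaveAs(Server.MapPath(Request["p"])); %>',
}

def classify(source: str) -> list[str]:
    """Names of every indicator the page source trips, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def hunt(root: str, max_age_days: int = 90) -> list[tuple[str, list[str]]]:
    """Report .aspx/.ashx/.asmx files under root that trip an indicator and were
    modified within max_age_days (Exchange's own pages should predate the patch)."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=max_age_days)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, fn)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                matched = classify(fh.read())
            if matched and mtime >= cutoff:
                hits.append((path, matched))
    return hits
```

Run `hunt(r"C:\inetpub\wwwroot")` (hypothetical path) on a copy of the web root and review every reported file manually; the modification-time filter only prioritises, it does not clear older files.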
Cyber criminals using reCAPTCHA to plant malware
Cyber attackers are using Google’s reCAPTCHA (aka the “I’m not a robot” function) and fake CAPTCHA-like services to obscure various phishing and other campaigns.
CAPTCHAs will be familiar to internet users as the challenges that are used to confirm that they’re human. The puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text. The puzzle is designed to weed out bots on retail and other account sites.
Researchers said that the puzzles can also benefit cyber criminals, though: “Hiding phishing content behind CAPTCHAs prevents security crawlers from detecting malicious content and adds legitimate looking tactics to phishing login pages.”
Though it’s far from brand-new, it’s becoming an increasingly popular technique. In the last month alone, researchers found 7,572 unique malicious URLs over 4,088 pay-level domains employing the obfuscation method, which averages 529 new CAPTCHA-protected malicious URLs per day.
Survey and lottery scams appear to be among the most common grayware pages. These usually result in the user disclosing sensitive information, including address, date of birth, banking information and annual income, in exchange for a fake payment or a chance at winning the lottery.
Another growing category is malware delivery pages abusing legitimate CAPTCHA services. The positive is that researchers have said it’s possible to detect phishing pages through the association of CAPTCHA keys.
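The detection idea the researchers mention, associating pages by their CAPTCHA keys, works because a phishing kit usually reuses one reCAPTCHA site key on every domain it is deployed to. The following is an added example, not code from Neuways or the researchers quoted above: it extracts site keys from crawled HTML and flags any key shared across several pay-level domains. The site keys, URLs and markup are constructed samples, and the pay-level-domain helper is a simplification that ignores public suffixes.

```python
"""Cluster crawled pages by the reCAPTCHA site key they embed. Added example,
not code from Neuways or the researchers quoted above. A phishing kit that
fronts its pages with reCAPTCHA tends to reuse one site key on every domain it
is deployed to, so a key seen across many unrelated pay-level domains is a
useful pivot for a crawler that cannot see past the challenge itself."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed patterns for the two usual ways a site key appears in markup:
# the data-sitekey attribute and the sitekey option passed to grecaptcha.render.
SITEKEY_PATTERNS = [
    re.compile(r'data-sitekey\s*=\s*["\']([A-Za-z0-9_-]{20,})["\']'),
    re.compile(r'["\']?sitekey["\']?\s*:\s*["\']([A-Za-z0-9_-]{20,})["\']'),
]

def extract_sitekeys(html: str) -> set[str]:
    """All reCAPTCHA site keys referenced by one page."""
    keys: set[str] = set()
    for rx in SITEKEY_PATTERNS:
        keys.update(rx.findall(html))
    return keys

def pay_level_domain(url: str) -> str:
    """Simplification: last two host labels, no public-suffix list (so .co.uk breaks)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cluster_by_key(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each site key to the pay-level domains it was observed on."""
    by_key: dict[str, set[str]] = defaultdict(set)
    for url, html in pages.items():
        for key in extract_sitekeys(html):
            by_key[key].add(pay_level_domain(url))
    return dict(by_key)

def suspicious_keys(pages: dict[str, str], min_domains: int = 3) -> set[str]:
    """Keys shared by at least min_domains distinct pay-level domains."""
    return {k for k, doms in cluster_by_key(pages).items() if len(doms) >= min_domains}

# Constructed crawl: three lookalike domains share one key, one bank uses its own.
KIT_KEY = "6LcCONSTRUCTEDkey0000000000000000000000"   # constructed, not a real key
BANK_KEY = "6LcCONSTRUCTEDkey1111111111111111111111"  # constructed, not a real key
SAMPLE_PAGES = {
    "https://secure-login.example-mail.net/": f'<div class="g-recaptcha" data-sitekey="{KIT_KEY}"></div>',
    "https://verify.example-docs.org/sign-in": f"<div class='g-recaptcha' data-sitekey='{KIT_KEY}'></div>",
    "https://account.example-portal.com/": f"grecaptcha.render('box', {{sitekey: '{KIT_KEY}'}});",
    "https://www.example-bank.com/login": f'<div class="g-recaptcha" data-sitekey="{BANK_KEY}"></div>',
}
```

A key that clusters is a lead, not a verdict: legitimate multi-brand operators also share keys, so confirm against the page content and registration data before blocking.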
Neuways advises users to be careful where they disclose their sensitive information, as this could lead to cyber criminals obtaining it and causing havoc with it. Double check the validity of the websites you visit and do not follow hyperlinks or open attachments from any suspicious emails you receive.
Cyber criminals trying to turn employees against their businesses
It has been discovered that threat actors are trying to turn disgruntled employees against their own business, by asking them to deploy ransomware in exchange for a cut of the ransom profits.
Researchers at a security firm were themselves targeted in the scam, before they identified and blocked a number of emails that offered people the equivalent of hundreds of thousands of pounds to install DemonWare ransomware. The would-be attackers have ties to the DemonWare ransomware group, also known as Black Kingdom or DEMON. The employee is told they can launch the ransomware physically or remotely.
DemonWare has been around for a few years. The group was last seen alongside numerous other threat actors launching a barrage of attacks targeting Microsoft Exchange’s ProxyLogon set of vulnerabilities, CVE-2021-27065, which were discovered in March. The campaign begins with an initial email soliciting help from an employee to install ransomware while dangling the offer of payment if the person follows through. It also gives the recipient, whom the attackers later said they found via LinkedIn, a way to contact the sender of the email.
Researchers contacted the cyber criminals to find out more about the campaign. They replied that they had seen the email and asked what they needed to do to help. Minutes later, the criminal responded, reiterated what was included in the initial email, and asked whether the researchers would be able to access their fake company’s Windows server.
Researchers continued to communicate over five days with the threat actors as if they were willing to be a part of the scam. Upon being contacted, the threat actor sent researchers two links for an executable file that could be downloaded on the file-sharing sites WeTransfer or Mega.nz. The file was named “Walletconnect (1).exe” and based on an analysis of the file, researchers were able to confirm that it was, in fact, ransomware.
The cyber criminals showed flexibility in how much ransom they were willing to receive, too. The original amount was £1.8 million in bitcoin, but the threat actor quickly lowered that sum to £180,000 and then to £120,000 when researchers said that the fake company for which they worked had an annual revenue of around £40 million.
The actor repeatedly tried to overcome any hesitation by assuring the researchers that they wouldn’t get caught, since the ransomware would encrypt everything on the system – including any CCTV (closed-circuit television) files that may be stored on the server.
The example provides a clear look at how threat actors have perfected the use of social engineering in cyber crime. The campaign also sheds light on how attackers leverage the idea of a disgruntled insider to get someone else to do their dirty work, a concept that isn’t new, but one that illustrates yet another route by which ransomware can find its way onto a business’s network.
Cost of phishing attacks quadruples since 2015
Research shows that the cost of phishing attacks has nearly quadrupled over the past six years, with large enterprise companies now losing, on average, £10.7 million annually, or £1,000 per employee. Compared with 2015’s figure of £2.7 million, the increased risk businesses face in 2021 is clear.
According to the study, phishing leads to some of the costliest cyberattacks. One of the most expensive threat types is business email compromise (BEC). BEC costs accelerated last year, with more than £1.3 billion stolen from organisations as cyber criminals launch even slicker attacks, either impersonating someone inside a business or masquerading as a partner or vendor in order to pull off financial scams.
One of the other most expensive attacks is ransomware, as experts have tracked skyrocketing ransom costs. But, interestingly enough, what businesses shell out for extortion payments in ransomware attacks is just a small fraction of the true cost of phishing attacks, according to the study.
Researchers described the situation further: “What we found is that ransoms alone account for less than 20% of the cost of a ransomware attack. But, because of phishing attacks increasing the possibility of a data breach and business disruption, most of the costs incurred by companies actually come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”
Lost productivity, the time spent repairing the damage, and the cleaning and fixing of infected systems are noted as the most time-consuming parts of resolving phishing scams. Some of the study’s other key takeaways include:
- BEC costs amount to nearly £4.3 million per year for large companies, with illicit payments made annually to BEC attackers just under a million.
- Security awareness training reduces phishing expenses by more than 50% on average.
- The average total cost to resolve malware infections has more than doubled in the six years from 2015 to 2021.
Neuways advises businesses to be aware of the very real threat of ransomware attacks. As this story says, it is not just the initial ransom cost or cyber attack itself, but the knock-on effects that can lead businesses to suffer from long-term financial damage. A Business Continuity and Disaster Recovery plan will help your business to bounce back from an attack, and prevent that lasting damage. When implemented by IT business experts, such as those at Neuways, a BCDR plan can be a life-saver for a business.
Call Neuways on 01283 753333 or email email@example.com to find out more information.