Neu Cyber Threats – 28th January 2021
The cyber criminals behind the large supply chain attack on SolarWinds utilised ‘Raindrop’ malware to move laterally within businesses and deploy additional payloads. The SolarWinds attack saw the delivery of trojanised updates for one of SolarWinds’ IT monitoring products, Orion, to around 18,000 of its customers.
These malicious updates included a piece of malware named Sunburst, which the hackers inserted into Orion using yet another malware called Sunspot. Raindrop was spotted on compromised networks and appears to have been used for spreading across victims’ networks. It doesn’t seem to have been delivered by the Sunburst malware, but it has appeared elsewhere on networks where at least one computer had already been compromised by Sunburst.
On infected devices, tools were found that can be used to obtain passwords and keys, along with evidence of commands that attempted to push malware onto other devices within the same network. It is believed that Russian cyber criminals were behind the attack. Please be aware of any suspicious-looking emails that may land in your inbox – if you are suspicious of any received communications, inform your Managed Service Provider.
A phishing campaign sends victims spoof Xerox notifications to lure them into opening malicious HTML attachments and handing their credentials to cyber criminals. Attackers behind a recent email phishing campaign have left over 1,000 sets of stolen credentials for anyone to see, via a simple Google search.
The campaign began last summer and sent victims emails posing as Xerox document scan notifications. Instead of a genuine scan, the emails carried malicious attachments; having bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering, the campaign stole over 1,000 corporate credentials.
While this is not atypical of phishing campaigns, the attackers made an ‘error’ that left the stolen credentials exposed – by writing the details to designated web pages on compromised servers. Google constantly indexes the internet, and the search engine also indexed these pages, making them available to anyone who queried Google for a stolen email address. Usually cyber criminals keep such credentials to themselves and sell them on the dark web for profit.
Businesses targeted through the campaign included a range of industries – including retail, manufacturing, healthcare and IT, as well as energy and construction companies. The campaign begins with an email using one of several phishing templates imitating a Xerox notification, with the target’s first name or company title in the subject line. The email included an HTML file that, once opened, presented the user with a lookalike Xerox login page.
This particular phishing campaign illustrates just how easy cyber attacks can be to manufacture. That the cyber criminals who orchestrated it made such a basic error, leaving companies’ credentials available to all, shows that businesses need to pay more attention to their cyber-security. Remember, just because an email has evaded your email security solutions doesn’t mean it is safe to open. Apply good email opening practices to every email you receive.
Cyber criminals have been sending victims fake Microsoft 365 password expiration reports in an ongoing phishing campaign. Businesses within finance, manufacturing and technology have fallen victim to the scam across the UK. At the time of writing, over 300 unique compromised URLs have been identified, along with 70 email addresses from eight different websites. Cyber criminals compromised over 40 legitimate email addresses of CEOs, directors, company founders and owners, as well as other employees.
The attackers sent false Microsoft 365 password expiration reports, asking the victim to click on an embedded link that would supposedly allow them to continue using the same password. However, once the potential victim clicks on the “Keep Password” option, they are taken to a phishing page which records the credentials entered by the user. Cyber criminals then abuse the account details they receive to gain the trust of other users within the same business.
The hackers are utilising a phishing kit that was first used last year in similar phishing attacks with spoofed Microsoft login pages. Cyber criminals have also been found advertising stolen credentials for the Office 365 accounts of CEOs, chief financial officers (CFOs), and financial department employees on the Dark Web.
At Neuways, we continue to advise businesses to consider signing up their employees for Phishing Awareness Training. The training we provide ensures that employees will be able to distinguish phishing emails from normal communications, which is critical to avoiding any business-damaging loss of credentials. Your employees should be seen as gatekeepers to your business, and one slip-up could cause crippling downtime.
WordPress users should be made aware of two critical vulnerabilities found in a WordPress plug-in called Orbit Fox. One vulnerability allows for privilege escalation and remote code injection, while the second issue allows for cross-site scripting. Our recommendation is that you update the Orbit Fox plug-in to the most recent version as soon as possible.
The more severe vulnerability, which allows for privilege escalation, lets cyber criminals gain contributor-level access – allowing them to potentially take over a WordPress site completely. This is carried out by crafting a specially formed request via a registration form added through the Orbit Fox sign-up widget. While the plug-in’s client-side code is protected against this, the backend server does not properly sanitise the submitted data. As a result, lower-level contributors can set their own user role to admin through a malicious registration form.
Currently, Orbit Fox has over 400,000 active installations on WordPress sites, which means a large number of users could be affected by these vulnerabilities, as well as the end users of said websites. The cross-site scripting vulnerability is present in Orbit Fox versions 2.10.2 and earlier, while the severe privilege escalation vulnerability only applies to sites that use an affected version of Orbit Fox together with either the Elementor or Beaver Builder plug-ins and have user registration enabled.
If you use an affected version of Orbit Fox, we urge you to update the plug-in as soon as possible.
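The root cause described above, a server that trusts a role value submitted with a registration form, is easiest to see in code. The following is an added illustration written for this page, not Orbit Fox’s own code: a hypothetical WordPress registration handler in a vulnerable form and a hardened form. The function names `neu_register_vulnerable` and `neu_register_hardened`, the nonce action `neu_register` and the option `neu_signup_role` are invented for the example; the WordPress functions it calls (`wp_insert_user`, `wp_verify_nonce`, `sanitize_user`, `sanitize_email`, `get_option`) are real.

```php
<?php
// Added example, not Orbit Fox code. Hypothetical registration handlers for a
// WordPress plug-in, showing the defect described above and its fix.

// VULNERABLE: the role is read straight from the request. The client-side form
// may only ever send 'subscriber', but a request can be altered before it is
// submitted, so 'role' => 'administrator' is accepted and wp_insert_user()
// creates an administrator account.
function neu_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => $_POST['user_pass'] ?? '',
        'role'       => $_POST['role'] ?? 'subscriber', // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

// HARDENED: the role never comes from the request. It is chosen server-side
// from a setting, checked against an allowlist that excludes privileged roles,
// and the request is tied to a nonce so it cannot be forged from another site.
function neu_register_hardened() {
    if ( ! isset( $_POST['neu_nonce'] )
        || ! wp_verify_nonce( $_POST['neu_nonce'], 'neu_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }

    // Hypothetical option holding the role new sign-ups receive. Even if an
    // administrator misconfigures it, the allowlist stops it becoming 'administrator'.
    $allowed_roles = array( 'subscriber', 'contributor' );
    $role = get_option( 'neu_signup_role', 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => $_POST['user_pass'] ?? '',
        'role'       => $role, // server-side value, $_POST['role'] is ignored entirely
    );
    if ( '' === $userdata['user_login'] || ! is_email( $userdata['user_email'] ) ) {
        return new WP_Error( 'invalid_input', 'Username or email is invalid.' );
    }
    return wp_insert_user( $userdata );
}
```

When reviewing your own or a third-party plug-in for this class of bug, search for every call to `wp_insert_user()` or `wp_update_user()` and confirm that the `role` key (and any `wp_capabilities` meta) is never derived from `$_POST`, `$_GET` or `$_REQUEST`; the fix is to drop the client-supplied value, not to filter it.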
Cyber criminals have been found using Google Forms to send thousands of emails to businesses as a reconnaissance campaign, identifying targets for potential follow-up business email compromise (BEC) attacks.
So far, thousands of messages have been sent since December 2020, with manufacturing and telecommunications among the sectors impacted. The campaign uses Google’s Forms survey mechanism because it can bypass email security content filters. However, in this attack the use of Google Forms also invites an ongoing dialogue between the attacker and the email recipient – another example of social engineering aimed at businesses.
Messages are written to convey a sense of urgency, common in phishing emails. The victim is asked if they have a “quick moment” to carry out a task, as the purported sender is heading into a meeting or too busy to handle the task themselves, and a link is offered in the email. This link leads the victim to a default, untitled form hosted on Google Forms’ infrastructure. Google Forms is survey administration software offered as part of Google’s Document Editors suite of apps. Strangely, the form in this campaign is blank, and merely says “Untitled Form” with an “Untitled Question.” This could be a tactic to see which recipients click through the link before they are targeted in a future email phishing scam.
Neuways advises looking out for the following red flags in any potential phishing emails:
- Erroneous spelling and grammar
- Urgent messaging used
- Sender email addresses that do not make sense at all
For all eight key indicators of a phishing email, visit our Phishing Awareness page now.
Email security solution Mimecast has had a small section of its services compromised, affecting around 10% of customers using those particular services.
This incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor. When Microsoft informed Mimecast about the compromise of a Mimecast-issued certificate used to authenticate a subset of its products, Mimecast advised affected customers to break and re-establish their connections with newly issued keys. The vast majority of customers have taken this action, and Microsoft has now disabled use of the former connection keys for all affected Mimecast customers.
If you’re a Mimecast customer, please contact your Managed Service Provider for more information.