Neu Cyber Threats – 30th September 2021
User credentials leaked due to Microsoft Exchange flaw
Researchers have captured hundreds of thousands of Windows domain and application credentials, as a result of the design and implementation of the ‘Autodiscover’ protocol implemented by Microsoft Exchange.
Microsoft describes Exchange’s ‘Autodiscover’ service as “providing an easy way for your client application to configure itself with minimal user input.” As an example, this would allow users to configure their Outlook client by only needing to provide their username and password.
Four years ago, in 2017, researchers warned that implementation issues related to ‘Autodiscover’ on mobile email clients could cause information to leak, and the vulnerabilities disclosed at the time were patched. However, further analysis conducted earlier this year showed that there are still serious problems with the design and implementation of ‘Autodiscover’.
The problem is related to a “back-off” procedure. When Autodiscover is used to configure a client, the client attempts to build a URL based on the email address provided by the user. The URL looks something like this: https://Autodiscover.example.com/Autodiscover/Autodiscover.xml or https://example.com/Autodiscover/Autodiscover.xml.
However, if none of the URLs respond, the back-off mechanism kicks in and attempts to contact a URL that has the following format: http://Autodiscover.com/Autodiscover/Autodiscover.xml.
Researchers explained further: “This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain.” The researchers registered nearly a dozen Autodiscover domains (e.g. Autodiscover.com.cn, Autodiscover.es, Autodiscover.in, Autodiscover.uk) and pointed them at a web server under their control. Across five months, their server captured more than 370,000 Windows domain credentials and over 96,000 unique credentials leaked from applications such as Outlook and mobile email clients.
The credentials came from a range of sources: publicly traded companies, food manufacturers, power plants, investment banks, shipping and logistics firms, real estate companies, and fashion and jewellery companies.
“This is a severe security issue, primarily because if an attacker can control such domains or has the ability to see traffic in the same network, they can then capture domain credentials in plain text (HTTP basic authentication) as they are being transferred. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these ‘Autodiscover’ TLDs,” researchers added.
Researchers have also devised an attack that can be used to downgrade a client’s authentication scheme, enabling attackers to obtain credentials in clear text. The client will initially attempt to use a secure authentication scheme which protects credentials against snooping, but the attack causes authentication to be downgraded to HTTP Basic authentication, where credentials are sent in clear text.
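The back-off walk described above, modelled in Python as an added example (this is not code from the article or from Microsoft). It enumerates the candidate Autodiscover URLs for a mailbox, flags the candidates that leave the user's own domain or travel over plain HTTP, and then runs the same check over a few constructed proxy log lines so that a defender can spot clients that have already walked off the organisation's domain. The back-off rule used here (drop the leftmost label of the mail domain) is an assumption that matches the two forms the article mentions, Autodiscover.com for example.com and Autodiscover.com.cn for a .com.cn domain; the log format and the `ORG_DOMAINS` set are also assumptions.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def candidate_urls(email):
    """Candidate Autodiscover URLs in the order the article describes:
    the organisation's own hosts over HTTPS first, then the plain-HTTP
    back-off host.  The back-off rule (drop the leftmost label of the
    mail domain) is an assumption made for this example."""
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    if len(labels) > 1:
        backoff = ".".join(labels[1:])          # example.com -> com
        urls.append(f"http://autodiscover.{backoff}{AUTODISCOVER_PATH}")
    return urls


def host_in_domains(host, domains):
    """True when host equals one of the domains or is a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def is_leaky(url, email):
    """True when a request to this URL would leave the user's own mail
    domain or use plain HTTP: the two conditions under which the article
    says credentials (HTTP Basic authentication) become exposed."""
    domain = email.rsplit("@", 1)[1].lower()
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme != "https" or not host_in_domains(host, {domain})


def leaky_candidates(email):
    """The subset of the candidate URLs that a defender should worry about."""
    return [u for u in candidate_urls(email) if is_leaky(u, email)]


# Assumed organisation mail domains; a real deployment would list all of them.
ORG_DOMAINS = {"example.com"}

# Constructed proxy log lines: "client_ip host scheme path".  Not real data.
SAMPLE_LOG = [
    "10.0.0.5 autodiscover.example.com https /Autodiscover/Autodiscover.xml",
    "10.0.0.5 example.com https /Autodiscover/Autodiscover.xml",
    "10.0.0.5 autodiscover.com http /Autodiscover/Autodiscover.xml",
    "10.0.0.7 autodiscover.example.com http /Autodiscover/Autodiscover.xml",
    "10.0.0.8 www.example.com https /index.html",
    "malformed line",
]


def find_autodiscover_leaks(log_lines, org_domains):
    """Return (client_ip, url) for every Autodiscover request that either
    left the organisation's domains or was sent over plain HTTP."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                              # skip lines we cannot parse
        client, host, scheme, path = fields
        if not path.lower().endswith(AUTODISCOVER_PATH.lower()):
            continue                              # not an Autodiscover request
        if scheme != "https" or not host_in_domains(host, org_domains):
            hits.append((client, f"{scheme}://{host}{path}"))
    return hits


if __name__ == "__main__":
    for url in candidate_urls("alice@example.com"):
        print(("LEAKY   " if is_leaky(url, "alice@example.com") else "ok      ") + url)
    for client, url in find_autodiscover_leaks(SAMPLE_LOG, ORG_DOMAINS):
        print(f"{client} -> {url}")
```

The same `find_autodiscover_leaks` check works as a proxy or DNS query filter: any client resolving or requesting an `autodiscover.<tld>` host, or any Autodiscover request over plain HTTP, is worth an alert, and blocking those hosts at the egress proxy removes the back-off target entirely.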
Neuways advises Microsoft Exchange users to update their systems with any patches or updates as soon as they are made available. Security issues and flaws, such as the one above, can be protected against with the use of patches, as software providers try to keep their services as safe and secure as possible.
Cyber criminals may be cheating each other!
A newly discovered backdoor could have enabled REvil’s ransomware-as-a-service operators to hijack victim cases and snatch affiliates’ cuts of ransom payments. Malware specialists researching newly available samples from REvil have identified a backdoor that may have enabled the original gang to hijack chats with victims so as to scoop up affiliates’ cut of ransom payments.
Researchers believe that the backdoor also allowed REvil operators to decrypt workstations and files. Backdoors and encryption are nothing new for a ransomware gang, but by using this particular backdoor, REvil could hijack cases while victims remain engaged in negotiations with the RaaS’s affiliates. This means REvil operators can filch affiliates’ cut of the pie, around 70% of ransom payments.
The payout is supposed to occur by an affiliate compromising a network and digging in to secure its presence, before REvil leadership hands them a payload of malware to infect that network. Then, if a victim pays the ransom, the affiliate is supposed to get 70% of it for doing all the dirty work of network compromise, data stealing and encryption. REvil leadership pockets the remaining 30% in exchange for providing the ransomware payload that the affiliates use to seize control of victims’ data and systems.
If the leadership decides to scam the affiliate instead of paying out, they pocket the entire financial revenue. Another set of researchers were already aware that REvil has been using double-chats: that’s when two identical chats are open with the victim, one by the affiliate and another by REvil leadership.
While there isn’t direct evidence of REvil leadership having used the backdoor to shut down the affiliate chat and to imitate a victim who’s decided to quit the negotiations without paying, before continuing to negotiate with the victim to get the full income, researchers still consider double chats and backdoors to be “significant evidence of REvil’s practices as affiliate scammers.”
Besides the double-chat setup, the backdoor itself may serve the same purpose of affiliate case hijacking, as it enables secret decryption of files when negotiations are complete.
Large scale phishing scam discovered by Microsoft
Microsoft has uncovered a large-scale, well-organised and sophisticated phishing-as-a-service (PhaaS) operation. The platform allows users to customise campaigns and develop their own phishing ploys so they can use the PhaaS platform to help with phishing kits, email templates and hosting services needed to launch attacks.
Microsoft researchers discovered the operation, marketed by criminals as ‘BulletProofLink’, when they found a high volume of newly created and unique sub-domains: more than 300,000 in a single run, according to a post by the Microsoft 365 Defender Threat Intelligence Team.
Researchers wrote: “This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign.”
With over 100 available phishing templates that mimic known brands and services, including Microsoft itself, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today.
As we know, phishing is an extremely common method for cyber criminals to trick people, through socially engineered emails, into giving up their credentials to online accounts that store sensitive data. Phishers use these emails, which often fool people by impersonating a trusted company, application or institution, to direct people to specially crafted phishing sites so they enter credentials, thinking they are doing so for a legitimate reason.
Phishing is often a gateway to further criminal activity; phishers sell credentials obtained through campaigns on the Dark Web, and they can be used by ransomware gangs as an entry point into networks to deliver ransomware attacks, among other nefarious activities.
BulletProofLink provides a starting point for people without significant resources to get into the phishing business. The group has been active since 2018 and maintains multiple sites under various aliases. The group leverages services such as YouTube and Vimeo offering instructional videos, advertisements and promotional materials.
While previously, criminals who wanted to launch these attacks resorted to building phishing emails and brand-impersonating websites on their own, “the phishing landscape has evolved its own service-based economy,” researchers said. Now attackers can just purchase all the resources and other infrastructure they need to launch phishing attacks without investing a lot of time or effort – in fact there are now two key offerings available to criminals who want to get into the phishing business: phish kits and phishing-as-a-service.
What does this mean for businesses? Ultimately, it’s not good news. The increased number of ‘wannabe’ phishers out there means that companies will be subjected to more cyber attack attempts, as the nefarious criminals attempt to seize control of your business’s IT systems and, in turn, try to extort money from you. The best way to move forward is to ensure your company has a Business Continuity & Disaster Recovery plan in place. This ensures that, if the worst were to happen, your business will be able to continue to stay operational, without any damaging downtime.
Malware is disrupting Android mobile devices
An Android malware called TangleBot has been discovered that can perform various malicious actions, including stealing personal information, controlling apps and device functions.
According to researchers, the newly discovered mobile malware is spreading via SMS messaging, through lures about COVID-19 boosters and regulations. The goal is to socially engineer targets into clicking on an embedded link, which then takes them to a website. The site tells users they require an “Adobe Flash update.” If they click on the boxes that follow, then this results in the installation of the TangleBot malware.
In propagation and theme, TangleBot resembles a lot of other mobile malware, such as the FluBot SMS malware that has targeted the U.K. and Europe. However, TangleBot’s wide-ranging access to mobile device functions is what sets it apart.
Researchers said: “TangleBot is named as such because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS, phone capabilities, call logs, internet access, [GPS], and camera and microphone.”
TangleBot grants itself privileges to access and control all of the above, meaning that the cyber criminals would now have the full capability to mount attacks with a staggering array of goals and objectives. For instance, attackers can manipulate the incoming voice call function to block calls and also make calls in the background, with victims left completely unaware. This is the perfect setup for premium number fraud, whereby the user is charged a high rate for making a call to an attacker-controlled toll number.
As well as all of this, TangleBot can also send, obtain and process text messages for SMS fraud, two-factor authentication interception, self-propagation to contacts and more. It also has deep spyware capabilities, with the ability to record camera, screen or microphone output, or stream it directly to the attacker.
And last but not least, researchers noted that the malware can take stock of installed applications and interact with them, as well as overlay screens on top of these to harvest credentials in the style of a banking trojan. Researchers said: “The ability to detect installed apps, app interactions and inject overlay screens is extremely problematic. As we have seen with FluBot, TangleBot can overlay banking or financial apps and directly steal the victim’s account credentials. The capabilities also enable the theft of considerable personal information directly from the device.”
That can be problematic for businesses, too, given that employees increasingly use personal devices for work.
Neuways advises users to employ safe messaging practices and avoid clicking on any links in texts, to avoid threats like TangleBot, even if they appear to come from a legitimate contact. They should also be careful when downloading apps and read install prompts closely, looking out for information regarding rights and privileges that the app may request. And finally, they should be wary of procuring any software from outside a certified app store, such as the Google Play Store, for Android users.