Neu Cyber Threats – 4th March 2021
It’s been discovered that owners of Gmail accounts are being targeted by a customised, malicious Mozilla Firefox browser extension called FriarFox.
The threat campaign was observed in early 2021. The attackers aim to gather information on victims by snooping on their Firefox browser data and Gmail messages, and have the ability to search, read, label, delete, forward and archive emails, receive Gmail notifications and send mail from the compromised account. With their Firefox browser access, they could access user data for all websites, display notifications, read and modify privacy settings, and access browser tabs.
It’s thought that the attack originated in phishing emails first detected in January, with religious organisations being impersonated in an attempt to gain credentials from targets. The emails contained a malicious URL presented as a YouTube page (hxxps://you-tube[.]tv/). Rather than the video platform, however, the link sent recipients to a fake Adobe Flash Player update-themed landing page, where the download of the malicious browser extension began.
Once the download is initiated by the fake website, users are prompted to add the browser extension by approving its permissions; the extension claims to be ‘Flash update components’. Users who are not running Firefox or not logged into Gmail can still be affected. In one instance, a user who did not have an active Gmail session and wasn’t using Firefox was redirected to the legitimate YouTube login page after visiting the fake Adobe Flash Player landing page. It was determined that the attackers were attempting to access an active domain cookie in use on the site.
Businesses should ensure their employees are regularly engaging with Phishing Awareness Training so that they do not fall for any phishing emails the business receives. With many companies receiving a variety of different phishing emails on a daily basis, it’s important they are disposed of correctly to ensure the business’ confidential data is kept secure.
Microsoft users are receiving emails that purport to be from the couriers FedEx and DHL but are designed to steal their credentials. The two recent phishing campaigns have been found to target at least 10,000 Microsoft email users, and both aim to swipe work email credentials. They also use phishing pages hosted on legitimate domains, including Quip and Google Firebase, which allows the emails to slip past email security filters.
The email subject line, sender names and content did enough to mask their true intentions, with victims fooled into thinking the emails were really from FedEx and DHL Express. Depending on the content of the email, such as action required on a missed DHL delivery, most users may well take quick, urgent action on these emails instead of studying them in detail for any inconsistencies.
The FedEx email contained some information about a ‘missed’ document to make it seem legitimate, such as its ID, number of pages and type of document, alongside a link to view the supposed document. If the recipients clicked on the link, they would be taken to a file hosted on Quip, a free tool for Salesforce that offers documents, spreadsheets, slides, and chat services.
This page contained the FedEx logo and was titled ‘You have received some incoming FedEx files.’ It included a link for victims to review the document, which then took them to a phishing page resembling the Microsoft login portal, hosted on Google Firebase, a platform cyber criminals have found helps them evade detection. If a victim enters their credentials on the page, the login portal reloads with an error message asking the victim to enter correct details, which could help the attackers harvest further email addresses and passwords.
The DHL scam was similar and attempted to phish users’ Adobe credentials with a fake login page to view a PDF document. The number of consumers using delivery services such as DHL and FedEx for online shopping is at an all-time high due to COVID-19. Businesses are continuing to use the services too, which makes both of these phishing emails particularly viable threats to companies.
If your business receives any email communications that claim to be from a delivery service, it is always worth checking with anybody within the company who uses delivery services to send/receive items from customers or suppliers. For example, your business might receive communications from FedEx when it has never used FedEx at all! One check could prevent the theft of email account credentials for the entire business.
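A defender-side triage check for the pattern described above (a courier brand named in the sender or subject while the mail does not come from that courier’s domain, and links parked on Quip or Google Firebase), added here as an example and not code from the original article; the courier domains and the Quip/Firebase hostname suffixes are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Courier brands impersonated in the campaigns above, mapped to the domains
# their genuine notifications come from (the domain list is an assumption).
COURIER_DOMAINS = {"fedex": ("fedex.com",), "dhl": ("dhl.com",)}
# Legitimate services the article says hosted the phishing pages; the
# hostname suffixes for Quip and Firebase Hosting are assumptions.
ABUSED_HOSTS = ("quip.com", "firebaseapp.com", "web.app")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _matches(host: str, suffixes) -> bool:
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _plain_text(msg) -> str:
    """Concatenate the text/plain parts (walk() yields a single-part message itself)."""
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def triage(raw_email: str) -> List[str]:
    """Return the phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    header_text = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    # 1. A courier brand is named in the sender/subject, but the mail is not
    #    sent from that courier's own domain.
    for courier, domains in COURIER_DOMAINS.items():
        if courier in header_text and not _matches(sender_domain, domains):
            findings.append(f"{courier} impersonation from {sender_domain}")
    # 2. The "view document" link is hosted on a legitimate third-party
    #    service, the trick used to get past reputation-based mail filters.
    for url in URL_RE.findall(_plain_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if _matches(host, ABUSED_HOSTS):
            findings.append(f"link hosted on abused service: {host}")
    return findings

# Constructed sample lure modelled on the FedEx campaign (not a real artefact).
LURE = """\
From: FedEx Express <notice@courier-alerts.example>
Subject: Missed FedEx document delivery
Content-Type: text/plain

Document ID 48213, 2 pages, PDF. View it here: https://quip.com/CONSTRUCTED-DOC-ID
"""
```

Running `triage(LURE)` returns both indicators, while a genuine notification sent from fedex.com with links to fedex.com returns an empty list.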
Cyber criminals are taking advantage of more businesses migrating their systems to Microsoft 365 by using Outlook, Teams and other Microsoft-themed phishing lures to swipe user credentials. Almost half of all phishing attacks in 2020 attempted to swipe credentials using Microsoft-related lures – from the Office 365 enterprise service lineup to the Teams collaboration platform.
Of those phishing emails, 45 percent were Microsoft-themed. Cyber criminals appear to be relying on Microsoft-themed lures for their emails, as well as sending victims links to phishing landing pages that either spoof or leverage legitimate Microsoft domains or services. The remainder of all malicious emails were focused around business email compromise (BEC) attacks or for malware delivery.
The malicious emails have varied in content, from SharePoint-style notifications such as “Mike wants to share a document with you” to an attached file containing a website link that asks users to log in with their Microsoft account credentials. An attack in December used embedded URLs that redirected to fake, never-seen-before Microsoft Office 365 phishing pages. Emails impersonating businesses like eFax, an internet fax service that allows users to receive faxes via email or online, were also commonplace.
Other cloud providers, such as Google (including Google Forms), Adobe and file-sharing services, are the next most popular brands cyber criminals masquerade as to dupe recipients.
To avoid many of these Microsoft-themed lures, Neuways advises that businesses ensure all of their staff are using multi-factor authentication (MFA) to boost their cyber security defences. Rather than relying on a single email and password combination, MFA also requires a code sent to the user’s registered phone number before access is granted. This helps to keep cyber criminals from breaking in and exploiting business systems even if they successfully manage to phish an employee for their account credentials.
A new cyber crime group, called LazyScripter, has been identified. The group went unidentified for around two years before being noticed in December 2020. Their most recent cyber attack uses a phishing lure that mimics a new passenger processing tool for the aerospace industry.
One of the earliest attacks retrospectively attributed to LazyScripter, dating from 2018, targeted users who wanted to migrate to Canada. Since then, the group has evolved its tools to include PowerShell exploits and the Koadic and Octopus RATs. Also used were the LuminosityLink, RMS, Quasar, njRat and Remcos Remote Access Trojans (RATs). This shows that the group has considerable cyber criminal expertise, being able to use and adapt a wide range of dangerous tools.
Their lures typically use job-related themes. Their phishing emails carry either archive or document files containing a variant of a loader. Once the user opens this document, the loader can install and begin exfiltrating the business’ data to a remote server. Researchers have identified 14 malicious documents that the threat actor has used over the past three years, all carrying embedded objects that are variants of the KOCTOPUS or Empoder loaders. These loaders have also been found in use by other cyber crime groups, hinting that LazyScripter has sold its tools on the Dark Web over the past few years.
The best way to avoid RATs affecting your business is to ensure that any new applications downloaded by users are ratified by an administrator at the business. They can verify the validity, as well as the need, of the programme for the user on a case-by-case basis. This ensures no RATs, which find their way onto users’ systems by masquerading as legitimate-looking programmes, will find their way onto a business’ systems.