Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats to help ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

SolarWinds hackers up to no good again

The SolarWinds hackers are striking again. The attackers, Nobelium, were infamous for using a bit of malicious code hidden within a software update by the cloud solutions company, SolarWinds, to launch a massive cyber attack.

According to Microsoft, one of the victims of the original SolarWinds hack, the group is targeting technology companies that resell and provide cloud services for customers: “Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain.”

“We believe Nobelium hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers.”

The hacker group hasn’t tried to exploit vulnerabilities in software, but instead has been using techniques like phishing and password spray to gain entry to targeted networks.

It has been reported that Nobelium’s latest hacking attempts were both unsophisticated and largely unsuccessful, unlike the SolarWinds campaign, which involved a complex intrusion via the software update and went on to impact a large but unknown number of victims. This latest spying campaign by the Russian cyber criminal group appears to be classic espionage: of the 141 companies notified by Microsoft, only 14 concluded there might have been a successful compromise, albeit with limited impact.

The targets — cloud service providers — have been particularly popular recently as threat actors focus on disrupting businesses’ supply chains to gain access to their customers and suppliers.

As ever, Neuways advises users to be wary of any emails received from unknown parties that ask the user to click on a hyperlink or open a document. These could contain malware that can exploit and infiltrate your business’s corporate network – leading to an untold amount of damage.


Cyber crime group taking advantage of old Microsoft Office flaw

A “lone wolf” cyber crime group is exploiting a Microsoft Office flaw that is over 20 years old to deliver a barrage of commodity remote access trojans (RATs) to businesses across the world.

Attackers use lures in the campaign that target mobile devices with out-of-the-box RATs such as dcRAT, QuasarRAT for Windows and AndroidRAT. The RATs are also delivered in malicious documents that exploit the flaw, which is tracked as CVE-2017-11882.

CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, just two years ago attackers were seen exploiting the bug, which allowed them to run malicious code automatically without requiring any user interaction.

The advanced persistent threat (APT) behind the campaign uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase, added in later versions of the campaign, that deploys the ultimate RAT payload. The campaign reflects an increasing trend among both cyber criminals and APTs to use commodity RATs instead of custom malware against victims, for a number of reasons, researchers said.

Researchers said: “Using commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution and data exfiltration – while they act as excellent launch pads for deploying additional malware against their victims.” Using commodity malware also saves attackers the time and resources needed to develop custom malware.

Neuways advises users of Microsoft Office to be wary of any potential threat campaigns that they come into contact with. It is advisable to look out for any security updates and patches Microsoft issues to help fix the flaw.


Researchers release free BlackByte decryption tool

Security experts have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files – meaning victims avoid having to pay an expensive ransom.

Researchers explained that they uncovered an “odd” design decision in the BlackByte ransomware’s encryption algorithm: “Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.”
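As an added illustration of the key-reuse weakness the researchers describe (this is a model written for this page, not BlackByte’s code or Trustwave’s decryptor): one downloaded blob is the static AES key for every file in every session, so recovering that blob alone recovers every file sealed with it. The SHA-256 key derivation, the CTR mode and the prepended IV are assumptions; the page only says the raw key is used with AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// blockFor models the reported weakness: one downloaded .PNG blob is the key
// for every file in every session (hashing it to an AES-256 key is assumed).
func blockFor(blob []byte) cipher.Block {
	key := sha256.Sum256(blob)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // unreachable: a 32-byte digest is always a valid AES key
	}
	return block
}

// sealAll models the weak design: a static key for all files, used in AES-CTR
// (assumed mode; the page only says "AES") with a random IV prepended per file.
func sealAll(blob []byte, files map[string][]byte) (map[string][]byte, error) {
	block, out := blockFor(blob), make(map[string][]byte, len(files))
	for name, plain := range files {
		buf := make([]byte, aes.BlockSize+len(plain))
		if _, err := io.ReadFull(rand.Reader, buf[:aes.BlockSize]); err != nil {
			return nil, err
		}
		cipher.NewCTR(block, buf[:aes.BlockSize]).XORKeyStream(buf[aes.BlockSize:], plain)
		out[name] = buf
	}
	return out, nil
}

// recoverAll is the defender's side: the same blob alone opens every file sealed with it.
func recoverAll(blob []byte, sealed map[string][]byte) (map[string][]byte, error) {
	block, out := blockFor(blob), make(map[string][]byte, len(sealed))
	for name, data := range sealed {
		if len(data) < aes.BlockSize {
			return nil, fmt.Errorf("%s: too short to hold an IV", name)
		}
		plain := make([]byte, len(data)-aes.BlockSize)
		cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(plain, data[aes.BlockSize:])
		out[name] = plain
	}
	return out, nil
}
```

Had the key been generated fresh per session and never stored retrievably, the recovered blob would open nothing, which is why this design choice is what made a free decryptor possible.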

It’s not uncommon for ransomware gangs to claim that, prior to their corporate victims’ data being encrypted, it was stolen and will be sold to other online criminals if a ransom is not paid. BlackByte is exactly the same in this regard. Victims are directed towards a site on the Dark Web where it appears their data is being prepared for sale in an online auction.

However, according to the security researchers, the ransomware does not contain any functionality to exfiltrate data, and the claim may be made simply to scare victims into paying.

The free BlackByte decryptor tool claims to take advantage of the ransomware’s design weakness and can be downloaded from GitHub. Perhaps predictably, the BlackByte ransomware gang has responded to Trustwave’s release of the decryptor tool and has published a message on its website warning victims not to use it. While there is nothing to the cyber criminals’ claims, it must be said that securely backing up your data before running the decryption tool is advisable.

To avoid becoming the victim of cyber criminals, Neuways advises the use of a Business Continuity & Disaster Recovery plan. The backup procedures that are put in place allow businesses to stay in control of their future. If a company were the victim of a cyber attack, or a physical incident, such as a fire or flood, for example, then recently secured backups of its data would be on hand. This data would’ve been saved recently, and, critically, is tested to ensure it can be successfully restored and used at short notice.

Encrypted call feature added to Teams

Microsoft have announced that businesses can now allow their employees to make one-to-one calls on Teams that are protected by end-to-end encryption.

After being initially announced earlier in 2021, end-to-end encryption is now rolling out to public preview. Businesses can take advantage, but their IT administrators will be required to manually enable the feature. When used, conversations are encrypted in a way that prevents anyone, including Microsoft, from intercepting them. However, only the real-time media flow, which includes video/voice data, is encrypted end-to-end, and users on both ends of the call will need to enable it.

End-to-end encryption is available for Teams on Windows, macOS, Android and iOS, and once it has been enabled for an account it can be used across all of a user’s devices. An end-to-end encryption indicator is displayed during a call so that the user knows their conversation is protected. If users need to use Teams features that are not covered by end-to-end encryption — this includes recording, live caption and transcription, call transfer and merge, and group calls — they have to temporarily disable the feature.

Microsoft said: “In normal call flows, negotiation of the encryption key occurs over the call signalling channel. In an end-to-end encrypted call, the signalling flow is the same as a regular one-to-one Teams call.”

Microsoft added that even though end-to-end encryption is currently only available for one-to-one calls, other features such as group calls and chats are still protected by Microsoft 365 encryption. The company plans on adding the encryption to online meetings as well at some point in the future.

Neuways customers can contact their Account Managers to discuss adding end-to-end encryption to their existing Microsoft Teams set-up.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.