Neu Cyber Threats – 5th August 2021
Cyber criminals commandeering email marketing services to send lures to customers
Customers of a fast-food chain were recently hit by phishing lures and malicious links that redirected them to credential harvesting sites. A breach of the restaurant’s email marketing service allowed cyber criminals to commandeer the company’s email marketing efforts.
The researchers found 121 phishing emails sent from the compromised Mailgun account between July 13 and July 16. Two were vishing lures (emails carrying supposed voicemail attachments), 14 impersonated banks to harvest financial details, and the remaining 105 tried to redirect recipients to a spoofed Microsoft login page that harvested credentials.
The attackers used the breached email marketing account in much the same way Nobelium used an email marketing service in May 2021. In that instance the group breached Constant Contact's systems and took over its customers' accounts. There is no evidence that the same actors are behind this campaign; it appears to be a copy of an attack vector Nobelium had already shown to work. Nobelium has been busy during 2021, so it is no surprise that its techniques are being mimicked by other cyber criminals.
The group has been credited with the SolarWinds supply-chain compromise, which affected the U.S. government and a number of other organisations, and in late June the Microsoft Threat Intelligence Center reported that Nobelium was behind brute-force and password-spray attacks against Microsoft customers as part of ongoing efforts to gain footholds in target organisations.
Their efforts are part of a larger rise in phishing for Microsoft logins over the last 18 months: 45% of all phishing attacks in 2020 targeted Microsoft credentials, chiefly because of what they unlock. A Microsoft account can lead to other logins, trade secrets, financial details and other intelligence.
Neuways advises users to treat every email from a sender they do not recognise or are not expecting with extreme caution. Even a recognised sender address is no guarantee of legitimacy, as this attack shows: the mail came from the restaurant's genuine marketing service. If an email urges you to open a hyperlink or an attachment, the sender could well be a cyber criminal, and entering information on the page it leads to could hand them access to your business.
Malware creators using rarer code to evade detection
Malware authors are increasingly turning to less common programming languages such as Go, Rust, Nim and DLang to build new tools and hinder analysis, and the number of malware families written in these four languages is rising. The researchers chose these four to examine partly because they fit their detection methodologies, but also because the languages have strong community backing and can be considered mature.
These languages are no longer as rarely used as once thought: threat actors have begun adopting them to rewrite known malware families or to write tooling for new malware sets. In particular, researchers are tracking more loaders and droppers written in these languages. These first-stage components are designed to decode, load and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike payloads, and are commonly used to help threat actors evade detection on the endpoint.
Use of the legitimate Cobalt Strike red-teaming tool has exploded: its appearance in cyber attacks is up 161% year on year, having gone fully mainstream in the cyber crime world. Malware authors have a reputation for sticking with whatever works, but they pick up new programming languages for the same reasons as their law-abiding counterparts: a new language smooths out pain points in the development cycle, and it keeps their creations a step or two ahead of protection tools.
Researchers explained a number of reasons why using less common languages helps cyber attackers to successfully hack their victims:
- Making up for deficits in existing languages: malicious programmers may want something their current language lacks, be it simpler syntax, better performance or more efficient memory management. A new language might be the perfect tool for a given, targeted environment.
- Improving obfuscation: with exotic languages the language itself almost acts as obfuscation simply because it is new. Analysts and tooling have less experience with the binaries these compilers produce, so the choice of language can have a similar effect to traditional obfuscation and be used to bypass conventional security measures and hinder analysis.
- Cross-compilation more efficiently targets Windows & Mac: a developer can write one malware variant and cross-compile it for the multiple architectures and operating systems found in most businesses. Authors need fewer tools to target networks and can cast a wider net with less work.
In some cases, well-resourced cyber criminals are rewriting existing malware wholesale in new languages rather than just adding wrappers and loaders. To catch these multi-language malware families, the researchers suggested that software engineers and threat researchers stand a better chance with dynamic or behavioural signatures that tag behaviour from sandbox output, endpoint detection and response (EDR) telemetry or log data, rather than static signatures tied to one implementation.
Neuways advises that, as it will take time for malware analysis tools to catch up with these languages, businesses must remain proactive in defending against malware written in them. Industries and businesses should understand and keep tabs on these trends, as they are only going to grow.
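As an added example (not from the researchers' report or any tool it describes), here is a small Python triage helper for the static side of that advice: it scans a binary's raw bytes for runtime symbol names and toolchain strings that Go, Rust, Nim and D compilers typically leave behind, so an analyst can route a sample to the right tooling before behavioural analysis. The marker lists, the two-marker threshold and the sample blobs are assumptions constructed for this example; stripped or packed samples may carry fewer markers, so a hit is a hint rather than a verdict.

```python
"""Heuristic triage: which 'uncommon' toolchain built this binary?"""
from __future__ import annotations
import re

# Byte-string markers that Go, Rust, Nim and D toolchains commonly leave in
# compiled output (runtime symbol names, linker notes, embedded source paths).
# The selection is an assumption for this example and is not exhaustive.
MARKERS: dict[str, list[bytes]] = {
    "go":   [b"Go build ID:", b"go.buildid", b"runtime.gopanic",
             b"runtime.morestack", b".gopclntab"],
    "rust": [b"/rustc/", b"rust_panic", b"rust_begin_unwind",
             b"core::panicking", b"library/std/src/"],
    "nim":  [b"nimGC", b"stdlib_system.nim", b".nim.c",
             b"nimFrame", b"rawNewObj"],
    "d":    [b"_d_run_main", b"_d_throw", b"_D2rt", b"druntime",
             b"core.runtime"],
}
MIN_DISTINCT_HITS = 2   # assumed threshold: one string alone is too weak

GO_VERSION = re.compile(rb"go1\.\d+(?:\.\d+)?")          # e.g. go1.16.5
RUSTC_COMMIT = re.compile(rb"/rustc/([0-9a-f]{40})/")    # commit hash in panic paths


def count_markers(blob: bytes) -> dict[str, list[bytes]]:
    """Return, per language, the distinct markers present anywhere in blob."""
    return {lang: [m for m in marks if m in blob] for lang, marks in MARKERS.items()}


def guess_language(blob: bytes) -> str | None:
    """Name the language with the most distinct hits, or None below threshold."""
    hits = count_markers(blob)
    best = max(hits, key=lambda lang: len(hits[lang]))
    return best if len(hits[best]) >= MIN_DISTINCT_HITS else None


def toolchain_hint(blob: bytes) -> str | None:
    """Pull a version hint for the guessed language (Go version string,
    rustc commit hash); None when nothing recognisable is embedded."""
    lang = guess_language(blob)
    if lang == "go":
        m = GO_VERSION.search(blob)
        return m.group(0).decode() if m else None
    if lang == "rust":
        m = RUSTC_COMMIT.search(blob)
        return f"rustc {m.group(1).decode()}" if m else None
    return None


# Constructed stand-ins for file contents (not real samples): a few header
# bytes followed by the kind of strings each toolchain embeds.
SAMPLE_GO = (b"\x7fELF" + b"\x00" * 12
             + b"Go build ID: \"constructed-id\"\x00"
             + b"runtime.gopanic\x00runtime.morestack\x00go1.16.5\x00")
SAMPLE_RUST = (b"MZ\x90\x00" + b"\x00" * 12
               + b"rust_begin_unwind\x00core::panicking::panic\x00"
               + b"/rustc/0123456789abcdef0123456789abcdef01234567/library/std/src/io/mod.rs\x00")
SAMPLE_C = b"\x7fELF" + b"\x00" * 12 + b"__libc_start_main\x00printf\x00"

if __name__ == "__main__":
    for name, blob in [("go", SAMPLE_GO), ("rust", SAMPLE_RUST), ("c", SAMPLE_C)]:
        print(name, guess_language(blob), toolchain_hint(blob))
```

In practice you would feed `guess_language` the bytes of each file in a sample directory and send Go, Rust, Nim and D hits to analysts or tooling that understands those runtimes; a `None` result means only that none of the assumed markers survived, not that the binary is benign or written in C.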
Microsoft rushing fix through for new flaw
Microsoft was quick to respond to an attack named "PetitPotam", which can coerce remote Windows systems into authenticating to an attacker-controlled host and so expose NTLM authentication material that can be relayed or, where a weak password is involved, cracked. To thwart the attack, Microsoft recommends that administrators stop using the deprecated Windows NT LAN Manager (NTLM) authentication protocol where possible.
Researchers recently identified the flaw and published proof-of-concept (PoC) exploit code demonstrating the attack. Microsoft followed up with an advisory describing workarounds to protect systems.
PetitPotam abuses a Windows remote procedure call interface, the Encrypting File System Remote Protocol (MS-EFSRPC), which lets Windows systems perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network, subject to access control policies.
The PetitPotam PoC is an NTLM relay attack, a form of manipulator-in-the-middle (MitM) attack against Microsoft's NTLM authentication. The attacker connects to the target's MS-EFSRPC interface over Server Message Block (SMB) and issues a call that forces the target to initiate an NTLM authentication to the attacker's host. NTLM is a weak challenge-response protocol: the attacker can relay the captured exchange to another service in the target's name, or, for user accounts with weak passwords, attempt to crack the response offline. Because the coerced account is usually a machine account with a long random password, relay rather than cracking is the practical threat.
PetitPotam can be chained with an attack on Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality. The attacker coerces a domain controller (DC) into authenticating via MS-EFSRPC, relays the DC's NTLM authentication to the AD CS Web Enrollment pages, and enrols for a certificate in the DC's name. That certificate lets the attacker authenticate to domain services as the DC and compromise the entire domain.
In response to the public PoC, Microsoft issued guidance. It recommends disabling NTLM authentication on Windows domain controllers where possible and enabling Extended Protection for Authentication (EPA) on AD CS services. Microsoft added that organisations are vulnerable to PetitPotam if NTLM authentication is enabled in their domain and/or they run AD CS with the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" roles installed. Neuways recommends applying these mitigations.
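The relay step described above leaves a trace that defenders can look for. The following Python snippet is an added example, not from Microsoft or the researchers: it correlates two Windows Security events that an AD CS server would record, a network (type 3) NTLM logon for a domain controller machine account from an address that is not a domain controller (event 4624), followed within a few minutes by a certificate issued to that same account (event 4887). The DC inventory, the time window and the sample events are constructed assumptions; event 4887 is only written when the CA's certificate-request auditing is enabled, and a multi-homed DC whose addresses are not all in the inventory would produce false positives.

```python
"""Correlate coerced DC NTLM logons with certificate issuance on an AD CS host."""
from __future__ import annotations
from datetime import datetime, timedelta

# Assumed inventory for this example: DC machine accounts and the source
# addresses from which they legitimately authenticate.
DOMAIN_CONTROLLERS: dict[str, set[str]] = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}
WINDOW = timedelta(minutes=10)   # assumed: relay and enrolment happen back to back


def is_suspicious_dc_ntlm_logon(ev: dict) -> bool:
    """4624 network logon (type 3) over NTLM for a DC machine account
    coming from an address the DC does not own: the relay fingerprint."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName") != "NTLM":
        return False
    account = ev.get("TargetUserName", "")
    if account not in DOMAIN_CONTROLLERS:
        return False
    return ev.get("IpAddress") not in DOMAIN_CONTROLLERS[account]


def find_relay_to_adcs(events: list[dict]) -> list[dict]:
    """Pair each suspicious logon with a 4887 (certificate issued) for the
    same account within WINDOW; each pair is one alert."""
    logons = [e for e in events if is_suspicious_dc_ntlm_logon(e)]
    issued = [e for e in events if e.get("EventID") == 4887]
    alerts = []
    for logon in logons:
        for cert in issued:
            # 4887 'Requester' is DOMAIN\account; compare the account part.
            requester = cert.get("Requester", "").split("\\")[-1]
            if requester != logon["TargetUserName"]:
                continue
            delta = cert["TimeCreated"] - logon["TimeCreated"]
            if timedelta(0) <= delta <= WINDOW:
                alerts.append({
                    "account": logon["TargetUserName"],
                    "source_ip": logon["IpAddress"],
                    "request_id": cert.get("RequestId"),
                    "seconds_to_issue": int(delta.total_seconds()),
                })
    return alerts


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed events (not real logs), in the shape of the Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.10",
     "TimeCreated": ts("2021-07-26T11:58:00")},          # DC from its own address: benign
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC02$", "IpAddress": "10.0.0.99",
     "TimeCreated": ts("2021-07-26T11:59:00")},          # Kerberos, not NTLM: ignored
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.99",
     "TimeCreated": ts("2021-07-26T12:00:05")},          # DC01$ via NTLM from a non-DC host
    {"EventID": 4887, "Requester": "CORP\\DC01$", "RequestId": 1042,
     "Attributes": "CertificateTemplate:DomainController",
     "TimeCreated": ts("2021-07-26T12:00:07")},          # certificate issued to DC01$
    {"EventID": 4887, "Requester": "CORP\\WS07$", "RequestId": 1043,
     "Attributes": "CertificateTemplate:Machine",
     "TimeCreated": ts("2021-07-26T12:01:00")},          # ordinary workstation enrolment
]

if __name__ == "__main__":
    for a in find_relay_to_adcs(SAMPLE_EVENTS):
        print("ALERT possible NTLM relay to AD CS:", a)
```

On a live CA the same fields come from the Security log (for example via Get-WinEvent or a SIEM export); the alert fires only when both halves line up, so a single odd NTLM logon is reported as suspicious but not as a relay, and a DC that authenticates with Kerberos, as the mitigations above intend, never matches.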
Researchers advise a simple technique to evade hackers…turn it off and on again!
Researchers have advised a simple technique for smartphone users to keep their devices secure.
Step one: Turn off phone.
Step two: Turn it back on.
Amid widespread digital insecurity, it turns out that the oldest and simplest computer fix there is, turning a device off and back on again, can thwart hackers trying to steal information from smartphones. Regularly rebooting a phone will not stop the army of cyber criminals who have caused chaos and doubt about whether any information in our digital lives can be kept safe and private, but it does make even the most sophisticated hackers work harder to maintain access to a phone and steal data from it.
Rebooting a phone once a week gives users extra protection. While the number of people whose phones are hacked each year is unknown, the evidence suggests it is significant: a recent investigation into phone hacking by a global media consortium caused political uproar in France, India, Hungary and elsewhere after researchers found scores of journalists, human rights activists and politicians on a leaked list believed to be potential targets of an Israeli hacker-for-hire company.
The advice to periodically reboot reflects, in part, a change in how attackers gain access to mobile devices: the rise of so-called "zero-click" exploits, which work without any user interaction, instead of trying to get users to open a booby-trapped attachment or link.
Typically, once hackers gain access to a device or network, they look for ways to persist by installing malicious software in the device's root file system. Security improvements from Apple and Google have prevented most malware from reaching the core operating system, so attackers have turned to "in-memory payloads". These are harder to detect and to trace back to whoever sent them, but, crucially, they cannot survive a reboot. Attackers know this and often treat an infection as a one-time pull, exfiltrating the victim's chat messages, contacts and passwords before the access is lost.
The advice acknowledges that rebooting only works sometimes; it depends on the method the attackers are using. An even simpler way to make sure nobody is secretly turning on your phone's camera or microphone to record you is to not carry it with you at all.