Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cyber security threats so that you stay safe online.

Here are the most prominent threats which you should be aware of:


Kaseya software flaw affects customers around the world

Cyber criminals are disrupting businesses all around the world by targeting the IT management software supplier Kaseya. By exploiting a previously unknown vulnerability in Kaseya's VSA product, which managed service providers use to administer their customers' systems, the criminals pushed ransomware out through those providers and are causing downtime at businesses across many different industries. The Russia-linked REvil ransomware gang has claimed responsibility and is demanding around £50 MILLION in Bitcoin in return for a universal decryptor that would unlock all of the victims' files.

The organisations affected include supermarkets, schools, technology and manufacturing companies. While full details of the attack are not yet clear, the attackers appear to have used a zero-day flaw in the VSA software itself rather than stolen credentials or phishing. Kaseya had been working with the security researchers who reported the issue to it, but the criminals struck before a fix was released. The UK's National Cyber Security Centre (NCSC) has called the attack "unprecedented" and has noted that because many businesses routinely pay much smaller ransoms, ransomware gangs have been able to fund and step up their criminal operations.

More worrying still, although only around 40 of Kaseya's direct customers are thought to have been affected, the total number of businesses impacted is estimated at around 200. That is because Kaseya's customers are largely managed service providers: a single compromised VSA server could push the ransomware to every endpoint that provider manages, and once inside those networks the attackers could escalate their privileges, move laterally and, in some cases, obtain the supplier and customer lists of the businesses they hit. The result has been a sustained period of disruption, with supermarkets having to close and businesses losing thousands, if not hundreds of thousands, of pounds in downtime.

So the victims of this latest attack are not only at risk of having their business data published if they do not pay the ransom, but are also losing money with every hour that they cannot operate normally. Note that this attack did not arrive by phishing: it came through a trusted supplier's software, which is exactly the kind of entry point that user vigilance alone cannot stop. Neuways advises several ways to limit the long-term effects of ransomware however it arrives. Phishing Awareness Training remains a necessity, so that staff know what to look for when it comes to spotting potential cyber crime, but a Business Continuity and Disaster Recovery plan is what keeps the business working when prevention fails. With backups kept in different locations, including at least one copy that is offline or otherwise unreachable from the production network (ransomware gangs routinely try to delete or encrypt any backups they can reach first), and with restores tested regularly, recent company data can be recovered quickly and the business can continue operating.

Contact Neuways today to discuss the benefits a Business Continuity and Disaster Recovery plan could bring to your business. Call 01283 753 333 or email hello@neuways.com.

Over ONE BILLION LinkedIn records scraped by hackers

Business network LinkedIn has been bombarded by data-scraping operations, and evidence has surfaced on a popular hacker forum that the vast amount of lifted data is being collated and refined to identify specific targets.

The latest data scrape came to light when cyber criminals posted the personal data contained in some 700 million LinkedIn user profiles on the Dark Web. The operators later boosted the listing to a purported 1 billion records, according to researchers, following an earlier scrape in April that exposed around 500 million LinkedIn users. The result is that well over a billion records, personal and professional, are out there waiting to be turned against users in future phishing, ransomware, display-name spoofing or other attacks.

Recently, a database containing the personal information of 88,000 business owners gleaned from the latest LinkedIn data scrape was shared. The data included full names, email addresses, work details and any other information publicly listed on LinkedIn. While LinkedIn has acknowledged the abuse of its users' data, it points out that this is not technically a breach, since the information was public:

“Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed. We want to be clear that scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”

Accountability matters for future prevention, but once the data is scraped, organised and released there is little that can be done to put the genie back in the bottle. Data scraping is the automated extraction of data from websites, typically at a scale and for purposes that neither the site nor the individuals concerned have agreed to. It is dangerous because it exposes users' personally identifiable information (PII) and undermines their privacy, even when each individual field was already public. As mentioned, scraped data gives cyber criminals what they need to mount further attacks, and in particular lets them craft very convincing spear-phishing messages.

LinkedIn isn't the only social media network to suffer. In April, it was revealed that the data of more than 533 million Facebook users had been scraped in September 2019. But LinkedIn's public data is more valuable to threat actors, because the links it exposes into business networks are more fruitful for cyber criminals. Job title and current employer are especially useful: if that information can be scraped at scale, an attacker can determine where everyone works and where everyone sits in the organisation chart, build a detailed picture of how a business operates, and then exploit it, for example by impersonating a named manager in a fraudulent payment request.

The worst-case scenario is that these massive troves of data are being aggregated and used by threat actors to make their attacks more personalised and potent, which is what appears to be happening to the lifted LinkedIn profile data of those 88,000 business owners whose data was just released into the cyber crime ecosystem.

Neuways advises users to protect themselves from attacks that originate in data scraping by keeping personally identifiable information off social media (and restricting who can see the profile details that must remain), by enabling multi-factor authentication (MFA) on their accounts so that a leaked email address and a guessed or reused password are not enough for a takeover, and by remaining vigilant about identifying potentially malicious communications, including texts, email, voice messages and in-platform messaging services.

Cyber criminals using legitimate tool to spread ransomware

The use of Cobalt Strike – a legitimate tool used by network penetration testers – by cyber criminals has surged, according to researchers, who say that the tool has now gone “fully mainstream in the crime world.”

The researchers have tracked a year-on-year increase of 161% in the number of real-world attacks where Cobalt Strike has appeared. They’ve witnessed the tool being used to target tens of thousands of organisations, wielded by more cyber criminals and general-commodity malware operators.

Cobalt Strike's implant, called Beacon, is placed on a compromised host and periodically "calls home" to the operator's team server to collect tasks and return results. Used as intended, that lets a penetration tester simulate a real intrusion, but cyber criminals use the same implant to exfiltrate data, deliver further malware and, through its configurable "Malleable C2" profiles, make the command-and-control (C2) traffic resemble legitimate web services so that it slips past detection filters.

When it comes to how threat actors are attempting to compromise hosts, Cobalt Strike is increasingly being used as an initial access payload, as opposed to being a second-stage tool that’s used after attackers have gained access, researchers found. In fact, “the bulk” of Cobalt Strike campaigns in 2020 were pulled off by cyber criminals. Cobalt Strike Beacon was even one of the many tools used as part of the vast malware arsenal in the sprawling SolarWinds supply-chain attacks. In January, researchers unmasked a piece of SolarWinds-related malware, dubbed Raindrop, used in targeted attacks after the effort’s initial mass Sunburst compromise. Researchers identified Raindrop – a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks – as one of the tools used for follow-on attacks.

The tool has been around since 2012, and researchers have noted its use in real attacks since 2016. The majority of Cobalt Strike campaigns seen between 2016 and 2018 were attributed to well-resourced cybercrime gangs or APT groups. That ratio has since dropped: in the following years just 15% of Cobalt Strike campaigns were attributed to known threat actors, with the rest coming from a much broader pool of operators.

Criminals do not need to buy the tool from its vendor. They can obtain copies on Dark Web and hacking forums, or get their hands on cracked, illegitimate versions of the software. In March 2020, one such cracked version of Cobalt Strike 4.0 was made available to threat actors; a one-year licence for the cracked version was reportedly selling for around £30,000.

The Cobalt Strike campaigns are as diverse as the operators who run them, employing a variety of lures, threat types, droppers, payloads, attack paths and use cases. While use of the tool as an initial payload has spiked, it remains popular as a second-stage payload too. It has been used alongside malware such as The Trick, BazaLoader, Ursnif, IcedID and many other popular loaders, researchers wrote, where the first-stage malware that sneaks in the door then loads and executes Cobalt Strike.

Besides network discovery and credential dumping, Cobalt Strike Beacon can also escalate privileges, load and execute additional tools, and inject those capabilities into existing running host processes as it tries to evade detection.

Neuways advises users to beware of unexpected communications, including links to file-sharing services such as Dropbox or Google Drive, as these are commonly used lures for the loaders that bring Cobalt Strike in. Businesses should also make sure their endpoint protection and network monitoring can spot Beacon's own behaviours, such as regular "check-in" traffic to a single external host and injection into legitimate processes, because a clean-looking C2 profile will not trip simple blocklists. As cyber criminals alter their tactics, expect further different types of cyber attack to be sent to businesses as they try to dupe victims into giving them access to their corporate networks.
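As an added example (not code from the Neuways article, and not part of Cobalt Strike), the following PowerShell shows one practical way to hunt for the behaviour described above. A Beacon that sleeps and then checks in with its team server produces requests to the same host at near-constant intervals, whereas a person browsing produces bursts and long gaps, so the ratio of standard deviation to mean of the inter-request interval separates the two. The log format, field order, hostnames and IP addresses below are assumptions constructed for this example, and Get-BeaconCandidates is this example's own function, not a Windows or Cobalt Strike component.

```powershell
# Added example for this article. Assumed input: one HTTP request per line, in the form
#   <ISO-8601 timestamp> <client-ip> <destination-host> <method> <uri>
# The sample lines are constructed: the first client checks in roughly every 60 seconds
# (a sleeping Beacon), the second is an ordinary, bursty browsing session.
$SampleLog = @'
2021-07-05T09:00:00 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:01:01 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:02:00 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:02:59 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:04:01 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:05:00 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:06:00 10.10.4.21 update-cdn.example.net GET /jquery-3.3.1.min.js
2021-07-05T09:00:12 10.10.4.33 www.example.com GET /
2021-07-05T09:00:14 10.10.4.33 www.example.com GET /news
2021-07-05T09:03:40 10.10.4.33 www.example.com GET /about
2021-07-05T09:15:02 10.10.4.33 www.example.com GET /contact
2021-07-05T09:15:05 10.10.4.33 www.example.com GET /news/item-7
2021-07-05T09:41:19 10.10.4.33 www.example.com GET /
'@

function Get-BeaconCandidates {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$MinRequests = 6,      # too few samples give meaningless statistics
        [double]$MaxJitter = 0.25   # std-dev / mean of the check-in interval
    )

    # Parse each line into an object; skip blank or malformed lines instead of aborting.
    $events = foreach ($line in $LogLines) {
        $fields = $line.Trim() -split '\s+', 5
        if ($fields.Count -lt 5) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact($fields[0], "yyyy-MM-dd'T'HH:mm:ss", [cultureinfo]::InvariantCulture)
            Src  = $fields[1]
            Dst  = $fields[2]
            Uri  = $fields[4]
        }
    }

    foreach ($pair in ($events | Group-Object -Property Src, Dst)) {
        if ($pair.Count -lt $MinRequests) { continue }

        $times = @($pair.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        $intervals = for ($i = 1; $i -lt $times.Count; $i++) {
            ($times[$i] - $times[$i - 1]).TotalSeconds
        }

        # Coefficient of variation: a browsing session is bursty (large value), a sleeping
        # Beacon is metronomic (small value, widened only by its configured jitter).
        # Computed by hand so the script also runs on Windows PowerShell 5.1,
        # whose Measure-Object has no -StandardDeviation switch.
        $mean  = ($intervals | Measure-Object -Average).Average
        $sumSq = 0.0
        foreach ($x in $intervals) { $sumSq += ($x - $mean) * ($x - $mean) }
        $stdDev = [math]::Sqrt($sumSq / $intervals.Count)
        $jitter = if ($mean -gt 0) { $stdDev / $mean } else { 0 }

        if ($jitter -le $MaxJitter) {
            [pscustomobject]@{
                Source      = $pair.Group[0].Src
                Destination = $pair.Group[0].Dst
                Requests    = $pair.Count
                MeanSeconds = [math]::Round($mean, 1)
                Jitter      = [math]::Round($jitter, 3)
                DistinctUri = ($pair.Group.Uri | Sort-Object -Unique).Count
            }
        }
    }
}

# On the sample above only 10.10.4.21 -> update-cdn.example.net is reported
# (7 requests, mean interval 60 s, jitter about 0.02, a single URI).
Get-BeaconCandidates -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Run it in Windows PowerShell 5.1 or PowerShell 7 against lines exported from a proxy or firewall log, adjusting the parse step to the real field order. The jitter threshold is deliberately loose because Beacon's sleep command takes a jitter percentage (for example `sleep 60 20` randomises a 60-second interval by up to 20%). An operator who sets a very high jitter, runs Beacon interactively with no sleep, or tunnels over DNS will not be caught this way, so treat hits as leads to investigate rather than verdicts, and look at the DistinctUri column: a "CDN" that only ever serves one file to one client is worth a second glance.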


Critical Windows Print Spooler bug: leaked exploit code spreading online

A proof-of-concept exploit for a critical Windows security vulnerability that allows remote code execution (RCE) was published online. It was taken down within a few hours, but not before the code had been copied and re-distributed.

The bug (CVE-2021-1675) exists in the Windows Print Spooler and has been dubbed "PrintNightmare" by researchers. It was originally addressed in June's Patch Tuesday updates from Microsoft as a minor elevation-of-privilege vulnerability, but the listing was updated last week after researchers realised it could be used for RCE. Microsoft has since assigned the remote code execution variant its own identifier, CVE-2021-34527, and it is that issue the out-of-band update mentioned below addresses.

Researchers said: “There are 40 entries in Microsoft’s list of affected products, from Windows 7 to Windows 10 and from Server 2008 to Server 2019. Given this broad surface, it is likely that this vulnerability will become an element in the tool chain of current malware families.”

Successful exploitation could open the door to complete system takeover by remote adversaries. Achieving that does, however, require the attacker to authenticate to the target's Print Spooler service, because the vulnerable driver-installation call is only reachable by authenticated users. Based on the information available, any low-privileged domain account is enough: an attacker holding one could run code as SYSTEM on any reachable machine with the spooler enabled, domain controllers included, before pivoting to other areas of the target network.

Microsoft updated its advisory to note the potential for RCE but did not update the CVSS rating, despite noting that exploitation would require only "low complexity". For their part, researchers are treating PrintNightmare as "critical".

Windows Print Spooler has a long history of vulnerabilities, and because the service runs by default on almost every Windows machine, a flaw in it can have serious impact. Last year's CVE-2020-1337, for instance, was a zero-day that turned out to be a patch bypass for CVE-2020-1048, another Print Spooler vulnerability that Microsoft had fixed in May 2020. Now that proof-of-concept code has leaked in various locations, researchers expect this vulnerability to be folded into malware toolchains soon.

While the current Microsoft-issued patch may not be completely effective, there are actions that can be taken, such as taking the Print Spooler service offline on machines that do not need to share printers, or leaving it running for local printing but blocking inbound remote connections to it. Another point of interest is that on endpoints where file and printer sharing is not enabled, the default Windows Firewall rules block the inbound RPC path, so many workstations are already protected from the remote variant; that does not help against the local privilege-escalation variant, nor on servers and domain controllers that do expose the service.
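As an added example (not code from the Neuways article or from Microsoft), the following PowerShell applies the two workarounds just described on a single host: disabling the Print Spooler outright, or leaving it running for local printing while stopping it from accepting remote connections. It also reports the Point and Print registry values that Microsoft's guidance for CVE-2021-34527 says must be 0 or absent, because with either set to 1 a patched spooler is still exploitable. The service name, policy path and value names are the real Windows ones; the -Mode switch, the Get-SpoolerState helper and the shared-printer check are this example's own design.

```powershell
<#
  Added example for this article, not Microsoft's code. Run in an elevated
  PowerShell 5.1 or later on the host you want to harden. The default mode
  only reports, so it is safe to run first on a fleet and decide per host:
  a print server needs the service, a workstation or domain controller rarely does.
#>
param(
    [ValidateSet('Audit', 'Disable', 'LocalOnly')]
    [string]$Mode = 'Audit'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$papKey    = Join-Path $policyKey 'PointAndPrint'

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Get-Printer comes with the PrintManagement module (Windows 8 / Server 2012 and later);
    # on Windows 7 it is absent, so the shared-printer list is simply left empty there.
    $shared = if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared } | Select-Object -ExpandProperty Name)
    } else { @() }
    [pscustomobject]@{
        Status          = $svc.Status
        StartType       = $svc.StartType
        SharedPrinters  = $shared
        RemoteRpc       = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
        NoWarnNoElevate = (Get-ItemProperty -Path $papKey -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
        UpdatePrompt    = (Get-ItemProperty -Path $papKey -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings
    }
}

$before = Get-SpoolerState

# These two values must be 0 or not defined; a value of 1 lets non-admins install
# printer drivers without a prompt and re-opens the hole even on a patched system.
if ($before.NoWarnNoElevate -eq 1 -or $before.UpdatePrompt -eq 1) {
    Write-Warning 'Point and Print restrictions are relaxed (NoWarningNoElevationOnInstall or UpdatePromptSettings = 1); the patch does not protect this host until they are set to 0 or removed.'
}

switch ($Mode) {
    'Audit' { }   # report only
    'Disable' {
        if ($before.SharedPrinters.Count -gt 0) {
            Write-Warning ('This host shares printers ({0}); disabling the spooler will break printing for its clients. Use -Mode LocalOnly instead.' -f ($before.SharedPrinters -join ', '))
            break
        }
        if ($before.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
    }
    'LocalOnly' {
        # Same effect as the Group Policy "Allow Print Spooler to accept client connections"
        # set to Disabled: the spooler stops registering its remote RPC endpoint, closing the
        # remote attack path while local printing keeps working.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
    }
}

Get-SpoolerState | Format-List
```

The LocalOnly mode leaves the local privilege-escalation variant in place, so it is a stop-gap for hosts that genuinely must keep printing until the fix is confirmed installed; anything that does not print at all, domain controllers above all, should use Disable. Whichever mode you pick, push it through your RMM or Group Policy rather than by hand so that the setting survives rebuilds and is easy to audit.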

Neuways wishes to advise its customers that it is deploying the Microsoft out-of-band patch that has just been released to prevent the issue causing any damage. If you are not a Neuways customer, please contact your Managed Service Provider to discuss whether or not you are protected from this dangerous vulnerability.

WhatsApp users warned to stay vigilant as number of hacked accounts increases

WhatsApp users have been warned to be wary of messages that appear to come from the service, as fraudsters attempt to steal their accounts. Many users have been receiving verification codes via SMS despite not having requested one, which is a sign that someone else is trying to register their number.

Whenever someone registers a WhatsApp account on a phone, they give WhatsApp a phone number. WhatsApp then sends an SMS verification code to that number to confirm that it is active and that the person registering really controls it.

The worry is that cyber criminals contact WhatsApp users and ask them to forward the six-digit verification code that has just been sent to their phone. They often masquerade as WhatsApp customer service staff to try and dupe the victims into giving away access to their accounts.

WhatsApp’s website warns of keeping verification codes top secret, and that they would never require a user to give it to them: “You should never share your WhatsApp verification code with others. If someone is trying to take over your account, they need the SMS verification code sent to your phone number to do so. Without this code, any user attempting to verify your number can’t complete the verification process and use your phone number on WhatsApp. This means you remain in control of your WhatsApp account.”

Of course, if someone does gain access to your WhatsApp account, then they will be able to view any future messages you receive, and pretend to be you.

WhatsApp says that for this reason you should never share your verification code with anyone, even if they are friends or family: “If you suspect someone else is using your WhatsApp account, you should notify family and friends as this individual could impersonate you in chats and groups. Please note, WhatsApp is end-to-end encrypted and messages are stored on your device, so someone accessing your account on another device can’t read your past conversations.”

For a higher level of security on WhatsApp, you are also advised to enable two-step verification, WhatsApp's form of multi-factor authentication (MFA): a six-digit PIN of your choosing that must be entered, in addition to the SMS code, whenever your number is registered on a new device. This adds an extra layer of security and makes it far less likely that cyber criminals can take over your account with a stolen SMS code alone. WhatsApp also advises users who are worried about their safety to restrict who can view their profile photo, and to be wary of transferring money to contacts before confirming their identity by some other means.

WhatsApp offers further advice on how to recover your account if it has been stolen, including logging out of all linked computers from your phone if you believe someone might still be using your account via WhatsApp Web or Desktop.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.