Cyber Weekly Flash Brief 08 May 2020: Predatory Cyber Criminals & Hostile States Target Uk, Ransomware Payments Up, New Phishing Attack, Remote Accounts Attacked, Legal Docs Exposed, Samsung Vulns
If you’re pressed for time watch the 60 second quick fire summary of the top cyber and infosec stories from the last week:
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Coronavirus: ‘Predatory’ cyber criminals and hostile states targeting UK citizens and institutions, Dominic Raab warns UK
Dominic Raab has warned that “predatory” cyber criminals and hostile states are seeking to exploit the coronavirus pandemic, saying that UK citizens, businesses and institutions will be targeted for weeks and months ahead.
His remarks follow a joint warning from cyber security agencies in Britain and the US, urging healthcare and medical research staff to improve their password security to prevent criminals exploiting the crisis further.
Speaking at No 10 earlier in the week, Mr Raab said that while the vast majority of people and countries had rallied together, “there will always be some who seek to exploit a crisis for their own criminal and hostile ends”.
The foreign secretary said he was aware that cyber criminals and “other malicious groups” are targeting individuals and organisations in the UK by deploying Covid-19 related scams and phishing emails.
“That includes groups that in the cyber security world are known as advanced persistent threat (APT) groups – sophisticated groups of hackers who try to breach computer systems,” he said.
“We have clear evidence now that these criminal gangs are actively targeting national and international organisations which are responding to the Covid-19 pandemic, which I have to say makes them particular dangers and venal at this time.”
Read the full article here: https://www.independent.co.uk/news/uk/politics/coronavirus-cyber-crime-hack-business-dominic-raab-a9500316.html
New phishing attack targeting Microsoft Teams users aims to steal Office 365 credentials
Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees are working from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to help enhance functionality. While the communication of new features is a given, a new phishing attack that mimics notifications from the Redmond giant is being targeted at Teams users.
The specifics of the attack suggests that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the email notifications impersonate automated notification emails from Teams that are convincing enough owing to the content and design. The sender email comes from the “sharepointonline-irs.com” domain, something that is misleading and one that is not owned by Microsoft.
Read more here: https://www.neowin.net/news/new-phishing-attack-targeting-microsoft-teams-users-aims-to-steal-office-365-credentials
Ransomware Payments Surge 33% as Attacks Target Remote Access
The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organisations struggled to mitigate remote working threats.
A security vendor analysed ransomware cases handled by its own incident response team during the period to compile its latest findings.
It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.
Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.
Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.
Read the full article here: https://www.infosecurity-magazine.com/news/ransomware-payments-surge-33/
Millions of remote desktop accounts attacked every week
Since the start of the outbreak, we've seen cyber criminals target Zoom and spread coronavirus-related phishing campaigns, in a bid to take advantage of the increase in remote working.
Now, new research suggests criminals are also targeting employees reliant on Microsoft's proprietary Remote Desktop Protocol (RDP) with far greater regularity.
According to this new report, hundreds of thousands of employees use RDP as a way to remotely connect to their office computer with the same privileges they would have on site.
However, RDP is also an enticing target for criminals, who are reportedly bombarding the service with brute-force attacks in a bid to gain entry.
Prior to the coronavirus pandemic, researchers typically recorded around 100,000–150,000 attacks of this kind per day, but that number has shot up to almost a million.
Read more: https://www.itproportal.com/news/millions-of-remote-desktop-accounts-are-being-attacked-ever-week/
This phishing campaign targets executives with fake emails from their phone provider
A new spear-phishing campaign has targeted executives and others in attempt to steal login credentials and bank account details by posing as their smartphone provider.
Uncovered by researchers, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.
The security company said the spoof mail had been sent to "a few executives, including one at a leading financial firm".
The messages come with the vague subject 'View Bill – Error – Message' and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should login to their account to update their details.
Users should be cautious about unexpected messages like this – especially, if like this one, they urge some sort of immediate action – but there's also some elements of the phishing email that should act as a warning that all is not right.
Read more here: https://www.zdnet.com/article/this-phishing-campaign-targets-executives-with-fake-emails-from-their-phone-provider/
This ransomware spreads across hundreds of devices in no time at all
The LockBit ransomware contains a feature that allows attackers to encrypt hundreds of devices in just a few hours once they've breached a corporate network.
LockBit is a fairly new Ransomware-as-a-Service (RaaS) that was launched in September of last year. The developers of the ransomware are in charge of maintaining its payment site and updates while affiliates sign up to distribute the malware. LockBit's developers then earn around 25-40 percent of the ransom payments received while the affiliates earn a slightly larger share at 60-75 percent.
Researchers have published a report revealing how a LockBit ransomware affiliate hacked into a corporate network and encrypted 25 servers and 255 workstations in just three hours.
The hackers began their attack by brute-forcing an administrator account through an outdated VPN service. This gave them the administrative credentials they needed in order to deploy the LockBit ransomware on the network.
Read more: https://www.techradar.com/news/this-ransomware-spreads-across-hundreds-of-devices-in-no-time-at-all
Data security flaw exposes details of thousands of legal documents
A data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years in an online database, potentially affecting the clients of about 190 law firms.
The cache of documents, which included Companies House property transaction forms containing authentication details such as email addresses and passwords, had been scanned and uploaded by legal firms — including three of the “magic circle” — using a product from Advanced Computer Software, Britain’s third-largest software company.
Advanced, said in a statement: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.”
Leaving a security hole open for an extended period of time exposing authentication and other details was serious.
Though the exposure of legal documents is of a different scale to recent incidents — including at Virgin Media and British Airways — involving much larger customer databases, the inclusion of authentication information raised concerns about the potential impact if the exposed data fell into the wrong hands.
Read more here: https://www.ft.com/content/e0d6b6b7-825f-4102-b78f-204e1be205b6
Vulnerabilities in two VPNs opened door to fake, malicious updates
Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.
Attackers can intercept VPN communications and force the apps to download fake updates according to the researchers who discovered the flaws.
The researchers stated they were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe – have a lot of users trusting these tools to provide them with more security and privacy, not less.
Read more here: https://www.scmagazine.com/home/security-news/vulnerabilities-in-two-vpns-opened-door-to-fake-malicious-updates/
Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected
The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.
A hacker group tried to hijack 900,000 WordPress sites over the last week
A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued this week.
Since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic being tracked.
The group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites.
The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.
Read the full article here: https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/
Popular adult streaming site just accidentally outed millions of users
Adult live streaming platform CAM4 has suffered a massive data breach, exposing the identity of millions of its users.
Discovered by security researchers, the breach was caused by a server configuration error that made 7TB of user data (comprising 10.88 billion records in total) easily discoverable online.
While the misconfigured ElasticSearch database did not betray users’ specific sexual preferences, it did include personally identifiable information including names, email addresses, payment details, chat logs and sexual orientation.
The popular adult platform is used primarily by amateur webcam models to stream explicit content to live audiences. To gain access to premium content or tip performers, users must first register with the site - parting ways with both personal and financial data.
Read more here: https://www.techradar.com/news/this-popular-adult-streaming-site-accidentally-outed-millions-of-users
Hacker Group Selling Databases With Millions Of User Credentials Busted In Poland And Switzerland
Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud.
On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. Two platforms with databases containing over 170 million entries were closed down by the police.
The hacking group created online platforms to sell user login credentials known as ‘combos’. The group was efficiently organised into three defined teams. Developers created tools to test the quality of the stolen databases, while testers analysed the suitability of authorisation data. Project managers then distributed subscriptions against cryptocurrency payments.
The hacking group’s main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.
Read more here: https://www.europol.europa.eu/newsroom/news/hacker-group-selling-databases-millions-of-user-credentials-busted-in-poland-and-switzerland