Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin

Cyber Weekly Flash Briefing for 07 February 2020 – Coronavirus phishing, financial malware keylogger trick, remote workers, Cisco critical vulns, Mirai botnet holds up

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Coronavirus Scams: Prepare for Phishing Emails, Fake Alerts and Cyberthreats

As new global stories emerge by the hour on the coronavirus, bad actors are (again) trying to confuse online updates with phishing scams and destructive malware. Here’s why action is required now.

Wherever you turn for news coverage online, coronavirus alarm bells are ringing louder.

But users should not trust all of those bells, as fake news, phishing scams and even malware are actively being distributed under the coronavirus umbrella.

Sadly, a perfect storm may be brewing. As government officials and health experts appeal louder for calm, the public is actually getting more worried and searching the Internet for answers.

Read the original article here: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/coronavirus-scams-prepare-for-a-deluge-of-phishing-emails-fake-alerts-and-cyberthreats.html

Metamorfo Returns with Keylogger Trick to Target Financial Firms

The malware uses a tactic to force victims to retype passwords into their systems – which it tracks via a keylogger.

Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Now, however, it’s expanding its geographic range and adding a new technique.

Metamorfo was first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray and pray” spam tactics). These campaigns, however, have small, “morphing” differences — which is the meaning behind its name.

This newest variant, which targets payment-card data and credentials at financial institutions with Windows platforms, packs a new trick up its sleeve. Once executed, the malware kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger.

Read more here: https://threatpost.com/metamorfo-variant-keylogger-financial/152640/

What's in your network? Shadow IT and shadow IoT challenge technology sensibilities

A couple of years ago, a survey found most CIOs thought they had roughly 30 to 40 apps running within their enterprises, but researchers at Symantec estimated that the average enterprise actually had at least 1,516 applications -- a number that has doubled over a three-year period.

It's not that CIOs are naive. It's just that shadow IT is a difficult thing to measure, since employees pull down apps outside the official channels, and off budget sheets. To some degree, it's even purposely overlooked, condoned, or even encouraged, as employees need the right tools to do their jobs, and IT can't always be there.

Now, it appears CIOs are battling shadow IT on two fronts. There's the user-initiated apps and clouds, and there's something more insidious -- "shadow IoT."

More here: https://www.zdnet.com/article/shadow-it-and-now-shadow-iot-challenge-technology-leaders/


Remote workers prime targets for cyber attacks

According to a study into the future of work, more than half of CIOs expect a rise in employees working remotely, while 97% say that soon their workforce will be widely dispersed across geographies and time zones. Businesses are being forced to adapt to the rising demand for a dynamic working environment, which can manifest as anything from workers bringing their own devices to work to employees using corporate machines at home as part of a flexible work schedule. However, this increases the security burden through the need for better identity management.

Read the full article here: https://www.techradar.com/news/remote-workers-prime-targets-for-cyber-attacks

Critical Cisco vulnerabilities put millions of network devices at risk

Five different critical vulnerabilities, collectively known as CDPwn, have been discovered in Cisco’s Discovery Protocol, potentially putting tens of millions of enterprise network devices, such as desk phones, cameras and network switches, at risk.

Cisco Discovery Protocol (CDP) is a Layer 2 protocol used to discover information about directly connected Cisco equipment.

According to researchers, this flaw could allow hackers to control the products deep within the network without any human intervention. This could be done remotely by just sending a malicious CDP packet to the target device.
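Because CDP is processed from a single unauthenticated Layer 2 frame, the defensive lesson is that every length field read off the wire has to be checked before it is used. The following is an added illustration written for this briefing, not code from the article or from Cisco: a bounds-checked parser for the TLV structure that follows the CDP version/TTL/checksum header, fed with constructed frames (the device and port names are made up, the checksum is left unverified for brevity). It shows what a robust decoder rejects that a naive one would happily walk past the end of the buffer.

```python
import struct

# Well-known CDP TLV types (from the protocol, not from the article)
CDP_TLV_NAMES = {
    0x0001: "Device ID",
    0x0002: "Addresses",
    0x0003: "Port ID",
    0x0004: "Capabilities",
    0x0005: "Software Version",
    0x0006: "Platform",
}


class CdpParseError(ValueError):
    """Raised for any payload that violates the CDP framing rules."""


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the 2-byte length covers the 4-byte header as well."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def parse_cdp(payload: bytes, max_tlvs: int = 64) -> dict:
    """Parse the CDP payload that follows the LLC/SNAP header.

    Every length taken from the wire is compared with the bytes that really
    remain before it is used, so a hostile length cannot push the parser
    past the buffer or stall it on the same offset forever.
    """
    if len(payload) < 4:
        raise CdpParseError("payload shorter than the 4-byte CDP header")
    version, ttl, checksum = struct.unpack_from("!BBH", payload, 0)
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")

    result = {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": []}
    offset = 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, offset)
        # A length below 4 would underflow the value slice or loop forever.
        if tlv_len < 4:
            raise CdpParseError(f"TLV 0x{tlv_type:04x} length {tlv_len} < header size")
        end = offset + tlv_len
        if end > len(payload):
            raise CdpParseError(
                f"TLV 0x{tlv_type:04x} claims {tlv_len} bytes, only {len(payload) - offset} remain")
        value = payload[offset + 4:end]
        result["tlvs"].append((tlv_type, CDP_TLV_NAMES.get(tlv_type, "unknown"), value))
        if len(result["tlvs"]) > max_tlvs:
            raise CdpParseError("too many TLVs in one frame")
        offset = end

    # String TLVs are decoded defensively: never assume they are clean text.
    for tlv_type, _, value in result["tlvs"]:
        if tlv_type == 0x0001:
            result["device_id"] = value.decode("ascii", errors="replace")
        elif tlv_type == 0x0003:
            result["port_id"] = value.decode("ascii", errors="replace")
    return result


def sample_frame() -> bytes:
    """Constructed, well-formed CDPv2 payload (names are made up for the example)."""
    header = struct.pack("!BBH", 2, 180, 0x0000)  # version 2, TTL 180 s, checksum omitted
    return header + (
        build_tlv(0x0001, b"switch-lab-01")
        + build_tlv(0x0003, b"GigabitEthernet0/1")
        + build_tlv(0x0006, b"example platform")
    )


def malformed_frames() -> dict:
    """Constructed payloads that a parser trusting the length field would mishandle."""
    header = struct.pack("!BBH", 2, 180, 0x0000)
    return {
        # length says 200 bytes but only three follow the header
        "oversized_length": header + struct.pack("!HH", 0x0001, 200) + b"abc",
        # zero length: a trusting loop would never advance
        "zero_length": header + struct.pack("!HH", 0x0001, 0) + b"abc",
        # TLV header cut off after two bytes
        "truncated_header": header + b"\x00\x01",
    }


def classify(payload: bytes) -> str:
    """Return 'ok' or a 'reject: ...' reason; convenient for batches of captured frames."""
    try:
        parse_cdp(payload)
        return "ok"
    except CdpParseError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    print(parse_cdp(sample_frame()))
    for name, frame in malformed_frames().items():
        print(name, "->", classify(frame))
```

The operational mitigation the article points at is simpler than any parser: disable CDP on ports that do not need it and patch affected devices. The parser above is only there to make concrete what "a malicious CDP packet" exploits, namely length fields that are trusted without a bounds check.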

Read more: https://www.techradar.com/news/critical-cisco-vulnerabilities-put-millions-of-network-devices-at-risk


This latest phishing scam is spreading fake invoices loaded with malware - campaigns are launched against financial institutions in the US and UK.

A notorious malware campaign is targeting banks and financial institutions in the US and the UK with cyberattacks that are not only destructive in their own right, but could also be used as the basis for future intrusions by other hackers.

Emotet started life as a banking trojan, but has also evolved into a botnet, with its criminal operators leasing out its capabilities to those who want to distribute their own malware to compromise machines.

Such is the power of Emotet that at one point last year it accounted for almost two-thirds of malicious payloads delivered in phishing attacks.

Emotet activity appeared to decline during December, but it sprung back to life in January – and it currently shows no signs of slowing down as researchers have detailed yet another campaign.

Read more here: https://www.zdnet.com/article/this-latest-phishing-scam-is-spreading-fake-invoices-loaded-with-malware/


90% of UK Data Breaches Due to Human Error in 2019

Human error caused 90% of cyber data breaches in 2019, according to a CybSafe analysis of data from the UK Information Commissioner’s Office (ICO).

According to the cybersecurity awareness and data analysis firm, nine out of 10 of the 2376 cyber-breaches reported to the ICO last year were caused by mistakes made by end-users. This marked an increase from the previous two years, when respectively, 61% and 87% of cyber-breaches were ascribed to user error.

CybSafe cited phishing as the primary cause of breaches in 2019, accounting for 45% of all reports to the ICO. ‘Unauthorized access’ was the next most common cause of cyber-breaches in 2019, with reports relating to malware or ransomware, hardware/software misconfiguration and brute force password attacks also noted.

Read the full article here: https://www.infosecurity-magazine.com/news/90-data-breaches-human-error/

Police Warning: Cyber Criminals Are Using Cleaners to Hack Your Business

Criminal gangs are planting “sleepers” in cleaning companies so that they can physically access IT infrastructure, a senior police officer with responsibility for cyber crime has warned, urging businesses to bolster their physical security processes in the face of the growing threat.

Shelton Newsham, who manages the Yorkshire and Humber Regional Cyber Crime Team, told an audience at the SINET security event that he was seeing a “much larger increase in physical breaches” as cyber crime groups diversify how they attack and move laterally inside institutions.

Read more here: https://www.cbronline.com/cybersecurity/threats/cyber-criminals-cleaners/


The Mirai IoT botnet holds strong in 2020

The Mirai botnet has been a constant IoT security threat since it emerged in fall 2016. The subsequent release of its source code only extended Mirai's reach and is one of the many reasons it has been labelled the "king of IoT malware."

Mirai continues to be successful for a well-known reason: Its targets are IoT devices with hardcoded credentials found in a simple web search. Such devices listen for inbound telnet access on certain ports and have backdoors through which Mirai can enter. Once a device is subsumed in the botnet it immediately scans for other victims.
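Mirai's spread is noisy: an infected device tries telnet logins against many addresses in a short time, and any device that answers on the telnet port is a candidate victim. The snippet below is an added example for this briefing, not code from the article: it runs two checks over constructed, syslog-style firewall lines (RFC 5737 documentation addresses, made-up timestamps), flagging sources that reach many distinct hosts on the telnet ports within a sliding window, and listing hosts that accepted an inbound telnet connection at all. The log format and the thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports the Mirai family probes for telnet logins
TELNET_PORTS = {23, 2323}

# Constructed firewall log: 192.0.2.10 sweeps six hosts on telnet, 192.0.2.20
# makes two legitimate-looking admin connections, 192.0.2.30 is HTTPS traffic.
SAMPLE_LOG = """\
2020-02-05T10:00:01Z fw DROP src=192.0.2.10 dst=198.51.100.1 proto=TCP dpt=23
2020-02-05T10:00:03Z fw DROP src=192.0.2.10 dst=198.51.100.2 proto=TCP dpt=23
2020-02-05T10:00:05Z fw ACCEPT src=192.0.2.10 dst=198.51.100.3 proto=TCP dpt=2323
2020-02-05T10:00:07Z fw DROP src=192.0.2.10 dst=198.51.100.3 proto=TCP dpt=23
2020-02-05T10:00:09Z fw DROP src=192.0.2.10 dst=198.51.100.4 proto=TCP dpt=23
2020-02-05T10:00:11Z fw DROP src=192.0.2.10 dst=198.51.100.5 proto=TCP dpt=23
2020-02-05T10:00:13Z fw DROP src=192.0.2.10 dst=198.51.100.6 proto=TCP dpt=23
2020-02-05T10:00:20Z fw ACCEPT src=192.0.2.20 dst=198.51.100.7 proto=TCP dpt=23
2020-02-05T10:00:21Z fw ACCEPT src=192.0.2.20 dst=198.51.100.8 proto=TCP dpt=23
2020-02-05T10:00:30Z fw ACCEPT src=192.0.2.30 dst=198.51.100.9 proto=TCP dpt=443
2020-02-05T10:00:31Z fw ACCEPT src=192.0.2.30 dst=198.51.100.10 proto=TCP dpt=443
2020-02-05T10:00:32Z fw ACCEPT src=192.0.2.30 dst=198.51.100.11 proto=TCP dpt=443
2020-02-05T10:00:33Z fw ACCEPT src=192.0.2.30 dst=198.51.100.12 proto=TCP dpt=443
2020-02-05T10:00:34Z fw ACCEPT src=192.0.2.30 dst=198.51.100.13 proto=TCP dpt=443
2020-02-05T10:00:35Z fw ACCEPT src=192.0.2.30 dst=198.51.100.14 proto=TCP dpt=443
this line is not a firewall event and is skipped
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \S+ (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=TCP dpt=(?P<dpt>\d+)$"
)


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def find_telnet_scanners(lines, window=timedelta(seconds=60), min_targets=5) -> dict:
    """Map each source to the peak number of distinct telnet targets it hit
    inside any `window`, keeping only sources at or above `min_targets`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dpt"] in TELNET_PORTS:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        counts = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def exposed_telnet_listeners(lines) -> list:
    """Hosts that accepted an inbound telnet connection: each one is a device
    that should be checked for default credentials or have telnet disabled."""
    hosts = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "ACCEPT" and ev["dpt"] in TELNET_PORTS:
            hosts.add(ev["dst"])
    return sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    print("scanners:", find_telnet_scanners(SAMPLE_LOG))
    print("telnet listeners:", exposed_telnet_listeners(SAMPLE_LOG))
```

The same pattern of a per-source sliding window over distinct destinations works for any worm-style sweep; only the port set changes. The listener check is the cheaper win: a host that never accepts telnet cannot be recruited this way regardless of its credentials.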

Read the original article here: https://searchsecurity.techtarget.com/feature/The-Mirai-IoT-botnet-holds-strong-in-2020


Governments Are Soft Targets for Cyber-criminals

New research has found that governments are more vulnerable to cyber-attacks than other organisations.

A report on the security of municipal governments and agencies identified three key factors that made governments particularly soft targets. Researchers found that governments had larger attack surfaces, lower usage rates of even the most basic email authentication schemes, and much higher rates of internal hosting than other organisations.

Government attack surfaces, consisting of open ports and applications, were found to be on average 33% larger than those of other organisations.
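The article does not say which "basic email authentication schemes" the researchers measured; SPF and DMARC are the usual baseline, and that is the assumption behind this added example, which is not code from the article or the report. It grades a domain's published SPF and DMARC TXT records offline, flagging the weak settings (a soft-fail or permissive `all`, a `p=none` DMARC policy, partial `pct`, no reporting address). The records and domain names are constructed for the example; in real use they would come from a DNS lookup, which is deliberately left out so the check runs anywhere.

```python
from typing import Dict, Optional

# Constructed TXT records for three made-up domains (not real DNS data)
SAMPLE_TXT: Dict[str, str] = {
    "agency.example": "v=spf1 include:_spf.mail.example ~all",
    "_dmarc.agency.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    "hardened.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
}


def assess_spf(record: Optional[str]) -> dict:
    """Rate an SPF record by the qualifier on its 'all' mechanism."""
    if record is None:
        return {"present": False, "rating": "missing", "issues": ["no SPF record published"]}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"present": True, "rating": "invalid", "issues": ["record does not start with v=spf1"]}
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    issues = []
    if all_term is None:
        rating = "weak"
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "-":
            rating = "enforcing"
        elif qualifier == "~":
            rating = "softfail"
            issues.append("~all only soft-fails unlisted senders; receivers rarely reject on it")
        else:
            rating = "weak"
            issues.append(f"'{all_term}' lets any sender pass SPF")
    return {"present": True, "rating": rating, "issues": issues}


def assess_dmarc(record: Optional[str]) -> dict:
    """Rate a DMARC record by its p= policy, pct= coverage and reporting setup."""
    if record is None:
        return {"present": False, "rating": "missing", "issues": ["no DMARC record published"]}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"present": True, "rating": "invalid", "issues": ["record does not start with v=DMARC1"]}

    policy = tags.get("p", "").lower()
    rating = {"reject": "enforcing", "quarantine": "partial", "none": "monitor-only"}.get(policy, "invalid")
    issues = []
    if rating == "invalid":
        issues.append("missing or unknown p= tag")
    elif policy == "none":
        issues.append("p=none: failures are reported but the mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        issues.append("pct= is not a number")
    if 0 < pct < 100:
        issues.append(f"pct={pct}: the policy applies to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will never arrive")
    return {"present": True, "rating": rating, "policy": policy, "issues": issues}


def assess_domain(domain: str, txt_records: Dict[str, str]) -> dict:
    """Combine both checks; `txt_records` stands in for a DNS resolver here."""
    spf = assess_spf(txt_records.get(domain))
    dmarc = assess_dmarc(txt_records.get(f"_dmarc.{domain}"))
    enforcing = spf["rating"] == "enforcing" and dmarc["rating"] == "enforcing"
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "enforcing": enforcing}


if __name__ == "__main__":
    for name in ("agency.example", "hardened.example", "nothing.example"):
        result = assess_domain(name, SAMPLE_TXT)
        print(name, "enforcing" if result["enforcing"] else "NOT enforcing",
              result["spf"]["issues"] + result["dmarc"]["issues"])
```

A `p=none` record is the state most organisations stop at: it delivers the reports needed to find legitimate senders, but it blocks nothing, so a domain with only that published is no harder to spoof than one with no record at all.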

Read more here: https://www.infosecurity-magazine.com/news/governments-are-soft-targets-for/

BYO Hardware Driver: New Ransomware Attacks Kernel Memory and brings its own vulnerability

A ransomware strain dubbed “RobbinHood” is using a vulnerability in a “legitimate” and signed hardware driver to delete security products from targeted computers before encrypting users’ files, according to security researchers.

The ransomware exploits a known vulnerability in the driver from Taiwan’s GIGABYTE to subvert a setting in kernel memory in Windows 10, 8 and 7, meaning it “brings its own vulnerability” and can attack otherwise patched systems.

Read more here: https://www.cbronline.com/cybersecurity/threats/robbinhood-ransomware-gigabyte-driver/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog, also on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.