Cyber Weekly Flash Briefing 01 May 2020 – 50% of users feel vulnerable WFH, yet many have had no infosec training in last year, spear-phishing compromises execs in 150+ companies, Sophos zero-day
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Half of remote workers feel vulnerable to growing cyber attacks
New research has revealed that almost half (49%) of employees working remotely feel vulnerable online due to the insecurity of the company laptops and PCs they are using to connect to corporate networks.
1,550 UK employees working from home during the pandemic were surveyed to better understand the security issues they've faced while working remotely.
The survey found that 42 percent of respondents received suspicious emails while 18 percent have dealt with a security breach while working from home. Of those who suffered a cyberattack, over half (51%) believed it was because they clicked on a malicious link and 18 percent believed an infected attachment was responsible.
Additionally, 42 percent of respondents reported that someone else in their household had experienced a hack of their social media accounts during the lockdown.
Read more here: https://www.techradar.com/news/half-of-remote-workers-feel-vulnerable-to-growing-cyberattacks
Many remote workers given no cyber security training
Two in three remote workers have not received any cyber security training in the past 12 months, according to a new report.
Based on a poll of 2,000 remote workers in the UK, the report states that more than three quarters (77 percent) are unconcerned about cyber security. Further, more than six in ten said they use personal devices when working from home, which poses a distinct threat to business data.
The report highlights the dangers associated with working from home and the fact cyber criminals are capitalising on the coronavirus outbreak to infect unwitting victims with malware.
With most businesses transitioning to remote working in response to lockdown measures, IT and security teams have been left with a network of unsecured, often naive workers who are easy prey for various forms of attack - especially phishing.
Read the full article here: https://www.itproportal.com/news/many-remote-workers-given-no-cybersecurity-training/
Spear-phishing campaign compromises executives at 150+ companies
A cyber crime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today.
The group, codenamed PerSwaysion, appears to have targeted the financial sector primarily, which accounted for more than half of its victims; although, victims have been recorded at companies active across other verticals as well.
PerSwaysion's operations were not sophisticated but have nonetheless been extremely successful. Group-IB says the hackers didn't use vulnerabilities or malware in their attacks but instead relied on a classic spear-phishing technique.
They sent boobytrapped emails to high-ranking executives at targeted companies in the hope of tricking them into entering Office 365 credentials on fake login pages.
Read the full article here: https://www.zdnet.com/article/spear-phishing-campaign-compromises-executives-at-150-companies/
Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway
Just because ransomware attackers haven't threatened to leak your company's data, it doesn't mean they haven't stolen it, Microsoft warns.
And human-operated ransomware gangs – typically associated with multi-million dollar ransom demands – haven't halted activity during the global coronavirus pandemic.
In fact, they launched more of the file-encrypting malware on target networks in the first two weeks of April than in earlier periods, causing chaos at aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, according to Microsoft.
Google Confirms New Security Threat For 2 Billion Chrome Users
Google has warned of yet more security vulnerabilities in Chrome 81, which was only launched three weeks ago.
Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.
These popular antivirus tools share a major security flaw
More than two dozen popular antivirus solutions contain a flaw that could enable hackers to delete files, trigger crashes and install malware, according to a new report.
Popular antivirus solutions such as Microsoft Defender, McAfee Endpoint Security and Malwarebytes all feature the bug, which is described as “trivial” to abuse.
The report refers to the shared vulnerability as “symlink race” – the use of symbolic links and directory junctions to link malicious files to legitimate counterparts. This all occurs in the short space of time between an antivirus scanning and deleting a file.
"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponising the tactics outlined in this blog post," said the report.
Read more: https://www.itproportal.com/news/these-popular-antivirus-tools-could-have-major-security-flaws/
Hackers are exploiting a Sophos firewall zero-day
Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.
Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."
After investigating the report, Sophos determined this was an active attack and not an error in its product.
Read more: https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
This sophisticated new Android trojan threatens hundreds of financial apps
Researchers have discovered a sophisticated new Android trojan that bypasses security measures and scrapes data from financial applications.
First identified in March, the EventBot banking trojan abuses Android’s accessibility features to harvest financial data and intercept SMS messages, allowing the malware to circumvent two-factor authentication.
According to the firm responsible for the discovery, EventBot targets over 200 financial applications, spanning banking, money transfer and cryptocurrency wallet services.
Affected applications include those operated by major players such as HSBC, Barclays, Revolut, Paypal and TransferWise - but many more are thought to be at risk.
Microsoft Office 365: US issues security alert over rushed remote deployments
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic.
CISA warns that it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers.
"In recent weeks, organizations have been forced to change their collaboration methods to support a full 'work from home' workforce," CISA notes in the new alert.
Financial sector is seeing more credential stuffing than DDoS attacks
The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years according to a report published this week.
The report compiles statistics about attacks carried out against banks, credit unions, brokers, insurers, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (SaaS) providers.
The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical.
The report states that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019. This includes all the ATO variations such as:
· Brute-force attacks - attackers try common or weak username/password pairs (from a preset list) to brute-force their way into an account
· Credential stuffing - attackers try username/password pairs leaked at other sites
· Password spraying - attackers try the same password, but against different usernames
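The three ATO variants above leave different footprints in authentication logs, which is what a defender actually gets to work with. The following is an added example (not from the briefing or the report it summarises) that sorts failed-login bursts per source IP into those variants; the log format, the two result codes and the thresholds are assumptions chosen for illustration, and the sample log is constructed.

```python
"""Sort failed-login bursts into the account-takeover (ATO) variants listed above.

Added example, not from the briefing or the report. The log format, the result
codes and the thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed sample log, one failed attempt per line: "<epoch> <src_ip> <username> <result>".
# <result> is BAD_PASSWORD (account exists) or NO_SUCH_USER (account does not exist here).
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join(
    # one account, ten guesses: brute force
    [f"{1588300000 + i} 203.0.113.10 jsmith BAD_PASSWORD" for i in range(10)]
    # ten distinct users tried once each, half of them unknown here: credential stuffing
    + [f"{1588300000 + i} 203.0.113.20 user{i:02d} "
       + ("NO_SUCH_USER" if i % 2 else "BAD_PASSWORD") for i in range(10)]
    # ten distinct valid users tried once each: password spraying
    + [f"{1588300000 + i} 203.0.113.30 emp{i:02d} BAD_PASSWORD" for i in range(10)]
    # two typos from a legitimate user: normal
    + [f"{1588300000 + i} 198.51.100.5 jsmith BAD_PASSWORD" for i in range(2)]
)

def parse_failures(log_text):
    """Group failed attempts by source IP as (epoch, username, result) tuples."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        by_ip[ip].append((int(ts), user, result))
    return by_ip

def classify(attempts, min_attempts=8, unknown_ratio=0.3):
    """Heuristic labels (assumed thresholds):
    - brute-force: a burst concentrated on one or two usernames
    - credential-stuffing: many usernames tried about once each, with a large share
      of usernames that do not exist here (pairs leaked from other sites)
    - password-spraying: many usernames tried about once each, nearly all valid
    """
    if len(attempts) < min_attempts:
        return "normal"
    users = {u for _, u, _ in attempts}
    if len(users) <= 2:
        return "brute-force"
    if len(attempts) / len(users) <= 1.5:
        unknown = sum(r == "NO_SUCH_USER" for _, _, r in attempts)
        if unknown / len(attempts) >= unknown_ratio:
            return "credential-stuffing"
        return "password-spraying"
    return "mixed-ato"

def classify_log(log_text):
    """Return {source_ip: label} for every source in the log."""
    return {ip: classify(a) for ip, a in parse_failures(log_text).items()}

if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
```

The unknown-username ratio is what separates stuffing from spraying here: leaked pairs from other sites mostly name accounts that do not exist locally, whereas a sprayer works from a list of valid usernames.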
Read more here: https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/
This buggy WordPress plugin allows hackers to lace websites with malicious code
Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.
The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend - and reportedly features on over 100,000 sites.
The exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.
Read more here: https://www.techradar.com/news/this-buggy-wordpress-plugin-allows-hackers-to-lace-websites-with-malicious-code
Zoom Gets Stuffed: Here’s How Hackers Got Hold Of 500,000 Passwords
At the start of April, the news broke that 500,000 stolen Zoom passwords were up for sale. Here's how the hackers got hold of them.
More than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums earlier this month. Some were given away for free while others were sold for as low as a penny each.
Researchers at a threat intelligence provider obtained multiple databases containing Zoom credentials and got to work analysing exactly how the hackers got hold of them in the first place.
Read more here: https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/#6586d7be5cdc
Sophisticated Android Spyware Attack Spreads via Google Play
The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia — and could be the work of the OceanLotus APT.
A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.
Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.
The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.
Read more here: https://threatpost.com/sophisticated-android-spyware-google-play/155202/
Skype phishing attack targets remote workers
Remote workers have been warned to take extra care when using video conferencing software after a new phishing scam was uncovered.
Researchers from a security firm have revealed hackers are using emails pretending to be from Skype, the popular Microsoft-owned video calling tool, in order to trick home workers into handing over their login details.
Criminals could then use these logins to access corporate networks to spread malware or steal valuable information.
Read more here: https://www.techradar.com/news/skype-phishing-attack-targets-remote-workers