Cyber Weekly Flash Briefing for 13 March 2020 – more Coronavirus based phishing, adapting ways of working, emergency Microsoft patch, businesses breached due to employee error, IoT traffic unencrypted
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
More coronavirus phishing campaigns detected
Caution required when accessing coronavirus-related emails.
Cybercriminals often use major global events to spread malware and steal data, and the recent coronavirus outbreak is no different.
Security experts have identified two phishing campaigns that take advantage of coronavirus concerns to infect devices with the Agent Tesla keylogger.
According to the report, cybercriminals are distributing emails that appear to originate from The Centre for Disease Control (CDC) or the World Health Organisation (WHO). The emails claim the virus is now airborne and that new cases have been confirmed in the victim’s vicinity.
Attached to the messages is a file named "SAFETY PRECAUTIONS", which looks like an Excel document, but is in fact an executable file (.exe) capable of sowing the trojan.
More here: https://www.itproportal.com/news/more-coronavirus-phishing-campaigns-detected/
How coronavirus COVID-19 is accelerating the future of work
The coronavirus is forcing enterprises to rethink the way they do business and dust off policies for security, business continuity, and remote workers. Chances are that some of these efforts will stick
The coronavirus outbreak may speed up the evolution of work and ultimately retool multiple industries as everything from conferences to collaboration to sales and commercial real estate are rethought.
Read the original article here: https://www.zdnet.com/article/how-coronavirus-may-accelerate-the-future-of-work/
Millions of UK businesses experience data breaches due to employee error
Employees often click on fraudulent links and can't spot a phishing email.
Employee error is the cause of 60 percent of all data breaches among UK businesses according to a new report from insurance broker Gallagher.
Polling 1,000 UK business leaders, Gallagher found the most common cause (39 percent) of employee-related breaches was malware downloaded accidentally via fraudulent links.
Phishing is also a major risk factor, responsible for 35 percent of infections. While employees pushing sensitive data outside company systems accounted for a further 28 percent.
The report also claims that almost a third of affected businesses (30 percent) have had their operations knocked out for four to five days as a result of employee error.
Respondents also reported reputational damage (14 percent) and financial consequences (12 percent), which included fines issued by data privacy regulators.
Most executives (71 percent) are aware of the problem and almost two thirds (64 percent) said they regularly remind employees about the risk of cyber crime.
Virtually all businesses are at risk of a cyber attack and as this research shows, it is often an employee mistake which causes the problem.
AMD processors going back to 2011 suffer from worrying security holes
Pair of freshly revealed attacks have not yet been patched
AMD’s processors from as early as 2011 through to 2019 are carrying vulnerabilities that are as yet unpatched, according to some freshly published research.
Known as ‘Take A Way’ (every security problem needs a snappy name, of course), security researchers said that they reverse-engineered the L1D cache way predictor in AMD silicon in order to discover two new potential attack vectors.
Given all the attention which has been focused on the flaws in Intel’s CPUs in recent times – vulnerabilities which haven’t affected AMD chips in a number of cases – this might just serve as a reminder that no one’s silicon is bulletproof.
More here: https://www.techradar.com/news/amd-processors-going-back-to-2011-suffer-from-worrying-security-holes
F-Secure reports a steep rise in hacking attempts
The latest Attack landscape H2 2019 report from F-Secure has found that there has been a jump in the volume of cyber attacks targeting internet users
In the report, F-Secure said that in the first half of 2019, the company’s global network of honeypots experienced a jump in cyber attack traffic.
The volume of such attacks rose from 246 million in H1 2017 to 2.9 billion in H1 2019. In the second half of the year, according to F-Secure, the pace of attack traffic continued but at a slightly reduced rate. F-Secure said there were 2.8 billion hits to its honeypot servers in H2 2019. Distributed Denial of Service (DDos) attacks drove this deluge, accounting for two-thirds of the traffic.
Its research found that the US is the country whose IP space played host to the greatest number of attacks, followed by China and Russia.
https://www.computerweekly.com/news/252479470/F-secure-reports-a-steep-rise-in-hacking-attempts
This ransomware campaign has just returned with a new trick
Paradise ransomware is back again - and the criminals behind it appear to be testing out new tactics ahead of what could be a more prolific campaign.
A ransomware campaign has returned with a new trick to fool the unwary into compromising their network with file-encrypting malware. And it's an attack that many Windows machines won't even recognise as potentially malicious.
The new variant of Paradise ransomware, which has been active in one form or another since 2017, spreads via phishing emails, but it's different from other ransomware campaigns because it uses an uncommon – but effective – file type to infiltrate the network.
This campaign leverages Internet Query files (IQY), which are text files read by Microsoft Excel to download data from the internet. IQY is a legitimate file type, so many organisations won't block it.
More here: https://www.zdnet.com/article/this-ransomware-campaign-has-just-returned-with-a-new-trick/
Ransomware Threatens to Reveal Company's 'Dirty' Secrets
Sticking with ransomware, the operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
In a new post by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victim's data but also sifting through it to find damaging information that can be used against the victim.
In the above post, the attackers are threatening to sell the Social Security Numbers and date of births for people in the data to other hackers on the dark web.
They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
Microsoft Releases Emergency Patch for Wormable Bug That Threatens Corporate LANs
Microsoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The patch for the vulnerability is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.
On Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017.
The critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft’s Patch Tuesday release this week.
Read more here: https://threatpost.com/wormable-unpatched-microsoft-bug/153632/
Nearly all IoT traffic is unencrypted
IoT devices are considered "low-hanging fruit" among cybercriminals.
Practically all of the traffic flowing from Internet of Things (IoT) devices is not encrypted, consequently putting both businesses and their customers at unnecessary risk of data theft and all others that follow.
This is according to a new report which analysed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organisations, finding that 98 per cent of all IoT device traffic is unencrypted.
That basically means that if intercepted, the data could be easily read and used.
So the question arises – how easy is it to eavesdrop on the data exchange between IoT devices and their respective servers? The report claims 57 per cent of IoT devices are vulnerable to either medium or high-severity attacks. IoT is perceived as “low-hanging fruit” for cybercriminals.
Read more here: https://www.itproportal.com/news/nearly-all-iot-traffic-is-unencrypted/
Microsoft takes down global zombie bot network
Microsoft has said it was part of a team that dismantled an international network of zombie bots.
The network call Necurs infected over nine million computers and one of the world's largest botnets.
Necurs was responsible for multiple criminal scams including stealing personal information and sending fake pharmaceutical emails.
Cyber-criminals use botnets to remotely take over internet-connected devices and install malicious software.
The software can be used to send spam, collect information about what activity the computer is used for or delete information without notifying the owner.
Tom Burt, Microsoft's vice-president for customer security and trust, said in a blog post that the takedown of Necurs was the result of eight years of planning and co-ordination with partners in 35 countries.
Watch out for Office 365 and G Suite scams, FBI warns businesses
The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.
Bang on cue, the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 and Google G Suite.
Warnings about BEC are ten-a-penny but this one refers specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:
Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.
As organisations move to hosted email, criminals migrate to follow them.
As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.
For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.
The deeper question is why BEC scams continue to be such a problem when it’s well understood that they can be defended against using technologies such as multi-factor authentication (MFA).
Microsoft Exchange Server Flaw Exploited by multiple nation state (APT) groups
A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.
Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
More: https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/
Cyberattackers are delivering malware by using links from whitelisted sites
Legitimate-looking links from OneDrive, Google Drive, iCloud, and Dropbox slip by standard security measures.
Bad actors have added a new snare to their bag of social engineering tricks— malicious OneDrive, Google Drive, iCloud, and Dropbox links. A new whitepaper asking "Is SaaS the New Trojan Horse in the Age of the Cloud?" describes this latest attack vector.
Links to these legitimate sites can often slip by standard security measures that stop malware and block access to suspicious sites. Many of these services are whitelisted by security products because they are approved services, meaning that an enterprise has few or no defences against these advanced attacks. These services are the latest tactic designed to dupe users into divulging their credentials or unknowingly download and install malware.
Tech Firms Offer Free Remote Working Tools, as Coronavirus Cases Surge
Move comes as companies scramble to polish remote working processes
Six technology companies are rolling out free or upgraded enterprise collaboration tools under a new “Open for Business” hub, in a bid to capture new users – and support enterprises scrambling to implement remote working protocols as coronavirus cases surge.
In the US, Amazon, Microsoft and Facebook have advised Seattle-area employees to work from home for the next few weeks. In the UK most companies are holding fire for now, but are most are rapidly updating policies and assessing tools.
Large organisations might be able to work through some of the emerging provisioning issues that come with a surge of remote workers — i.e. by increasing the number of licenses for their firewalls and VPNs — many small businesses don’t have the ability to quickly provision the resources they need to support their employees when working remotely.
More here: https://www.cbronline.com/news/free-remote-working-tools