Managed service providers serving as a new gateway for ransomware attacks
Ransomware distributors have started to target managed service providers (MSPs) – providers that remotely manage a customer's IT infrastructure and end-user systems – in an effort to mass-infect the MSP’s clients in a single attack. Recent reports indicate multiple MSPs have been hacked, infecting thousands of clients with a ransomware known as GandCrab.
- A user reported in a recent post on the MSP Reddit channel that a local mid-sized MSP was hacked and used to distribute the GandCrab ransomware to 80 client endpoints.
- According to researchers, attackers are gaining access to the MSPs through a vulnerability in the plugin used to connect Kaseya and ConnectWise, two products commonly used by MSPs to manage client endpoints and perform remote administration.
- ConnectWise is commonly used as a customer relationship manager and ticketing system. Kaseya is used to perform remote management on client endpoints.
- The vulnerability, disclosed over a year ago in the ManagedITSync plugin used to integrate Kaseya and ConnectWise, can be used to perform various commands in Kaseya, including resetting the administrator password.
- Once attackers gain access to Kaseya, they can push out commands to install programs, such as GandCrab ransomware, on the various client endpoints.
- ConnectWise advises MSPs to upgrade to a newer version of the plugin and delete the old connector, especially the ManagedIT.asmx file. ConnectWise has also released a tool allowing clients to scan their servers for the affected plugin.
- In October 2018, the U.S. Department of Homeland Security issued Alert TA18-276B, titled "Advanced Persistent Threat Activity Exploiting Managed Service Providers," discussing how bad actors have been targeting MSPs to gain access to customers' networks.
Source: Bleeping Computer
Cobalt Strike exploits Google App Engine to spread malware to global financial firms
The advanced persistent threat (APT) group, Cobalt Strike, has been using Google App Engine to spread PDF malware against financial firms.
- The attack is described as a sophisticated malware campaign in which cybercriminals are using the Google App Engine (GCP) framework and cloud computing platform to deliver malware via PDF documents.
- IT security researchers at Netskope, who identified the attack, note that the campaign is currently targeting government and financial institutions, particularly banking giants, across the world.
- Evidence suggests Cobalt Strike, known for malware attacks against financial firms, is the main culprit.
- Netskope began looking into the issue last month after noticing that several of its clients in the financial sector had received emails containing .eml attachments with the same detection name. On closer inspection, its researchers confirmed that the .eml attachments were what triggered the detection.
- The .eml files downloaded Microsoft Word documents with obfuscated macro code, or PDF documents, as the second-stage payload.
- Typically, PDF readers display a security warning when a user opens a document that connects to a website; however, the warning also lets users select “remember this action for this site” before proceeding, after which any URL within that domain opens without a warning. The domain in this case was appengine.google.com, which appears to be a trusted site. Once the “remember” box was checked, the cybercriminals were able to get around the security warning.
Threat actor targeting U.S. companies through LinkedIn
An ongoing campaign attempting to infect U.S. business users, believed to be perpetrated by the same actor carrying out the credit union scam, has been using LinkedIn to initiate a conversation and deliver a backdoor payload.
- Common targets include retail, entertainment, pharmacy, and other industries that commonly handle online payments.
- The campaign uses LinkedIn in an attempt to infect users with the “More_eggs” backdoor.
- The threat actor has been using a fraudulent LinkedIn profile, created legitimately, to initiate contact with targets through direct message.
- The actor followed up within a week with an email reminding the target of the prior attempt to communicate on LinkedIn and providing a fake job opportunity.
- Users are encouraged to click on a link to view a job description or open an attached PDF with embedded URLs or other malicious attachments. Proofpoint’s security researchers have observed several variations of the attack, but note most shared common characteristics.
- Targets who take the bait and click on the link are directed to a landing page that appears to be a real talent and staffing management company, going so far as to use stolen branding to add legitimacy. The page, when opened, initiates a download of a Word document containing malicious macros.
- If the user allows the malicious macros to run, the “More_eggs” backdoor downloads and executes.
- The malicious Word documents were built using commercially available malware kits, most likely purchased on the same dark web forum.
- Threat actors are moving away from large-scale campaigns to more of a focus on persistent infections with downloaders, remote access Trojans (RATs), bankers, and other malware, using sophisticated social engineering to fly under the radar.
Source: Security Week
Business Email Compromise continued meteoric rise in Q4
Proofpoint released their Threat Report for the fourth quarter of 2018, indicating continued high volumes of banking Trojans, downloaders, and information stealers relative to other malware families, as well as the increasing pervasiveness of remote access Trojans (RATs), the rapid influx of email fraud, and the continued growth of social media fraud. Key takeaways from the report include:
- Email remains by far the most common vector for malware attacks and phishing schemes; the rate of email fraud continues on its meteoric climb.
- Bankers, downloaders, and information stealers comprised 90% of all malware payloads; remote access Trojans (RATs) doubled relative to other malware families, appearing in 8% of all campaigns.
- Banking Trojans made up 56% of all malicious payloads in Q4; of those, 76% were Emotet.
- Emotet, Panda Banker and Ursnif comprised almost 97% of observed banking Trojans.
- Business email compromise (BEC), or email fraud, continued its rapid growth with the number of attacks per targeted organization increasing 226% from Q3 to Q4, and 476% from 2017 to 2018 overall.
- Social media channels remain key vectors for fraud and theft. While social media platforms have reduced phishing and spam links dramatically, social media support fraud, or “angler phishing,” continues to rely on human interactions. Angler phishing increased 442% year over year and 40% over the previous quarter.
- In 2018, malicious links appeared three times as often as messages with malicious attachments.
Source: Proofpoint
User data from MyFitnessPal, other online accounts, up for sale on the dark web
Users of the popular MyFitnessPal app and other online accounts may want to change their passwords after details from 617 million accounts from 16 hacked websites were posted for sale on the dark web in February.
- The three largest breaches include Dubsmash, MyFitnessPal and MyHeritage, accounting for 405 million records, or 65% of the accounts for sale.
- The data consists mainly of names, email addresses, and encrypted passwords.
- According to the seller, throughout 2018, he or she exploited security vulnerabilities to gain remote-code execution and extract user data.
- The seller is asking less than $20,000 in Bitcoin on the Dream Market cyber-souk within the Tor network.
- Another good reminder to use different, hard-to-guess passwords for each online account.
Source: The Register
Dunkin’ Donuts forces password reset following credential stuffing attack
Dunkin' Donuts announced that it was the victim of a credential stuffing attack, the second such incident within three months, in which hackers gained access to customer accounts. The announcement highlights the growing trend of credential stuffing attacks as data breaches continue to provide hackers with an endless supply of credentials.
- Dunkin' Donuts forced a password reset for all DD Perks customer loyalty accounts that may have been affected, requiring users to log in again and reset their password.
- Hackers gained access with user credentials leaked from other sites.
- Instead of stealing user data, the hackers stole the accounts, which have been popping up for sale on dark web forums.
- Botnets for rent have become a growing trend, allowing hacker groups to run scripts (such as the SNIPR script) and automate credential stuffing attacks against a wide range of online services.
- Hackers carrying out credential stuffing attacks exploit affected accounts by extracting and reselling personal information to financial fraud operators or by selling access to the hacked accounts.
Source: ZDNet
Botnet activity on the rise while DDoS activity dropped off in 2018
Cybersecurity firm Kaspersky released its fourth quarter report on distributed denial of service (DDoS) activity, noting 13% less DDoS activity in 2018 than the previous year. Additional highlights from the report include:
- Security researchers detected a number of new botnets in Q4 designed to carry out DDoS attacks, including:
  - Chalubo bot, first detected in August 2018
  - Torii botnet, targeting IoT devices, detected in September 2018
  - DemonBot
- Researchers also noted a new DDoS launch platform. First discovered on October 17, 2018, the platform, named “0x-booter” can support attacks with a capacity of up to 420 Gb/s based on just over 16,000 bots infected with Bushido IoT malware, a modified version of the Mirai botnet.
- 0x-booter was used in more than 300 DDoS attacks in October alone, including an attack against the Japanese video game publisher Square Enix.
- In November, the U.S. Council on Foreign Relations (CFR) called for a global initiative to reduce the number of botnets.
Source: Securelist
Breach suspected, but not confirmed in credit union spear phishing campaign
Anti-money laundering contacts at credit unions were the target of a malware-laced spear phishing campaign in February. Many of the credit unions suspect the data, which is not available to the public, may have been obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions, similar to the FDIC.
- Bank Secrecy Act (BSA) officers, responsible for reporting suspicious financial transactions potentially tied to money laundering, began receiving emails designed to convince the user the email was from BSA officers at other credit unions.
- The email, which addressed each contact by name, claimed that a suspicious transfer from one of the credit union’s customers was put on hold for suspected money laundering, then encouraged recipients to open an attached PDF to review the suspect transaction.
- The PDF itself came back clean, but included a malicious link.
- NCUA conducted a comprehensive review of its security logs and alerts, but did not find any indication of a data breach.
Source: Krebs on Security
FINRA warns brokerage firms of credit union phishing campaign
The Financial Industry Regulatory Authority (FINRA) issued a notice to brokerage firms in response to a phishing attack targeting firms with malicious emails.
- As in the credit union attack, a number of brokerage firms received suspicious-looking emails appearing to come from a legitimate credit union.
- The email claimed that a transaction made by a client of the brokerage to the credit union was put on hold because of money laundering concerns, then directed the recipient to open a document likely containing malware designed to gain access to the user’s network.
- The message also carried other fraud red flags: the sender’s email address pointed to a European domain rather than the credit union’s, and the message was riddled with grammatical and spelling errors.
- FINRA warns in the notice that the sender “attempted to give some legitimacy to the email” by including references to a Patriot Act provision related to the ability of financial institutions to share information with each other.
- Authorized by Congress, FINRA is a not-for-profit organization which regulates exchange markets and member brokerage firms to ensure that the broker-dealer industry functions equitably and honestly.
Source: Bleeping Computer
Phishing site adds "Live Support" to scam unwary users
Scammers operating a phishing website to obtain Office 365 credentials recently added a “live support” feature to increase the appearance of legitimacy and trick new victims into giving up account information.
- “Live chat” support gained popularity with ransomware cybercriminal groups as a means of enabling victims to pay ransom in bitcoin.
- Discovered by security researcher Michael Gillespie, the scam begins with an email pretending to be from Microsoft regarding a user’s Office 365 renewal.
- The name of the sender appears as MSOffice, but the email address is blatantly fake, pointing to an “officefamily” domain. Unfortunately, the name alone is enough to fool some users into believing the legitimacy of the notification.
- Users that take the bait and click the link are directed to an illegitimate website attempting to pass as an official Microsoft resource.
- Users attempting to log in inevitably fail and turn to the “live support” feature for help.
- The victim is asked to provide sensitive details about the Office 365 account, often enough to hijack the user’s account.
- The “live support” person could also potentially trick the victim into providing remote access to the computer.
Source: Bleeping Computer