August 2022 Newsletter

Posted By: Mark, Monday 12th September 2022

This month, we’re highlighting the most common malware threats in the wild; examining the growing size of DDoS attacks; looking at how cyber criminals are attempting to bypass multi-factor authentication; wondering if ransomware attackers hit the wrong water company; learning about new Facebook features; and finding out how Janet Jackson could crash your old hard disk drive.

Newsletter image: Malware threats

Be Aware Of These Malware Threats

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) have highlighted 11 malware families observed to be the top malware threats from the last year.

The list of malware strains includes remote access Trojans (RATs), banking Trojans, information stealers, and ransomware, most of which have been in use for more than five years and have been updated and evolved into many variations.

Cyber criminals use malware to deliver ransomware or to aid in the theft of personal and financial information.

Top 11 Malware Threats

The main malware threats in circulation are:

  • Agent Tesla: RAT – capable of stealing data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. This malware can also capture screenshots, videos, and Windows clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer. Its developers continue to add new functionality, including obfuscation capabilities and targeting additional applications for credential stealing.
  • AZORult: Trojan – used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials, and cryptocurrency information. AZORult’s developers are constantly updating its capabilities.
  • FormBook: Trojan – information stealer advertised in hacking forums. FormBook is capable of key logging and capturing browser or email client passwords, but its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVEs).
  • Ursnif: Banking Trojan – steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for unencrypting files.
  • LokiBot: Trojan – malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.
  • MOUSEISLAND: Macro Downloader – usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack.
  • NanoCore: RAT – used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims. Malware developers continue to develop additional capabilities as plug-ins available for purchase or as a malware kit, or shared amongst malicious cyber actors.
  • Qakbot: Trojan – originally observed as a banking Trojan, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinkslipbot, Qakbot is modular in nature, enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets.
  • Remcos: RAT – marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system. Malicious cyber actors then use the Remcos backdoor to issue commands and gain administrator privileges while bypassing antivirus products, maintaining persistence, and running as legitimate processes by injecting itself into Windows processes.
  • TrickBot: Trojan – malware often used to form botnets or enabling initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware. In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services.
  • GootLoader: Loader – a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. As a loader malware, GootLoader is usually the first stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.

Mitigating Malware Threats

Recommendations for mitigating the dangers of these cyber threats include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems, especially for known exploited vulnerabilities, making offline backups of data, and enforcing multi-factor authentication (MFA).

LaneSystems offer a range of IT services to businesses around the North East of England. Keep your data protected and backed up, and find out how to stay cyber safe.


Newsletter image: DDoS Attacks

DDoS Attacks Getting Larger

Distributed Denial-of-Service incidents – where attackers attempt to knock a victim offline by flooding their server or network with so many requests and so much internet traffic as to overwhelm resources and render them unavailable – are on the increase, and this year has seen three of the largest DDoS attacks ever recorded.

Back in April, Cloudflare successfully blocked a then-record-breaking HTTPS-based DDoS attack on a client, which peaked at 15.3 million requests-per-second (rps). At the time this was seen as a significant attack because, as their analysts noted:

“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection. Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

This was followed, in June, by another HTTPS-based DDoS attack on a Cloudflare customer, dubbed ‘Mantis’, that hit a peak of 26 million rps. Again, Cloudflare mitigated the attack, but noted that:

“Large attacks are growing in size and frequency – but remain short and rapid. Attackers concentrate their botnet’s power to try and wreak havoc with a single quick knockout blow – trying to avoid detection.

“DDoS attacks might be initiated by humans, but they are generated by machines. By the time humans can respond to the attack, it may be over. And even if the attack was quick, the network and application failure events can extend long after the attack is over.”

Last month, it was Google’s turn in the crosshairs, as they reported one of their Cloud Armor customers being targeted with a series of HTTPS DDoS attacks which peaked at 46 million requests per second. Another record-breaking attack.

Google described the attack as ‘like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds’.

Cloud Armor was able to block the attack and keep their customer online.

Both Cloudflare and Google noted that each attack involved thousands of compromised computers in hundreds of countries around the world being used to contribute to the attack.

DDoS attacks flood 2022

Radware compiled a threat analysis report documenting a 203% increase in DDoS attacks per customer during the first six months of 2022, compared to the first six months of last year, and a 239% hike compared to the last six months of 2021. It mitigated 60 percent more DDoS attacks in the first six months of this year than in the entire 12 months of 2021. The average volume blocked per customer per month in 2022 (between January and June) reached 3.39 TB, a 47 percent increase compared to 2021.

As with other threats in the cybersecurity world, it’s likely that DDoS attacks will continue to increase in volume and size in the months and, probably, years to come.


Newsletter image: Multi Factor Authentication

Hackers Are Finding Ways Around Multi-factor Authentication

One of the standard recommendations to mitigate the threat of cyber attacks is to use multi-factor authentication (MFA) — requiring users to prove their identity through two or more verification methods.

The additional factor of MFA for accessing a system creates an extra barrier to keep attackers out. While a cyber criminal may be able to obtain an employee’s password, it is of little use on its own if they also need a separate verification via an SMS code, an authenticator app or a security key to get into the targeted system.

Types Of Multi-Factor Authentication

A quick refresher on MFA. Authentication factors fall into three types:

  • Things you know (knowledge) — usually a password or PIN
  • Things you have (possession) — commonly an authenticator app or a physical key
  • Things you are (inherence) — biometrics like fingerprints or face scans

While MFA is certainly an improvement on a simple username and password login, and a strong deterrent in most situations, it’s only an extra layer of security and not completely infallible. Cyber security analysts are seeing an increase in attacks by hackers targeting some of the more common MFA procedures, and are noting patterns in how cyber criminals bypass some types of MFA.

Common Methods Used to Bypass MFA

Hypr provides an overview of the various tactics used by hackers to circumvent multi-factor authentication controls.

Phishing

Phishing has evolved from password theft to stealing the full set of credentials needed to bypass MFA. Increasingly, phishing that can bypass MFA is becoming more automated, with over 1,200 phishing toolkits deployed in the wild. These use techniques such as session cookie theft and reverse proxies, so that all entered credentials pass through the attacker’s server.

SMS-initiated phishing attacks are also on the rise. Also known as smishing, these use similar techniques to email-based phishing but the origin point is a text message from a supposedly trusted source.

SMS One Time Password Attacks

SMS one-time passwords (OTPs) are still one of the most common second factors because they are easy to implement. Readily available attack kits use an automated bot service to steal OTP codes. Not only is SMS OTP a seriously flawed process, but it also gives a veneer of security that prevents the pursuit of more secure authentication.

Accidental Push Accept

Many services use a push notification through an authenticator app as the second authentication factor. Push notification attacks, also called “MFA prompt bombing”, exploit push fatigue and how little attention many of us pay to such notifications.

Generally the attacker already has a valid username and password and logs in with these to trigger a push notification. The attacker issues multiple MFA requests to the end user’s legitimate device until the user eventually accepts the authentication.
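The tell-tale sign of prompt bombing on the defender’s side is a burst of push challenges to one user inside a short window, often several denials followed by an approval. The detector below is an added example written for this newsletter, not code from Hypr or from any authentication product; it runs over constructed log lines in an assumed “timestamp user event source_ip” format (real products log differently, so the parser would need adjusting) and flags a user whose push challenges exceed a threshold within the window, escalating when an approval follows the denials.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real product).
# Format assumed for this example: "<ISO timestamp> <user> <event> <source_ip>"
SAMPLE_LOG = """\
2022-08-15T08:01:02Z alice push_denied 203.0.113.7
2022-08-15T08:01:31Z alice push_denied 203.0.113.7
2022-08-15T08:02:04Z alice push_denied 203.0.113.7
2022-08-15T08:02:40Z alice push_denied 203.0.113.7
2022-08-15T08:03:15Z alice push_approved 203.0.113.7
2022-08-15T09:10:00Z bob push_approved 198.51.100.20
2022-08-15T17:45:00Z bob push_denied 198.51.100.20
2022-08-15T17:46:10Z bob push_approved 198.51.100.20
"""

PUSH_EVENTS = {"push_denied", "push_approved"}


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, src_ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src_ip


def detect_prompt_bombing(log_text, window=timedelta(minutes=5), threshold=4):
    """Return one alert per burst of push challenges to a single user.

    A burst is `threshold` or more push challenges within `window`. The alert
    records how many prompts the user received, how many they denied, and
    whether an approval arrived while the burst was still running, which is
    the outcome an attacker is hoping for.
    """
    recent = defaultdict(deque)   # user -> (timestamp, event) inside the window
    active = {}                   # user -> alert dict for a burst still in progress
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src_ip = parse_line(line)
        if event not in PUSH_EVENTS:
            continue

        q = recent[user]
        q.append((ts, event))
        # Slide the window: drop challenges older than `window`.
        while ts - q[0][0] > window:
            q.popleft()

        if len(q) < threshold:
            active.pop(user, None)    # any earlier burst for this user has ended
            continue

        denials = sum(1 for _, e in q if e == "push_denied")
        alert = active.get(user)
        if alert is None:
            alert = {
                "user": user,
                "src_ip": src_ip,
                "first_seen": q[0][0],
                "approved_after_denials": False,
            }
            active[user] = alert
            alerts.append(alert)
        # Keep the open alert current as the burst continues.
        alert["last_seen"] = ts
        alert["prompts"] = len(q)
        alert["denials"] = denials
        if event == "push_approved" and denials >= 1:
            alert["approved_after_denials"] = True

    return alerts


if __name__ == "__main__":
    for a in detect_prompt_bombing(SAMPLE_LOG):
        print(f"{a['user']}: {a['prompts']} prompts, {a['denials']} denied, "
              f"approved after denials: {a['approved_after_denials']}")
```

Running it on the constructed log flags alice (five prompts in under three minutes, four denied, then approved) and leaves bob alone, since his two challenges hours apart never exceed the threshold. The window and threshold are tuning knobs; a user who approves after a run of denials is the case worth an immediate follow-up, and the same pattern is a good argument for number matching or a similar prompt-verification step in the authenticator rather than a plain approve button.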

IT Help Desk Social Engineering

The hacker impersonates an employee to find out which procedures are used to confirm a password reset request. Along with possibly revealing information such as the victim’s login, this tells the attacker exactly what details they need to acquire to achieve a password reset and then an account takeover.

Using Robocalls

Robocalls play a role in many scams, including those used to bypass MFA. Automated hacking services such as SMS Buster and SMSRanger boast success rates of up to 80% in getting people to supply account details, including OTPs sent by service providers. Robocalls can effectively copy what someone’s bank or insurance provider sounds like and convince them to hand over details.

Man-in-the-Middle Attacks

In a man-in-the-middle (MitM) attack, the hacker eavesdrops on or actively intercepts the communications between two parties; either two users, or, increasingly, a user and an application or server. This allows them to steal information the user sends, such as login credentials, account details and credit card numbers.

SIM Swapping

Similar to help desk attacks, SIM swapping uses social engineering to get service providers to reset someone’s account — in this case, to assign their cell phone number to a new SIM card. Once they’ve successfully swapped your number onto their SIM, any communications, including OTPs, will be sent to their phone, allowing them to bypass MFA protocols.

Is There A Right MFA Solution?

Multi-factor authentication will stop a significant number of account takeover attempts, but there’s no single best way to implement it. As cyber criminals become more sophisticated they’ll come up with strategies to target MFA to get what they want. Defending it requires extra layers which don’t always come down to technology, but also to the knowledge and training of the staff likely to be targeted for information. Being aware of the limitations and potential attack vectors of any authentication method greatly reduces the risk of being caught out.

Call us for expert advice on managing your business’s IT and cybersecurity requirements.


Newsletter image: ransomware attack on water company

Ransomware Attackers Extort Wrong Water Company

A UK water company became the victim of a ransomware gang, in August, although exactly which water company was targeted was initially unclear.

South Staffordshire Water, based in the Midlands, issued a statement confirming they were dealing with disruption to their IT systems because of a cyberattack, while the Russian Clop gang posted to its website claiming to have breached London’s Thames Water, accessing their SCADA systems and stealing data.

As The Register reports:

“The cybercriminals said that after negotiations with the water company broke down, they published a raft of stolen documents, from passport scans and driver’s licenses to screenshots of software user interfaces. They claimed to have more than 5TB of data taken from the victim organization, as well as access to some SCADA systems.

“They also taunted Thames Water, writing they had spent months inside the company’s network and that it had ‘very bad holes in their systems.’

However, Thames Water released a statement disputing the claims and confirming their systems were fully operational.

As BleepingComputer explains:

“One key detail in the case is that among the published evidence, Clop presents a spreadsheet with usernames and passwords, which features South Staff Water and South Staffordshire email addresses.

“Additionally, BleepingComputer observed, one of the leaked documents sent to the targeted firm is explicitly addressed to South Staffordshire PLC.

“As such, it’s very likely that Clop misidentified their victim or that they are attempting to extort a much larger company using false evidence.”

South Staffordshire Water said the cyberattack hadn’t affected water operations and customers’ supplies were unaffected.

“This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers. This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.

“We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual.”

Clop updated their information about the attack a few days later.


Newsletter image: Facebook

Facebook Trialling Messenger Security And Privacy Features

Meta announced, this month, that it is testing end-to-end encryption as the default mode for some users of its Facebook Messenger app on Android and iOS. Other features going to trial include an ‘unsend’ feature, which allows you to remove a message from everyone in a chat, similar to the ‘delete for all’ option in WhatsApp group chats, while Secure Storage will store chats in Meta’s own data centres rather than on users’ devices. This will allow encrypted chat histories to be recovered if the phone is lost. Secure Storage will become “the default way to protect the history of your end-to-end encrypted conversations on Messenger”.

End-to-end encryption (E2E), a mechanism that allows only the sender and the recipient to access the messages, has been available on the platform since 2016, but users have to opt in to make their messages secure. Meta had originally planned to make E2E encryption the default during 2022, but that was pushed back to 2023.

Although Meta claims these changes have been in the pipeline for a while, they did come in for criticism for handing over message information to US law enforcement recently in an investigation over an abortion.

The Guardian US reports: “[H]ad all Facebook messages been encrypted by default back in June when Nebraska police issued a search warrant for Facebook user data of the mother investigated in the case, Facebook would not have messages to hand over to police in the first place.”

“The only way for companies like Facebook to meaningfully protect people is for them to ensure that they do not have access to user data or communications when a law enforcement agency comes knocking,” Evan Greer, the director of the digital rights group Fight for the Future, said. “Expanding end-to-end encryption by default is a part of that, but companies like Facebook also need to stop collecting and retaining so much intimate information about us in the first place.”

The Secure Storage functionality will require users to create a PIN or generate a code to use to access the backups in future.


Newsletter image: Janet Jackson crashes hard drives

Janet Jackson Can Crash Laptops

The video for the 1989 pop hit Rhythm Nation, by Janet Jackson, has been recognised as an exploit for a cybersecurity vulnerability. Microsoft reports that it can crash certain types of old laptop after a manufacturer found it froze machines using an old hard disk drive (HDD). The manufacturer noticed that it could even crash laptops near the one playing the video.

An old 5400 RPM hard drive, which was commonly used by many different manufacturers at the time, resonates at a frequency present in the song. Microsoft blogger Raymond Chen wrote:

“One discovery during the investigation is that playing the music video also crashed some of their competitors’ laptops.

“And then they discovered something extremely weird: Playing the music video on one laptop caused a laptop sitting nearby to crash, even though that other laptop wasn’t playing the video!

“What’s going on?

“It turns out that the song contained one of the natural resonant frequencies for the model of 5400 rpm laptop hard drives that they and other manufacturers used.

The manufacturer worked around the problem by adding a custom filter in the audio pipeline that detected and removed the offending frequencies during audio playback.”

Although the chances of this being a security risk are minuscule, it’s still enough of an issue to get added to the register of Common Vulnerabilities and Exposures (CVEs) – the definitive list of cybersecurity vulnerabilities to be aware of – as CVE-2022-38392.

Although modern laptops rarely contain an HDD – preferring the smaller, lighter and speedier solid state drive (SSD) – and any that still do don’t spin as slowly as that old drive, there could be old systems running out there, and they could be vulnerable to a side-channel attack.

As Bleeping Computer explains:

“Resonance is a physical phenomenon by which the sound produced by an object vibrates at the same frequency as the sound waves from another object. This can give rise to an increased amplitude. This is how bridges have collapsed in the past and also why soldiers break stride when marching across a bridge.

“In 2017, a security researcher named Alfredo Ortega demonstrated how playing a 130Hz tone could make an HDD stop responding to commands almost entirely. The same year, scientists from Princeton and Purdue published research explaining acoustic attacks on hard drives that could sabotage PCs, ATMs and CCTV systems.