Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats including malware and PowerPoint trojans, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

Neu Cyber Threats

Major UK organisation hit by cyber attack

Major UK organisation KP Snacks has been hit by a cyber attack – causing delays and cancellations to deliveries that could last “until the end of March at the earliest”. A letter from KP Snacks sent to store owners on 2 February said its systems had been “compromised by ransomware” and it “cannot safely process orders or dispatch goods”.

KP Snacks revealed the hack wiped out its IT and communications systems beginning on 28 January, and said in a letter: “We have teams working through the resolution, but it is unknown when this will be resolved”. Messages sent by Nisa to partnered stores on 1 February, told local shops to “expect supply issues on base stock and promotions until further notice”.

The wholesaler added: “Initial discussions have highlighted that no orders will be being placed or delivered for a couple of weeks at least and service could be affected until the end of March at the earliest.” Nisa said it was introducing ordering caps in order to “manage what stock we do have”.

Files seen by researchers showed KP Snacks listed on hacker group Conti’s confidential ‘data leak page’. The site alleged that examples of KP Snacks related “credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements, and other sensitive documents” were shown on the data leak page.

Asked about the incident, a KP Snacks spokesperson responded: “On Friday, 28 January we became aware that we were unfortunately victims of a ransomware incident. As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation.

“Our internal IT teams continue to work with third-party experts to assess the situation. We have been continuing to keep our colleagues, customers, and suppliers informed of any developments and apologise for any disruption this may have caused.”

Visit the Neuways blog for more on the KP Snacks incident and the deeper ramifications of this story.

Low detection phishers bypass MFA

Researchers have warned that phishing kits are focussing on bypassing multi-factor authentication (MFA) methods – typically by stealing authentication tokens via a man-in-the-middle (MitM) attack.

It is the latest response from cyber criminals to the increase in adoption of MFA. MFA-bypass phishing kits are rapidly growing. According to researchers they range from, “simple open-source kits with human readable code and no-frills functionality, to sophisticated kits utilising numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, Social Security numbers and credit-card numbers.”

Researchers additionally noted that MFA-bypass kits represent a security blind spot, with the associated IP addresses and domains often skating by detection.

According to Proofpoint, one of the phishing-kit approaches that is particularly gaining steam is the use of transparent reverse proxies (TRPs), which enable attackers to insert themselves into existing browser sessions. This MitM approach lets adversaries hide out and harvest information as it is entered or appears on the screen.

This is a departure from traditional phishing, in which attackers create copycat sites that mimic Windows log-in pages in order to trick targets into entering their credentials. That traditional approach leaves plenty of room for red flags to appear, such as outdated logos, poor grammar and spelling errors.

Researchers noted: “Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely.”

Meanwhile, attackers will hang out and steal session cookies. These can be used by the threat actor to gain access to the targeted account without the need for a username, password or MFA token.

While these tools aren’t new, they’re increasingly being used to bypass MFA, which is worrying given how rarely they are detected. Researchers developed a tool that identified 1,200 MitM phishing sites, yet just 43.7% of those domains and 18.9% of their IP addresses were flagged as malicious – despite having lifespans of 20 days or more.

Researchers said: “As more companies follow Google’s lead and start requiring MFA, threat actors will rapidly move to solutions like these MitM kits. They are easy to deploy, free to use and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new, unexpected directions.”

PowerPoint files being used as malware trojans

Attackers are using under-the-radar PowerPoint files to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer.

Researchers have found that the method is one of several attack techniques currently in use. Desktop users have been targeted through trusted applications they use daily, via emails designed to evade security detections and appear legitimate.

A “little-known add-on” in PowerPoint – the .ppam file – is being used to hide malware. Researchers said that the file has bonus commands and custom macros, among other functions. Beginning in January, attackers were observed delivering socially engineered emails that include .ppam file attachments with malicious intent.

One email observed in the campaign, for example, purported to be sending the recipient a purchase order. The attached .ppam file – named PO04012022 to appear legitimate – included a malicious executable. The payload executed a number of functions on the end user’s machine that were not authorised by the user, including installing new programmes that create and open new processes, changing file attributes, and dynamically calling imported functions.

Researchers said: “By combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company”. The campaign allows attackers to bypass a computer’s existing security – in this case, security provided by Google – with a file that’s rarely used and thus won’t trip an email scanner.

In October, reports first surfaced that attackers were using .ppam files to wrap ransomware and disguise malware.

The latest scam is one of several new email-based campaigns uncovered by researchers recently to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud. Attackers typically use email to deliver malicious files or links that steal user information.

In November, reports surfaced that scammers were using a legitimate Google Drive collaboration feature to trick users into clicking on malicious links in emails or push notifications that invited people to share a Google document. The links directed users to websites that stole their credentials.

This was followed up by a wave of phishing attacks that researchers identified in December. These mainly targeted Outlook users, using the “Comments” feature of Google Docs to send malicious links that also lifted credentials from victims. Threat actors didn’t stop there though, and were found creating accounts within the Adobe Cloud suite. Images and PDFs were sent that appeared legitimate but instead delivered malware to Office 365 and Gmail users.

To stop email scams slipping past corporate users, we advise two measures. The first is to install email protection that ensures every file received is inspected for malicious content. The second is to take extra security steps – such as dynamically analysing emails for indicators of compromise (IoCs) – to ensure the safety of messages coming into the corporate network.
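One way to put the attachment-inspection advice above into practice, as an added example that is not the newsletter’s or any vendor’s code: a Python check that walks an email’s MIME parts and flags attachments that use the .ppam add-in extension, or whose bytes do not match the format the file name implies. The sample message, its file names and the harmless MZ stub are constructed for the demonstration; the extensions listed beyond .ppam are an assumption about what a mail filter would group with it.

```python
import email
from email import policy
from email.message import EmailMessage

# .ppam is the PowerPoint add-in discussed above; the others are assumed
# companions that a mail filter would typically treat the same way.
SUSPECT_EXTENSIONS = {".ppam", ".ppa", ".xlam", ".docm", ".pptm", ".xlsm"}


def inspect_attachments(raw_message: bytes) -> list:
    """Walk every MIME attachment and return findings for parts that use a
    rarely-sent Office add-in extension or whose bytes contradict it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        reasons = []
        if ext in SUSPECT_EXTENSIONS:
            reasons.append(f"rarely-used Office extension {ext}")
        # Modern Office add-ins (.ppam) are OOXML zip containers: 'PK\x03\x04'.
        if ext == ".ppam" and not data.startswith(b"PK\x03\x04"):
            reasons.append("content is not an OOXML zip container")
        # An 'MZ' header means the bytes are a Windows executable, whatever
        # the file name claims.
        if data.startswith(b"MZ"):
            reasons.append("content is a Windows PE executable")
        if reasons:
            findings.append({"filename": name, "size": len(data), "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the purchase-order lure described
    above. The attachment is a 64-byte MZ stub, not a real executable."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "buyer@example.invalid"
    msg["Subject"] = "Purchase order PO04012022"
    msg.set_content("Please find attached the purchase order.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="PO04012022.ppam")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample()):
        print(finding)
```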

Researchers said: “If an email fails a check, it is usually due to there being an insignificant historical reputation with the sender.” The check referred to is an email authentication technique used to prevent spammers and other bad actors from sending messages spoofed to appear to come from another domain name.

A combination of email security and phishing awareness training can go a long way towards shoring up your business against these types of malware attacks, but they need to be part of a wider cyber security culture and strategy for optimal effect.

New malware being used in threat campaigns

Flubot, the Android spyware that’s been spreading virally since last year, has begun to be used alongside another mobile threat known as Medusa.

Researchers found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns. The Flubot malware (aka Cabassous) is delivered to targets through SMS texts that prompt them to install a “missed package delivery” app or a faux version of Flash Player.

If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. Then it sets about gaining permissions, stealing banking information and credentials, as well as lifting passwords stored on the device and exfiltrating various pieces of personal information. The malicious implant sends out additional text messages to the infected device’s contact list, which allows it to go viral.

Researchers noted: “Threat intelligence shows that Medusa followed with exactly the same app names, package names and similar icons. In less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.”

And, worryingly enough, these results are for just one botnet. Researchers added that Medusa has multiple botnets carrying out multiple campaigns. First discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-complete control over a user’s device, including capabilities for keylogging, banking trojan activity, and audio and video streaming. Since then, it has received several updates and improved its obfuscation techniques as it tries to make the most of Flubot’s infrastructure.

For example, it has gained an accessibility-scripting engine that allows actors to perform a set of actions on the victim’s behalf, with the help of Android Accessibility Service. This allows it to execute commands in any app running on a victim’s device. Researchers noted: “A command like ‘fillfocus’ allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.”

Accessibility event logging is a companion upgrade to the above. With a special command, Medusa collects information about active windows, including the position of fields and certain elements within a user interface, any text inside those elements, and whether a field is a password field.

As with many cyber threats, the best rule of thumb is to use caution when interacting with any message you receive. Never click on attachments or hyperlinks in an email that demands urgent action, and never fill in account credentials in response to one. Doing so could allow cyber criminals to gain access to your corporate network and cause damaging downtime as a result.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.