Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats, including malware and PowerPoint trojans, to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

SIM-swapping spike causes millions in losses

SIM-swapping is on the rise, leading to millions in losses for consumers who found their bank accounts drained and other accounts taken over. The attacks, which consist of duping mobile carriers into switching a target’s phone services to an attacker-controlled phone, have accelerated by several hundred percent in one year.

SIMs are small chips inside mobile phones that allow the network to identify and register subscriber devices – a requirement to provide service to them. Most attacks take the form of social engineering, where cyber criminals impersonate victims and convince customer service departments to change victims’ services to new phones that they control.

Once the service has been redirected, the crooks have access to any of the victims’ calls, texts, voicemails and saved profile data. This allows them to send password reset and account recovery requests to the victim’s email. In turn, this enables them to defeat multi-factor authentication, which uses one-time passcodes, allowing them to crack high-value accounts.

While SIM-swapping isn’t a new practice, the attacks now seem to be accelerating at a rapid pace. Last year, 1,611 SIM swapping complaints were received, with adjusted losses stemming from resulting account takeovers and data theft totalling more than £50 million. In contrast, for the entire three-year period between January 2018 to December 2020, there were just 320 SIM-swapping complaints, with adjusted losses of approximately £8.8 million.

It isn’t a difficult plan to execute successfully, as many networks don’t ask in-depth security questions that verify that the caller is the legitimate user. Often, the questions can be answered with previously phished information or even with public information found on social media. The frequency of large-scale data breaches also contributes to this particular scam’s higher success rate, according to researchers.

“When people wonder what the consequences of large-scale data breaches are, this is exactly it. Both people and companies have become conditioned to being able to verify identity through simple questions like mother’s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur.”

Other attack vectors include phishing and insider-threat avenues. For instance, when it came to light in 2019 that Twitter CEO Jack Dorsey was the victim of a SIM swap, it was reported that “hacking crews have paid off phone company employees to do…switches for them, often for as little as £75 for each phone number.”

There’s very little that end users can do to avoid becoming victims of SIM-swapping. Primarily, it’s the mobile phone company’s responsibility to ensure its customers don’t get scammed. Researchers added: “All organisations, but especially service providers, must move from more simplistic means of validating identity to more sophisticated ones. PIN codes unique to each user’s account can be one way of adding additional security to the process.

“Out of wallet questions are another alternative that works by verifying much harder to compromise information, such as the last three home addresses or cars. It may be more of a hassle for everyone, but it’s simply no longer viable to rely on information that has been routinely compromised to validate a person’s identity.”

This attack vector has grown so much that the FBI has issued advice to both mobile networks and consumers:

Mobile networks

  • Educate employees and conduct training sessions on SIM swapping.
  • Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
  • Set strict security protocols enabling employees to verify customer credentials before changing their numbers to a new device.
  • Authenticate calls from third-party authorised retailers requesting customer information.

Consumers

  • Do not advertise information about financial assets on social-media websites and forums.
  • Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialling the customer service line of your mobile network.
  • Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.
  • Use a variation of unique passwords to access online accounts.
  • Beware of any changes in SMS-based connectivity.
  • Use strong MFA methods such as biometrics, physical security tokens or stand-alone authentication applications to access online accounts.
  • Do not store passwords, usernames or other information for easy login on mobile device applications.

Russian police take down cyber crime groups

Russian authorities have announced that they have seized Ferum Shop, Sky-Fraud, and Trump’s Dumps, three well-known online shops for stolen payment card data. Last week, the domains were claimed by the Ministry of Internal Affairs of the Russian Federation’s Department “K” division, which left a message on the sites’ homepages to warn of the illegality of stealing funds from bank cards.

Russian law prohibits the production, purchase, sale, or use of counterfeit payment cards and software, devices, or other means of illegally transferring funds. However, it’s yet unclear whether the seized domains were targeting Russian banks.

According to researchers, the authorities appear to have left a message embedded into the source code of Ferum and Sky-Fraud, implying that similar domains will be targeted in the near future. Active for 5 years, Ferum Shop was one of the largest carding shops. It became the longest-standing carding forum after Joker’s Stash was shut down last year. Sky-Fraud had been active for roughly 4 years prior to takedown. It was a low-tier forum, mainly used by cyber criminals who are just starting out.

In addition to the three carding shops, Russian law enforcement seized UAS (Ultimate Anonymity Services), a portal for selling remote desktop protocol (RDP) access to compromised business environments. All four sites, researchers add, were hosted on .ru domains, and it’s likely that Department K will continue to take action against .ru domains used for similar illegal activities.

The takedowns came a few weeks after Russian authorities announced the arrest of several members of the Infraud Organisation, which resulted in the shutdown of the major carding shop UniCC. In addition to seizing the illicit domains, Russian authorities arrested several of the cyber criminals behind the illegal activity – many of whom had been operating since at least 2008.

While there are still a lot of cyber threats out there for organisations to be wary of, this is positive news. The more organisations and websites that can be shut down, the better. With the action taken against these groups of cyber criminals, the hope is that, eventually, cyber attacks will become less and less common.

Apple fixes iPhone bug following recorded conversations

iPhone users should update their devices as soon as possible. The latest Apple update fixes a bug introduced in the iOS 15 update that users might not even have noticed.

The bug enabled Siri to keep some recordings of the user’s interactions on some devices, by automatically enabling the Improve Siri & Dictation setting. This gives Apple permission to record, store and review conversations with Siri. According to researchers, even if the user opted out, the bug may have recorded interactions with Siri or the voice dictation tool on the iPhone and shared the recordings with Apple.

Apple said: “With iOS 15.2, we turned off the Improve Siri & Dictation setting for many Siri users while we fixed a bug introduced with iOS 15. This bug inadvertently enabled the setting for a small portion of devices”.

For users who had opted out of the setting, recordings were being stored instead of being deleted. Apple has said that the erroneous recordings have since been deleted. Once Apple discovered the bug, the company said it turned off the setting for many Siri users with the release of iOS 15.2, effectively fixing the bug.

With the second beta of iOS 15.4, users will be asked if they want to opt-in or out after the update has been installed on their iPhone. With the new update, users might receive a prompt asking for permission to enable the Improve Siri & Dictation feature once the new 15.4 beta has been installed. So if you don’t want Apple listening in on your conversations with Siri or the voice dictation tool, it would be a good idea to update your Apple devices right away.

It is worth noting that it is not only iPhones that should be updated: tablets such as iPads should also be updated to 15.3.1 as soon as possible. For more on how to update your devices, visit Apple's website.

Trojans being spread by legitimate Windows tool

A Windows living-off-the-land binary (LOLBin) known as Regsvr32 has seen a big uptick in abuse of late. Researchers are warning of the threat these attacks can pose, as they are mainly spreading trojans such as Lokibot and Qbot.

LOLBins are legitimate, native utilities used daily in various computing environments, which cyber criminals use to evade detection by blending into normal activity. In this case, Regsvr32 is a Microsoft-signed command line utility in Windows that allows users to register and unregister libraries. Registering a .DLL file adds information to the central directory (the Registry) so that the library can be used by Windows and shared.

Researchers warned: “Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs. This method does not make changes to the Registry as the COM object is not actually registered, but is executed. This technique allows threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”

Malicious use of Regsvr32 has been peaking of late in Uptycs telemetry, researchers warned, with cyber crooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents. As a class, .OCX files contain ActiveX controls, which are code blocks that Microsoft developed to enable applications to perform specific functions, such as displaying a calendar.

“The Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,” researchers added. “During our analysis of these malware samples, we have identified that some of them belonged to Qbot and Lokibot attempting to execute .OCX files…97% of these samples owed to malicious Microsoft Office documents such as Excel spreadsheet files.”

Most of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, which are file types that can contain embedded macros. During the attack, these macros usually download or execute a malicious payload from a URL. Similarly, some campaigns use Microsoft Word, Rich Text Format or Composite Document files – .DOC, .DOCX or .DOCM – embedded with malicious macros.

Because Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cyber security defences. However, researchers noted that an organisation’s security team can monitor for some specific behaviours in order to track its activity:

  • Look for parent/child process relationships where Regsvr32 is executed with Microsoft Word or Microsoft Excel as its parent process.
  • Look for Regsvr32 executions that load scrobj.dll, the library that executes a COM scriptlet.
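The two behaviours above expressed as detection logic, as an added example that is not part of the original post or of Uptycs' research. It runs over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records; the field names follow Sysmon's schema, while the sample events, the rule names and the file paths are assumptions made for this example.

```python
"""Added example: flag suspicious Regsvr32 activity in Sysmon-style events.

Rules (from the two indicators in the text):
  office-parent     - regsvr32.exe spawned by Word or Excel
  scriptlet-cmdline - regsvr32.exe command line references scrobj.dll
  scriptlet-load    - regsvr32.exe loads scrobj.dll (Event ID 7)
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Parent processes the text calls out; extend for other Office apps if needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPTLET_DLL = "scrobj.dll"


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    image: str
    detail: str


def _base(path: str) -> str:
    """Case-insensitive file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def check_event(ev: dict) -> list[Finding]:
    """Return the findings raised by a single Sysmon-style event dict."""
    findings: list[Finding] = []
    image = ev.get("Image", "")
    if _base(image) != "regsvr32.exe":
        return findings  # only interested in Regsvr32 itself
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        parent = ev.get("ParentImage", "")
        if _base(parent) in OFFICE_PARENTS:
            findings.append(Finding("office-parent", 1, image, f"parent={parent}"))
        cmd = ev.get("CommandLine", "")
        if SCRIPTLET_DLL in cmd.lower():
            findings.append(Finding("scriptlet-cmdline", 1, image, f"cmdline={cmd}"))
    elif eid == 7:  # image load
        loaded = ev.get("ImageLoaded", "")
        if _base(loaded) == SCRIPTLET_DLL:
            findings.append(Finding("scriptlet-load", 7, image, f"loaded={loaded}"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of events and collect every finding."""
    out: list[Finding] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry (not real logs); paths are illustrative.
SAMPLE_EVENTS = [
    # Benign: an installer registering a DLL under msiexec.
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\ExampleApp\lib.dll"'},
    # Suspicious: Excel spawning regsvr32 to register an .OCX from a temp folder.
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\ctl.ocx"},
    # Suspicious: scrobj.dll named on the command line (scriptlet placeholder).
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s /i:<scriptlet-location> scrobj.dll"},
    # Suspicious: regsvr32 loading scrobj.dll at runtime.
    {"EventID": 7, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    # Not flagged: a different host process loading scrobj.dll.
    {"EventID": 7, "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] EventID={f.event_id} {f.image} {f.detail}")
```

The benign msiexec case shows why the rules key on the parent process and on scrobj.dll rather than on Regsvr32 alone: ordinary DLL registration by installers is exactly the daily use that lets the LOLBin blend in, so an alert on every Regsvr32 launch would be unworkable.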

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.