Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Microsoft disrupts large scale BEC campaign

Microsoft has announced it disrupted a large-scale business email compromise (BEC) campaign in which the attackers used forwarding rules to access messages related to financial transactions.

The campaign had its infrastructure hosted on multiple web services and used phishing emails with voice-message lures. The emails carried an HTML attachment containing JavaScript code designed to imitate the Microsoft sign-in page, which was used to steal victims’ login credentials.

Once the cyber criminals had gained access to a mailbox, they added email forwarding rules that sent messages related to financial transactions, identified by keywords such as invoice, payment and statement, to attacker-controlled email addresses. Additionally, the forwarded emails were deleted from the Outbox to avoid detection.

The attackers used a large cloud-based infrastructure to automate operations at scale. This infrastructure handled the monitoring of compromised mailboxes, the creation of forwarding rules, the identification of valuable victims, and the processing of the forwarded emails. Microsoft reported its findings to the security teams at the multiple cloud companies whose services were abused by the cyber criminals, before the attackers’ accounts were suspended, which resulted in the takedown of the infrastructure.

According to Microsoft, the attackers attempted to hide the scale of their operation by making it look as if the attacks were not connected to one another. They performed distinct activities from different IP addresses, but used only specific IP ranges for the attacks. This is characteristic of BEC campaigns, as it makes it harder for researchers to correlate the attacks to one organisation.

Multiple virtual machines were used to execute a specific operation, along with DNS records similar to those of existing company domains, to blend into existing conversations or launch more tailored phishing attacks. BEC attacks are constant threats to enterprise-level organisations as they are very stealthy, with attackers hiding in plain sight by blending into legitimate traffic using IP ranges with high reputation and by conducting discrete activities at specific times and connections.

Although the campaign generated very low signals to make it difficult to identify within the usual noise of corporate network traffic, these attacks could have been prevented through proper use of multi-factor authentication, which would have prevented the attackers from logging into the compromised mailboxes.
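One way a defender can hunt for the kind of forwarding rules described above, as an added example that is not code from the original article or from Microsoft’s report: the rule records, their field names (forward_to, delete_after_forward) and the example.com tenant domain are assumptions, and the sample rules are constructed.

```python
# Added example (not from the Neuways article or Microsoft's report): flag mailbox
# forwarding rules that match the BEC pattern described in the text, i.e. rules that
# forward mail outside the organisation, match financial keywords and delete the
# message afterwards. Record shape, field names and sample data are constructed.

FINANCE_KEYWORDS = ("invoice", "payment", "statement")
INTERNAL_DOMAIN = "example.com"  # assumed tenant domain

# Constructed sample rules in a simplified record shape (hypothetical fields).
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Sync",
     "keywords": ["invoice", "payment"], "forward_to": ["collect@mail-drop.invalid"],
     "delete_after_forward": True},
    {"mailbox": "hr@example.com", "name": "Travel receipts",
     "keywords": ["receipt"], "forward_to": ["finance@example.com"],
     "delete_after_forward": False},
    {"mailbox": "sales@example.com", "name": "Out of office copy",
     "keywords": [], "forward_to": ["me@personal-mail.invalid"],
     "delete_after_forward": False},
]

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def assess_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a rule looks like BEC mailbox abuse (empty list = benign)."""
    reasons = []
    external = [a for a in rule["forward_to"] if domain_of(a) != internal_domain]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    matched = sorted(k for k in rule["keywords"] if k.lower() in FINANCE_KEYWORDS)
    if matched:
        reasons.append("matches financial keywords: " + ", ".join(matched))
    if rule["delete_after_forward"]:
        reasons.append("deletes the message after forwarding (hides it from the owner)")
    # Only alert when mail actually leaves the tenant; the other traits raise severity.
    return reasons if external else []

def severity(reasons):
    """Map the number of matched traits to a severity label."""
    return {0: "none", 1: "low", 2: "medium"}.get(len(reasons), "high")

def find_suspicious_rules(rules):
    """Return (mailbox, severity, reasons) for every rule that forwards externally."""
    findings = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            findings.append((rule["mailbox"], severity(reasons), reasons))
    return findings

if __name__ == "__main__":
    for mailbox, sev, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{sev.upper():6} {mailbox}: {'; '.join(reasons)}")
```

In a real tenant the records would come from an inbox-rule export or audit log rather than the constructed list, and each finding should be checked against the mailbox owner’s expectations before the rule is removed.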

“Ransomware is the biggest threat” says head of UK Cyber Security

The head of the UK’s National Cyber Security Centre has warned that ransomware has become the biggest threat to British people and businesses. Lindy Cameron, chief executive of the NCSC, has highlighted the need for the ransomware problem to be taken seriously, and warns of the “cumulative effect” it could have if society fails to properly deal with the rising threat.

Cameron says that although state-sponsored cyber attacks represent a “malicious strategic threat to the UK’s national interests,” the problem goes deeper than that.

Cameron also points out that technically-advanced professional criminal gangs have given anybody the ability to command a ransomware attack: “…the ecosystem is evolving through Ransomware as a Service, (RaaS); the business model where ransomware variants and lists of targets, credentials and other tools useful for ransomware deployment are available off the shelf for a one-off payment or a share of the profits.

“As the business model has become more successful, with these groups securing significant ransom payments from large profitable businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly ‘professional’.”

While recent attacks, including the Colonial Pipeline ransomware hit, have focused world leaders’ attention on the potential of ransomware to continually impact upon businesses, ransomware has exploded over the last 18 months, affecting businesses of all shapes and sizes, not just big multi-national companies. In its end-of-summit statement, the G7 explicitly called for no country to act as a safe harbour for ransomware operators: “We also commit to work together to urgently address the escalating shared threat from criminal ransomware networks. We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”

“Far more worrying is the cumulative effect of a failure to manage cyber risk and the failure to take the threat of cyber criminality seriously. For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals.”

Lindy Cameron, Chief Executive of the NCSC

With reports a multi-country taskforce is being created to combat ransomware, it appears action is being taken to protect the world from the scourge of ransomware. In the meantime, it is always advisable to be wary of any unexpected communications you receive that require immediate action or input, as this could be the beginning of a ransomware attack in your workplace.

Cause of US oil cyber attack revealed

It has been revealed that the DarkSide cyber criminal gang behind the Colonial Pipeline ransomware attack accessed an old VPN account that was no longer in use to freeze the company’s network.

Attackers used the password to a VPN account that was no longer in use but which still allowed them to remotely access Colonial Pipeline’s network. The reveal highlights the importance of password security, as it comes on the heels of a separate report that hackers leaked the largest password collection to date – a 100 gigabyte file called “RockYou2021” containing 8.4 billion passwords – on a popular hacker forum earlier this week. Businesses need to ensure their employees practise strong password hygiene and use a Password Manager tool to safely look after their stored business passwords – otherwise hits such as the DarkSide ransomware attack can occur.

Indeed, the password used for the Colonial attack was discovered inside a batch of leaked passwords on the Dark Web, although it isn’t yet clear how the password got into the hands of the cyber criminals. There are rumours that it may have been exposed when a Colonial employee reused it on another account that was previously hacked. The news once again highlights the inherent insecurity of what is still the most commonly used method for allowing employees to access corporate networks, even though there are numerous multi-factor authentication options available to organisations for securing sensitive data.

It also shows how easy it is for anyone with nefarious intent to obtain passwords and use them for financial gain or disruption, with large caches of passwords lifted from cyber attacks often being dumped online by hackers.

That this cyber attack had such a huge effect on a country as large as the United States shows that ransomware is a real threat to everyone. The attack shut down a pipeline that covers the entire eastern seaboard, as far north as New York as well as the southern states, and caused major disruption, including fuel shortages across the region, a sharp rise in gas prices and airlines scrambling for fuel. President Joe Biden also declared a state of emergency, and Colonial Pipeline ended up paying a ransom of around £2.6 million to the DarkSide ransomware gang, although the FBI has since managed to retrieve around £1.6 million of it.

The overriding message to businesses is to ensure the safety of your business’ passwords – one slip-up could lead to a devastating cyber attack which could cost your business a lot.

Custom malware collects billions of stolen data points

Researchers have uncovered a 1.2TB database of stolen data that has been lifted from 3.2 million Windows-based computers over the course of two years by an unknown, custom malware. The stolen information includes 6.6 million files, 26 million credentials and 2 billion web login cookies – with 400 million of the latter still valid at the time of the database’s discovery.

The culprit is a stealthy, as-yet-unnamed malware that spread via trojanised Adobe Photoshop versions, pirated games and Windows cracking tools over the last two years. It’s unlikely that the operators had any depth of skill to pull off their data-harvesting campaign; more than likely they purchased some custom malware. Anyone can get their hands on custom malware, as it’s cheap, customisable and can be found all over the web. Dark Web adverts for viruses reveal even more about this market – for instance, anyone can get their own custom malware and lessons on how to use the stolen data for as little as £60.

The 26 million login credentials held 1.1 million unique email addresses for an array of different apps and services. Among the information within the database were social media logins, online marketplace information, as well as job-search, gaming and financial service sites. The cloud provider hosting the data has been notified so the database can be taken down, while a blogger has added the compromised email addresses to his site, so people can check to see if they’ve been impacted by the malware.

With over 50% of the stolen files being text files, it is likely that a lot of the collection contains software logs, while it was discovered that some users were using the Notepad app to store their passwords, personal notes, and other sensitive information. This should be an absolute no-go as there is nothing secure about Notepad, and in the event of a data breach this will be easy pickings for cyber criminals with access.

The top 10 apps targeted by the malware include:

  1. Google Chrome (19.4 million entries)
  2. Mozilla FireFox (3.3 million entries)
  3. Opera (2 million entries)
  4. Internet Explorer/Microsoft Edge (1.3 million entries)
  5. Chromium (1 million entries)
  6. CocCoc (451,962 entries)
  7. Outlook (111,732 entries)
  8. Yandex Browser (79,530 entries)
  9. Torch (57,427 entries)
  10. Thunderbird (42,057 entries)

Unfortunately, custom malware is difficult to fight once a device is infected, because as a novel threat, antivirus does not tend to identify it – making prevention the best approach. Neuways recommends the following best practices:

  • Web browsers are not good at protecting sensitive data. Use Password Managers to protect your credentials and auto-fill information.
  • Encrypt sensitive files. Malware that steals files cannot read the contents of encrypted ones.
  • Some cookies are valid for 90 days, and some don’t expire for an entire year. Make deleting cookies a monthly habit.
  • Peer-to-peer networks are often used for spreading malware – only download software from the developer’s website and other well-known sources.
  • All malware gets identified eventually, so make sure that your antivirus is up-to-date to prevent old viruses from slipping through the cracks.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.