Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats in order to help you stay safe online.

Here are the most prominent threats you should be aware of:


Neu Cyber Threats

Mysterious bug is deleting Microsoft Teams, SharePoint files

Microsoft Exchange is affected by vulnerabilities that, if exploited, can lead to ransomware infections in businesses. Microsoft itself has warned that cyber criminals are exploiting vulnerable Microsoft Exchange servers and installing a new ransomware called DearCry.

This is the latest threat to affect Exchange servers; it emerged shortly after Microsoft was forced to issue emergency patches in early March for four Exchange flaws. These could be chained together to create a pre-authentication remote code execution (RCE) exploit – which allowed attackers to take over servers without holding the required account credentials.

It is thought that these flaws have led to the new strain of ransomware being installed on unpatched servers. The immediate advice is to install these patches as soon as possible to avoid any incidents.

The four Microsoft Exchange vulnerabilities are known collectively as ProxyLogon and can be tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. After infecting the victim, the ransomware drops a ransom note called ‘readme.txt’ – which features two email addresses for the threat actors and demands a ransom payment of $16,000.

This isn’t the only ransomware to have affected Exchange users: the four flaws are thought to have been used by at least 10 different advanced persistent threat (APT) groups trying to disrupt Exchange servers around the world. The industries targeted include government, military, manufacturing and banking.

If you are concerned by the Microsoft Exchange vulnerability, we would recommend contacting your Managed Service Provider for more information and to find out if your business has been impacted by DearCry.

Trickbot malware to distribute more malware attacks


Just as Emotet was halted, the gap in the market is being filled by plenty of other trojans and botnets, such as Trickbot, with an increase in cyber criminals using it to distribute malware.

Emotet was the world’s most prolific and dangerous malware botnet before it was taken down by an international operation in January 2021.

Emotet initially emerged as a banking trojan in 2014 before becoming the much larger threat it was. While it can never truly be taken down, cyber criminals have taken only a matter of weeks to adapt, and Trickbot is now the most prevalent form of malware.

The two types of malware share many of the same features: both can be used to deliver additional malware onto devices that have already been compromised. Since Trickbot was first seen in 2016, it has been one of the most prolific forms of malware, thanks to its flexibility and its past track record of success.

Businesses are advised to ensure they remain cyber safe and continue to be wary of any suspicious emails they may receive. Email security solutions can help, as they filter out a lot of the spam communications.

However, ensuring employees receive regular Phishing Awareness Training and are made aware of the common features of a phishing email is crucial to keeping a business safe. Phishing emails often contain a suspicious link or attachment that the recipient is urged to click or open immediately. This can then lead to some form of theft, whether through a request for login details or the installation of malware that exfiltrates data from the company’s network.


Google Warns Mac, Windows Users of Chrome Zero-Day Flaw

Google is speeding up a fix for a Chrome browser vulnerability that is under active attack, the third zero-day flaw of the year so far for Chrome. If exploited, the flaw could allow remote code execution and denial-of-service attacks on affected systems.

The vulnerability is found within Blink, the browser engine for Chrome. The flaw (CVE-2021-21193) ranks high on the CVSS vulnerability-rating scale, making it high-severity. It is a use-after-free vulnerability, a class of bug caused by incorrect handling of dynamic memory during a programme’s operation: if a programme frees a block of memory but does not clear the pointer to it, a later access through that stale pointer can be abused by a cyber criminal.
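As an added illustration, not code from the original post and unrelated to Chrome’s own source, the small C program below shows the bug class the paragraph describes and the fix it implies. A record is released in two ways: a buggy routine that frees the memory but leaves the caller’s pointer intact (a dangling pointer, which any later dereference turns into a use-after-free), and a corrected routine that clears the pointer so later use fails loudly instead of silently. All names (session_t, session_close and so on) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record with a manually managed lifetime, standing in for
 * the kind of object a browser engine allocates and frees. */
typedef struct {
    int  id;
    char user[32];
} session_t;

/* Allocate a zeroed record and fill in the id and user name. */
static session_t *session_new(int id, const char *user) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->id = id;
    strncpy(s->user, user, sizeof s->user - 1);   /* calloc keeps the terminator */
    return s;
}

/* BUGGY pattern: the memory is freed, but the caller still holds a pointer
 * to it. Any later read or write through that pointer is a use-after-free.
 * This function is shown for contrast only and is never called below;
 * building with -fsanitize=address reports the stale access if it is. */
static void session_close_dangling(session_t *s) {
    free(s);
}

/* FIXED pattern: take the address of the caller's pointer, free the record,
 * and clear the pointer so the freed memory cannot be reached again. */
static void session_close(session_t **sp) {
    if (sp && *sp) {
        free(*sp);
        *sp = NULL;
    }
}

/* Read the id, or return -1 when the pointer has been cleared. Paired with
 * session_close(), the NULL check turns a memory error into a visible
 * failure a program can handle or log. */
static int session_id(const session_t *s) {
    return s ? s->id : -1;
}

/* Walk the fixed path: create, read, close, read again.
 * Returns the value read after closing (-1), or -2 if the first read failed. */
static int demo_fixed(void) {
    session_t *s = session_new(42, "alice");
    int before = session_id(s);      /* 42 */
    session_close(&s);               /* frees and sets s to NULL */
    int after = session_id(s);       /* -1: no access to freed memory */
    return before == 42 ? after : -2;
}

int main(void) {
    (void)session_close_dangling;    /* referenced only to document the bug */
    printf("id read after close: %d\n", demo_fixed());
    return 0;
}
```

The defensive point is the second routine: freeing through a pointer-to-pointer and nulling it is cheap, and it converts the hardest-to-spot memory bug into a predictable NULL check. Compiling with `-fsanitize=address` during testing catches the dangling pattern at the first stale access.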

The flaw could allow a remote attacker to execute arbitrary code on the system or cause a denial-of-service condition. Not much else is known about the vulnerability, as Google does not wish to alert cyber criminals to any further weak spots in the browser while it works around the clock to issue a fix.

In many cases, Chrome will update to the newest version automatically. Chrome users who want to be sure they have received the update can follow the steps below:

Go to chrome://settings/help by clicking Settings > About Chrome in the top-right corner of the screen.

If an update is available, Chrome will notify you and start the download.

Relaunch the browser to complete the update.

Google Play Harbors Malware-Laced Apps Delivering Spy Trojans


A never-before-seen malware dropper, Clast82, has been allowing cyber criminals to remotely steal data from Android phones. It is spreading via nine malicious apps on the Google Play store, which install the AlienBot and MRAT malware onto victims’ devices.

The malware is part of a wider cyber crime campaign which attempts to steal victims’ financial information, which can lead to an eventual takeover of mobile phones.

Clast82 is disguised inside the applications, and the malware is not installed until the apps have passed Google Play Protect, the store’s evaluation process. Once that process is complete, a command is sent via Google Firebase to activate an ‘enable’ function, which triggers the AlienBot trojan or MRAT.

AlienBot is offered under the malware-as-a-service (MaaS) model and allows a remote attacker to inject malicious code into legitimate financial applications. MRAT is primarily used for reconnaissance and information gathering; it can evade antivirus detection and checks, and app and file deletion are among its many capabilities. By stealing account credentials and Multi-Factor Authentication (MFA) codes, the attacker can gain access to victims’ accounts and take control of a device.

Google has confirmed that all apps affected by Clast82 have been removed from the Google Play Store. Those with the apps already installed remain at risk, though, and must uninstall them as soon as possible. The affected apps include:

  • BeatPlayer
  • Cake VPN
  • Two versions of eVPN
  • Music Player
  • Pacific VPN
  • QR/Barcode Scanner MAX
  • QRecorder
  • tooltipnattorlibrary

Dark Web Markets for Stolen Data See Banner Sales

In news that will surprise nobody, the Dark Web is experiencing a boom. With the increase in ransomware attacks in 2020, cyber criminals are turning to the platform not only to sell the account credentials and information they have successfully swiped, but also the malware they use to carry out the attacks.

The result is a large increase in the amount of data being sold on underground forums, with prices holding steady. This means criminals continue to make large sums of money from sales on the Dark Web. The news is bad for businesses, as it can only inspire more would-be cyber criminals to try to earn a slice of the Dark Web money tree by carrying out cyber attacks.

Fake IDs and credit cards often sell for figures in the thousands, while Uber accounts and confidential company data continue to sell strongly, too.

Social-media credentials, though, have lost value over the last twelve months thanks to the increase in MFA adoption, which forces cyber criminals to use time-consuming social-engineering tactics instead. Physical counterfeit documents are very valuable, followed by document scans and even counterfeit money, which is popular on these Dark Web marketplaces.

It seems as though cyber criminals are experiencing an increase in ransom payments too – resulting in a double payday for many of the perpetrators.

Neuways advises business end users to remain vigilant when operating online. By practising strong password hygiene and being aware of malware-laden communications, employees will reduce the success rate of these attacks. MFA is an important layer in any business’ cyber security defences, as it makes it substantially harder for cyber criminals to benefit from stealing these types of credentials.

Users should also understand the value of the personal and company data they work with. If you use the same password for multiple business accounts and one of them is breached by a cyber criminal, the resulting damage could prove financially rewarding for the criminal and lead to disruptive, costly downtime for the business.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.