Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cybersecurity and phishing threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Cyber criminals using classic phishing attack to hit businesses

Swedish retailer IKEA is the latest organisation to be hit by an ongoing cyber attack in which cyber criminals target employees through internal phishing attacks with the use of stolen reply-chain emails.

A reply-chain email attack is when threat actors steal legitimate corporate emails and reply to them with links to malicious documents that install malware on recipients’ devices. As the reply-chain emails are legitimate emails from a company and are commonly sent from compromised email accounts and internal servers, recipients tend to trust the email and be more likely to open the malicious documents.

Internal emails seen by researchers warn employees of an ongoing reply-chain phishing attack targeting internal mailboxes. The phishing emails are also being sent from other compromised organisations and business partners. The email explained: “The attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.” IKEA IT teams have warned employees that the reply-chain emails contain links ending in seven digits, and shared an example email. Employees are told not to open the emails, regardless of who sent them, and to report them to the IT department immediately. Recipients are also asked to contact the sender via Microsoft Teams chat so that the sender reports the email as well.

It is unknown whether the two are linked, but threat actors have recently begun to leverage compromised internal Microsoft Exchange servers, exploiting the ProxyShell and ProxyLogon vulnerabilities, to perform phishing attacks. Once they gain access to a server, they use it to run reply-chain attacks against employees using stolen corporate emails. Because the emails come from internal, compromised servers and existing email chains, recipients place a higher level of trust in them. There is also concern that recipients may release the malicious phishing emails from quarantine, thinking the filters caught them by mistake. For this reason, IKEA is disabling employees’ ability to release emails from quarantine until the attack is resolved.

“Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and released the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine,” IKEA communicated to employees.

While IKEA has not disclosed to employees whether internal servers were compromised, it appears that they are suffering from a similar attack.

Excel attachment used in the phishing campaign

When a recipient visits one of these URLs, the browser is redirected to a download called ‘charts.zip’ that contains a malicious Excel document. The attachment tells recipients to click the ‘Enable Content’ or ‘Enable Editing’ buttons to view it properly. Once those buttons are clicked, malicious macros run that download files named ‘besta.ocx’, ‘bestb.ocx’ and ‘bestc.ocx’ from a remote site and save them to the C:\Datop folder. These OCX files are renamed DLLs, which are then executed with the regsvr32.exe command to install the malware payload.

Campaigns using this method have been seen installing the Qbot trojan (also known as QakBot and Quakbot) and possibly Emotet, based on a VirusTotal submission found by researchers. Both the Qbot and Emotet trojans lead to further network compromise and ultimately to the deployment of ransomware on the breached network. Due to the severity of these infections and the likely compromise of its Microsoft Exchange servers, IKEA is treating this security incident as a significant cyber attack that could lead to a far more disruptive one.
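As an added example (not from the article or from IKEA), the two indicators the write-up gives, links ending in seven digits and regsvr32.exe running .ocx files dropped into C:\Datop, turned into a small detector run over a constructed email body and constructed Sysmon-style process-creation events (the field names Image, CommandLine and ParentImage are assumed):

```python
import re
from typing import Dict, List

# Indicators named in the write-up: phishing links ending in seven digits,
# OCX files dropped into C:\Datop, and regsvr32.exe used to run them.
DROP_DIR = r"c:\datop"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def suspicious_links(body: str) -> List[str]:
    """Return every URL in an email body whose path ends in exactly seven digits."""
    hits = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;)")
        if re.search(r"/\d{7}$", url):
            hits.append(url)
    return hits

def is_ocx_regsvr32(event: Dict[str, str]) -> bool:
    """Flag a process-creation event (Sysmon-style fields, assumed) where
    regsvr32.exe is launched by an Office app or loads an .ocx from the drop folder."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("regsvr32.exe"):
        return False
    office_parent = parent.endswith(("excel.exe", "winword.exe"))
    dropped_ocx = DROP_DIR in cmd and cmd.rstrip('"').endswith(".ocx")
    return office_parent or dropped_ocx

def flagged_commands(events: List[Dict[str, str]]) -> List[str]:
    """Command lines of all events the detector flags."""
    return [e["CommandLine"] for e in events if is_ocx_regsvr32(e)]

# Constructed sample input, not taken from the article.
SAMPLE_BODY = """Hi, following up on the invoice thread from last week.
Updated figures: https://example.com/share/1234567
Previous version: https://example.com/share/report-q3
"""

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s C:\Datop\besta.ocx",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 C:\Datop\bestc.ocx",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Legitimate regsvr32 use (the msiexec-spawned DLL registration in the sample) is left alone; only the Office parent or the drop-folder .ocx path triggers a hit.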

Neuways advises businesses to brief employees on this attack. It is a cyber attack that we have seen replicated time and time again. Organisations therefore need to recognise that emails sent between colleagues could be part of this type of phishing campaign. Always question suspicious-looking communications, no matter who the sender is, and do not automatically carry out any activity the sender has asked you to do. By following those instructions, your company is less likely to lose sensitive data or to have its information encrypted.

Android banking trojan discovered targeting UK banks


A new Android banking trojan has been found targeting banks around the world, including in the UK. The malware was first seen at the end of October 2021 and appears to be new and still under development. The researchers who discovered it have named it ‘SharkBot’, after the frequent appearance of the word ‘sharked’ in its binaries. SharkBot is not found in Google’s official marketplace, which means it must be sideloaded by delivering the APK to the device and having it installed manually. A recent technical analysis by researchers shows that the malware regularly poses as a legitimate application, using common names and icons.

If the deception succeeds and the malware is installed, it immediately attempts to enable Android’s Accessibility Services by showing the victim fake pop-ups, such as ‘Allow Media Player to have full control of your device’. If this succeeds, SharkBot has all the permissions it needs to carry out its nefarious acts. Once the pop-up is accepted, the malware can enable keylogging (to steal typed credentials), intercept SMS messages (to circumvent MFA), deliver overlay attacks (to steal login credentials and credit card information) and remotely control the device, because the necessary permissions were granted via the fake pop-up.

Researchers said: “Basically, the malicious Accessibility Services can read anything a user can read and can recreate any action a user can on the device.”

Notably, SharkBot attempts a novel technique known as an Automatic Transfer Systems (ATS) attack: “This technique has been seen recently from other banking trojans, such as Gustuff. ATS is an advanced attack technique which is fairly new on Android and enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from compromised devices.”

The ATS functionality is contained in a module downloaded separately from the C2. The assumption is that SharkBot uses ATS to bypass the behavioural detection measures used by many financial institutions. When ATS runs on what is already a trusted device, a ‘new device enrolment’ phase is not necessary, SMS-based MFA can be bypassed, and behavioural biometrics are not effective. Although relatively few instances of SharkBot have been discovered in the wild, researchers suspect that the threat will grow as the malware matures. Researchers added: “The implications of becoming infected with SharkBot could be severe, so it’s important to avoid becoming infected altogether.” Because the malware is so new, existing security tools do not detect it well. The best protection for end users is to avoid unofficial application stores, where the malware could be lurking inside an application; without 100% certainty of an application’s authenticity and the validity of its source, Neuways advises users simply not to install it.

Attacks exploit insecure services in seconds

Opportunistic attackers have been found exploiting insecure services in experiments set up by researchers to demonstrate the immediate danger of these common mistakes. It has now been shown that poorly configured cloud services can be exploited by threat actors within minutes. The attacks ranged from network intrusion and data theft to malware and ransomware infections, the researchers found.

Researchers used an infrastructure of nodes deployed globally in which they deliberately misconfigured key services within a cloud-based setup, including Remote Desktop Protocol (RDP), Secure Shell (SSH) and Server Message Block (SMB). They found that attackers jumped at the opportunity to exploit the misconfigurations, with 80% of the 320 experiments compromised within 24 hours and all of them compromised within a week, the researchers disclosed in a recent report.

Moreover, some attacks occurred within minutes, with one particularly speedy cyber criminal compromising 96% of the 80 accounts within 30 seconds. This is fairly shocking news, as the time before a vulnerability is exploited is typically measured in days or months. The study shows how quickly these common misconfigurations can lead to data breaches or to attackers taking down an entire network, especially given that “most of these internet-facing services are connected to some other cloud workloads,” the researchers said.

“When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes.”

To lure attackers, researchers intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest and administrator:password, which granted limited access to the application. They reset the experiments after each compromising event, i.e. when a threat actor successfully authenticated with one of those credentials and gained access to the application. Researchers also blocked a list of known scanner IPs on a subset of the accounts, updating firewall policies once a day based on the observed network scanning traffic.

The team analysed attacks according to a variety of attack patterns, including: the time attackers took to discover and compromise a new service; the average time between two consecutive compromising events of a targeted application; the number of attacker IPs observed on a honeypot; and the number of days an attacker IP was observed.

While this study shows an alarming number of successful compromises, the good news for businesses that are making common cloud configuration mistakes is that they are easy to avoid. To safeguard services from being breached by attacker IPs, cloud administrators can implement a guardrail to prevent privileged ports from being open, as well as create audit rules to monitor all the open ports and exposed services. Researchers also suggest that admins create automated response and remediation rules to fix misconfigurations automatically and deploy next-generation firewalls to block any malicious traffic.
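One way to implement the audit rule suggested above, as an added example (not the researchers’ tooling): a check over a constructed list of ingress rules, loosely modelled on a cloud security group, that reports any rule exposing SSH, RDP or SMB to the whole internet. The port numbers are the standard ones and the rule field names are assumed.

```python
import ipaddress
from typing import Dict, List

# Services the researchers deliberately exposed; the port numbers are the
# standard ones (assumed here, the article names only the protocols).
PRIVILEGED_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB"}

def is_world_open(cidr: str) -> bool:
    """True when a source range means 'anywhere' (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(rules: List[Dict]) -> List[str]:
    """Report every rule that exposes a privileged port to the whole internet.
    Rule shape (constructed): {"name", "protocol", "from_port", "to_port", "cidrs"}."""
    findings = []
    for rule in rules:
        if rule["protocol"] not in ("tcp", "all"):
            continue
        if not any(is_world_open(c) for c in rule["cidrs"]):
            continue
        # A wide port range (e.g. 0-65535) covers every privileged port at once.
        for port, service in sorted(PRIVILEGED_PORTS.items()):
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append(f"{rule['name']}: {service} tcp/{port} open to the internet")
    return findings

# Constructed sample rules, not taken from the report.
SAMPLE_RULES = [
    {"name": "bastion-ssh", "protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidrs": ["10.0.0.0/8"]},                      # internal only: acceptable
    {"name": "jump-rdp", "protocol": "tcp", "from_port": 3389, "to_port": 3389,
     "cidrs": ["0.0.0.0/0"]},                       # RDP exposed to the world
    {"name": "legacy-any", "protocol": "all", "from_port": 0, "to_port": 65535,
     "cidrs": ["::/0"]},                            # every port, IPv6 world
]
```

Run on a schedule, the findings list is the input for the automated remediation the researchers recommend; an empty list means no privileged service is internet-facing.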

Millions of Android devices infected with trojan

A new trojan called Android.Cynos.7.origin, designed to collect the device data and phone numbers of Android users, was found in 190 games installed on over 9 million Android devices.

Many of the games were targeted at younger users, and the malware was found on AppGallery, the official app store for Huawei Android devices. According to researchers, the main purpose of the slew of malware-laced apps is to harvest users’ phone numbers and device data and to make money by using that data to serve ads. The researchers have published the full list of the 190 apps they identify as malicious.

Researchers said that the Android.Cynos.7.origin trojan is one of the modifications of the Cynos malware platform – a module that can be integrated into Android apps to squeeze money out of devices. Malware analysts have known about Cynos since at least 2014. When the malicious apps are downloaded, they ask for permission to make and manage phone calls.

“That allows the trojan to gain access to certain data,” researchers explained. Namely, after a user grants those permissions, the trojan collects and exfiltrates all of the following information to a remote server:

  • User mobile phone number
  • Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access location)
  • Various mobile network parameters, such as the network code and mobile country code; also, GSM cell ID and international GSM location area code (when the application has permission to access location)
  • Various technical specs of the device
  • Various parameters from the trojanised app’s metadata

Some versions have more aggressive functionality: they send premium SMS, intercept incoming SMS messages, and download and launch extra modules as well as other apps. The main functionality of the version discovered by researchers is collecting information about users and their devices and displaying ads.

Researchers added: “At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users. This data can be exfiltrated and put into the hands of cyber criminals, making it particularly dangerous.”

This isn’t the first time that Huawei’s AppGallery has been found hosting malware. In April, researchers reported finding the store infested with apps containing the Joker trojan, which unwitting users had downloaded to over half a million devices. Researchers notified Huawei about the Cynos-infected apps in its gallery, and Huawei has since removed them all.

Neuways advises users to check any applications that have been downloaded onto Huawei phones from the AppGallery, and be prepared to delete them. The work of these cyber criminals should be taken seriously and fought against, otherwise you may well become their next victim.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.