Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Criminals posting malicious USB sticks to businesses

Cyber criminals are impersonating Health Services and/or Amazon to mail “BadUSB” poisoned USB devices to specific targets across a range of industries. The malicious USB drives seen so far were sent within the United States, but the danger to UK businesses is that copycat cyber attacks may occur around the globe.

The financially motivated cyber crime gang, FIN7, is behind the attack. FIN7 has been around since 2015. Initially, the gang made its reputation by maintaining persistent access at target companies with its custom backdoor malware, and for targeting point-of-sale (PoS) systems with skimmer software. In 2020, FIN7 got onto the ransomware/data exfiltration scene, with its activities using REvil or Ryuk as the payload.

Researchers said that FIN7 has mailed the malicious USB devices to companies, in the hope that recipients would plug in the drives, infect systems with malware and set themselves up for future ransomware attacks. The packages were disguised as pandemic-related or Amazon parcels. Researchers said that the devices executed a BadUSB attack.

BadUSB attacks exploit a weakness in USB device firmware: it can be reprogrammed so that the device presents itself as a human interface device, for example as a USB keyboard preloaded with keystrokes that are injected automatically as soon as it is plugged in. Once reprogrammed, the device can be used to discreetly execute commands or run malicious programs on a victim’s computer.

Interestingly, this is not a brand new attack. In 2020, researchers discovered similar USB thumb drives being sent to some of their customers, with the malicious devices likewise contained in packages impersonating Amazon. The easiest way of avoiding any problems is simply not to plug in unexpected USB drives. But human curiosity being what it is, people will more often than not be tempted to plug the mystery USB into their device.

Researchers say that ongoing security awareness training will help to change that mentality. Endpoint protection software can also help prevent these attacks: “These attacks are triggered by a USB stick emulating a USB keyboard, so an end-point protection software that can monitor access to command shells should take care of most issues.” For critical systems that don’t require USB accessories, physical and software-based USB port blockers could help prevent this attack.
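As an added example (not code from the page or from the researchers it cites), the script below is a defender-side heuristic that reads Linux kernel USB enumeration messages and flags the BadUSB signature described above: a device that registers a HID keyboard interface while also presenting itself as mass storage, or a keyboard whose vendor/product ID is not on a local allowlist. The log lines, vendor/product IDs and allowlist are all constructed for the example; the message shapes follow the usual `usb`, `usb-storage` and `hid-generic` kernel lines.

```python
"""Heuristic BadUSB detector over Linux kernel USB enumeration messages.

Added example. Flags a device that registers a HID keyboard interface while
also presenting a mass-storage interface (a "thumb drive" that types), or a
keyboard whose vendor:product ID is not on the local allowlist. Every log
line, ID and allowlist entry below is constructed for the example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed allowlist of keyboards the organisation issues (vid:pid).
KNOWN_KEYBOARDS: Set[str] = {"abcd:0001"}

# "usb 1-2: New USB device found, idVendor=1234, idProduct=5678, ..."
RE_NEW_DEVICE = re.compile(
    r"usb (?P<dev>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
# "usb-storage 1-2:1.0: USB Mass Storage device detected"
RE_STORAGE = re.compile(
    r"usb-storage (?P<dev>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)
# "hid-generic 0003:1234:5678.0002: input,hidraw1: USB HID v1.11 Keyboard [...]"
RE_HID_KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.[0-9A-Fa-f]+: "
    r".*USB HID v[\d.]+ Keyboard"
)

Finding = Tuple[str, str, str]  # (device path, vid:pid, reason)


def analyse(lines: List[str]) -> List[Finding]:
    """Correlate enumeration, storage and HID messages and return findings."""
    vidpid_of: Dict[str, str] = {}   # device path -> "vid:pid"
    storage: Set[str] = set()        # device paths with a mass-storage interface
    keyboards: Set[str] = set()      # vid:pid values that registered a keyboard
    for line in lines:
        if m := RE_NEW_DEVICE.search(line):
            vidpid_of[m["dev"]] = f"{m['vid']}:{m['pid']}".lower()
        elif m := RE_STORAGE.search(line):
            storage.add(m["dev"])
        elif m := RE_HID_KEYBOARD.search(line):
            keyboards.add(f"{m['vid']}:{m['pid']}".lower())

    findings: List[Finding] = []
    for dev, vidpid in sorted(vidpid_of.items()):
        if vidpid not in keyboards:
            continue  # never registered as a keyboard: outside this heuristic
        if dev in storage:
            findings.append((dev, vidpid, "keyboard+storage composite"))
        elif vidpid not in KNOWN_KEYBOARDS:
            findings.append((dev, vidpid, "unlisted keyboard"))
    return findings


# Constructed sample log: an issued keyboard, a drive that also types,
# a plain drive, and an unknown keyboard.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
hid-generic 0003:ABCD:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [Corp Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
hid-generic 0003:1234:5678.0002: input,hidraw1: USB HID v1.11 Keyboard [Mystery Drive] on usb-0000:00:14.0-2/input1
usb 1-3: New USB device found, idVendor=1234, idProduct=9999, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=5555, idProduct=0002, bcdDevice= 1.00
hid-generic 0003:5555:0002.0003: input,hidraw2: USB HID v1.11 Keyboard [Unknown Keyboard] on usb-0000:00:14.0-4/input0
"""

if __name__ == "__main__":
    for dev, vidpid, reason in analyse(SAMPLE_LOG.splitlines()):
        print(f"ALERT usb {dev} ({vidpid}): {reason}")
```

Treat a hit as a trigger for review rather than proof of attack: some legitimate composite devices (keyboards with built-in storage, hardware security keys) register several interfaces too. The hard control remains the one the page names, blocking unauthorised USB devices at the port; this heuristic is the detection layer that sits behind it.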

Organisations experience all-time high number of cyber attacks

Cyber attacks increased by 50% year-on-year in 2021, and peaked in December due to the frenzy of Log4j exploits, researchers found. Millions of Log4j-targeted attacks per hour were clocked after the flaw’s discovery last month. The result was a record average of 925 cyber attacks a week per organisation last year.

2021 had already been on track to break records even before the Log4Shell vulnerabilities became known. They allowed unauthenticated remote code execution (RCE) and complete server takeover, which led to exploitation within hours. The statistics showed a 40% rise in attacks as of October, with earlier numbers showing that one out of every 61 organisations around the world had been hit by ransomware each week.

Researchers said that education and research was the sector with the most attacks in 2021, with an average of 1,605 attacks every week. The second most picked-on sector was government/military, which saw 1,136 attacks per week. Then came the communications industry, with 1,079 attacks weekly per organisation. Cyber attacks in Europe saw a 68% increase with 670 attacks weekly.

Researchers said: “In a multi-hybrid environment, where the perimeter is now everywhere, security should be able to protect it all. Email, web browsing, servers and storage are the basics. Mobile apps, cloud and external storage are also essential, along with the safety compliance of connected mobile and endpoint devices, and internet-of-things (IoT) devices. Additionally, workloads, containers and serverless applications on multi and hybrid cloud environments should be part of the checklist at all times.”

As ever, standard-issue security best practices apply. These consist of: keeping up-to-date with security patches to stop attacks that leverage known flaws, applying strong firewall safeguards between network segments in order to contain infections from propagating across the entire network, and the education of employees.

Phishing Awareness Training can do just that. User awareness can prevent an attack before it occurs. By taking the time to educate your users and ensure that if they see something unusual, they report it to your security teams immediately, you could be protecting your business from dangerous malware.

Neuways also recommends two further components to consider: threat extraction and threat emulation. Each provides distinct protection, and, when used together, they offer a comprehensive solution for protection against unknown malware at the network level.

Adobe Cloud being used to steal credentials

Attackers are leveraging Adobe Creative Cloud to target Office 365 users with malicious links that appear to be legitimate. The emails instead direct victims to a link that steals their credentials. Researchers first discovered the ongoing campaign in December 2021 when they stopped one of the cyber attacks.

Adobe Creative Cloud is a popular suite of apps for file-sharing and creating and includes widely used apps such as Photoshop and Acrobat. Though attackers are primarily targeting Office 365 users – a favourite target among threat actors – researchers have seen them hit Gmail inboxes as well. An attacker creates a free account in Adobe Cloud, before creating an image or a PDF file that has a link embedded within it. This is then shared by email to an Office 365 or Gmail user.

Researchers said: “Think of it like when you create a Docusign. You create the document and then send it to the intended recipient. On the receiving end, they get an email notification, where they click to be directed to the link.”

Though the links inside the documents sent to users are malicious, they are not hosted within Adobe Cloud but instead point to another domain controlled by the attackers. Researchers shared screenshots of the attack they observed. One shows what looks like a legitimate PDF called Closing.pdf, apparently sent from Adobe, with an “Open” button to open the file.

When the user clicks on the link, they are redirected to an Adobe Document Cloud page that includes an “Access Document” button that supposedly leads them to the Adobe PDF. However, that link actually leads to a classic credential-harvesting page, which is hosted outside the Adobe suite. Attackers can use this model for sending various legitimate-looking Adobe Cloud documents or images to unsuspecting users.

Though the other example seen by researchers includes text with grammatical errors that should alert a user that it’s suspicious if they are paying attention, the campaign has been created to evade detection from both end users and email scanners. The notification comes straight from Adobe, a company that users trust and which is also on most email security “Allow Lists”. Additionally, the spoofed email looks just like a traditional email that an end user would receive from Adobe.

Researchers don’t know who is behind the campaign, which at the moment is solely harvesting credentials, though “that could change”. To avoid falling victim to the campaign, we recommend inspecting all Adobe Cloud pages for grammar and spelling, as well as hovering over links to ensure the intended page is legitimate. Security professionals should deploy email protection that doesn’t rely on static “Allow Lists” but instead uses dynamic, AI-driven analysis, because some “Allow Lists” let malicious emails slip through when attackers send spoofed emails that appear to come from trusted entities.

DoS, RCE, Spoofing cyber attacks made possible by new bugs

Dangerous security bugs stemming from widespread inconsistencies among 16 popular third-party URL-parsing libraries could affect a wide swath of web applications. Eight different security vulnerabilities could allow denial-of-service (DoS) conditions, information leaks and remote code execution (RCE) in various web applications, according to researchers.

The bugs were found in third-party web packages written for various languages, and, like Log4Shell and other software-supply chain threats, could have been imported to hundreds or thousands of different web apps and projects. Among those afflicted are Flask, Video.js, Belledonne, Nagios XI and Clearance.

URL parsing is the process of breaking down a web address into its underlying components, in order to correctly route traffic across different links or into different servers. URL parsing libraries, which are available for various programming languages, are usually imported into applications in order to fulfil this function.

Researchers explained: “URLs are actually built from five different components: scheme, authority, path, query and a fragment. Each component fulfills a different role, be it dictating the protocol for the request, the host which holds the resource, which exact resource should be fetched and more.”

According to a combined analysis, security holes crop up thanks to differences in the way each library goes about its parsing activities. Across the 16 libraries, researchers identified five categories of inconsistencies in how these libraries parse components:

  • Scheme Confusion: A confusion involving URLs with missing or malformed Scheme
  • Slash Confusion: A confusion involving URLs containing an irregular number of slashes
  • Backslash Confusion: A confusion involving URLs containing backslashes (\)
  • URL Encoded Data Confusion: A confusion involving URLs containing URL Encoded data
  • Scheme Mix-ups: A confusion involving parsing a URL belonging to a certain scheme without a scheme-specific parser

The problem is that these inconsistencies can create vulnerable code blocks, thanks to two main web-app development issues:

  • Multiple Parsers in Use: Whether by design or an oversight, developers sometimes use more than one URL parsing library in projects. Because some libraries may parse the same URL differently, vulnerabilities could be introduced into the code.
  • Specification Incompatibility: Different parsing libraries are written according to different web standards or URL specifications, which creates inconsistencies by design. This also leads to vulnerabilities because developers may not be familiar with the differences between URL specifications and their implications.

As an example of a real-world attack scenario, slash confusion could lead to server-side request forgery (SSRF) bugs, which could be used to achieve RCE. Researchers explained that different libraries handle URLs with more than the usual number of slashes (https:///www.google.com, for instance) in different ways. Some of them ignore the extra slash, while others interpret the URL as having no host.

In the case of the former, accepting malformed URLs with an incorrect number of slashes can lead to SSRF. URL confusion also underlies the Log4Shell patch bypass: two different URL parsers were used inside the JNDI lookup process, one to validate the URL and another to fetch it, so a URL that passed validation could still resolve to a different host when fetched.

Open-redirect vulnerabilities are popular for exploitation because they enable spoofing, phishing and man-in-the-middle attacks (MITM). They occur when a web application accepts a user-controlled input which specifies a URL that the user will be redirected to after a certain action. When a user logs into a website, for example, they could be redirected to a malicious lookalike site.
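The two-parser problem above (validate with one library, fetch with another) and the open-redirect case share a mitigation: parse the URL once, reject the confusion classes listed earlier, and hand the fetcher or redirect handler a canonical string rebuilt from the validated components, so whatever parses it downstream sees exactly what was checked. The Python below is an added example, not code from the page or from the research it summarises. `ALLOWED_SCHEMES` and `ALLOWED_HOSTS` are constructed allowlists for the example, and the slash check relies on the standard library’s `urllib.parse.urlsplit` giving `https:///host` an empty authority.

```python
"""Parse-once URL validation for fetch targets and redirect destinations.

Added example: each rejection corresponds to one of the confusion classes
named in the page (scheme, slash, backslash, URL-encoded data), and the
returned string is rebuilt from the validated parts so that a second parser
downstream sees exactly what was checked.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlists for this example; a real deployment derives these
# from configuration.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "api.example.com"}


def canonical_url(raw: str) -> Optional[str]:
    """Return a canonical URL for `raw`, or None if it must be rejected."""
    # Backslash confusion: WHATWG-style parsers treat '\' as '/', RFC 3986
    # parsers do not, so the authority differs between libraries. Reject.
    if "\\" in raw:
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    # Scheme confusion: missing or unexpected scheme (including javascript:).
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    # Slash confusion: urlsplit gives 'https:///host' an empty authority;
    # other libraries drop the extra slash and use 'host'. Reject rather
    # than let a fetcher pick either interpretation.
    if not parts.netloc:
        return None
    # URL-encoded data or userinfo inside the authority: libraries disagree
    # on whether '%2F' or 'user@' ends the host, so neither is accepted.
    if "%" in parts.netloc or "@" in parts.netloc:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if not host or host not in ALLOWED_HOSTS:
        return None
    netloc = host if port is None else f"{host}:{port}"
    canonical = urlunsplit(
        (parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment)
    )
    # Round-trip check: the string handed on must parse back to the validated host.
    if urlsplit(canonical).hostname != host:
        return None
    return canonical


def redirect_target(user_supplied: str, fallback: str = "https://example.com/") -> str:
    """Open-redirect guard: use the canonical form or fall back to a fixed page."""
    return canonical_url(user_supplied) or fallback


if __name__ == "__main__":
    # Constructed inputs covering each confusion class.
    for sample in [
        "https://example.com/a?b=c",
        "HTTPS://Example.COM:443/x",
        "https:///example.com/",             # slash confusion
        "https://example.com\\evil.com/",    # backslash confusion
        "https://example.com%2F.evil.com/",  # URL-encoded data confusion
        "example.com/x",                     # missing scheme
        "javascript:alert(1)",               # scheme mix-up
        "https://user@example.com/",         # userinfo in authority
        "https://evil.com/",                 # host not allowlisted
    ]:
        print(f"{sample!r:40} -> {canonical_url(sample)!r}")
```

The point of the rebuild step is that the fetcher never receives the raw input: even if the HTTP client uses a different parsing library with its own view of slashes or backslashes, the only string it is given is one whose host has already been checked and that round-trips to the same host under the validating parser.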

Neuways advises users to be wary of the applications they use. Keeping them updated with the most recent security patches avoids issues such as those described above.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.