Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which, we here at Neuways, bring attention to the latest cybersecurity threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

 

Neu Cyber Threats

Under fire software provider acquires decryptor key for ransomware

European football championship fever (aka Euro 2020) is sweeping the nation, which has sloped over into easy-to-crack passwords. Passwords such as ‘football’, are easy for cyber criminals to crack via a dictionary attack – a brute-force attack that involves trying thousands of random words as passwords, using sources like every word in Wikipedia’s databases.

Beyond dictionary attacks, it’s simpler to crack a password such as ‘football’, within the context of current events. In fact, ‘football’ itself has popped up 353,993 times in the database of 1 billion unique, clear-text, breached passwords maintained by authentication firm Authlogics. In that database, there are ‘over 1 million associated with football’, the company disclosed.

The top five examples of football passwords include:

Top 5 football terms Number of occurrences
Football 353,993
Liverpool 215,842
Chelesea 172,727
Arsenal 151,936
Barcelona 131,090
Total 1,136,155

 

The main issue behind insecure passwords stems from human nature: people who need to create passwords often seek out the path of least resistance, which leads to passwords that they’ll remember but are insecure. That may include the name of a pet or birthday, which threat actors can easily discover through a quick online search, given that personally identifiable information (PII) are often shared freely and openly on social media.

The ‘mind-boggling’ number of football-associated passwords poses an ‘obvious problem’, according to the researchers. “These breached passwords are obviously insecure, but they also speak to serious problems for other accounts owned by the compromised individuals.” Indeed, once an account’s password is compromised, it is important the person linked to the account changes all of their other accounts, as Google research shows that 52% of people reuse the same password for multiple accounts, while only 33% use a different password and 13% reuse the same password for all their accounts.

Poor password hygiene has been a long-standing issue that has plagued the security industry for years. Poor password hygiene includes password reuse, picking easy-to-guess passwords, or simply by leaving a breached password in use. Indeed, it was poor password hygiene that caused the much-discussed DarkSide Colonial Pipeline hack in May 20201, a no-longer-used password for a VPN provider was the cause here. As it turns out, the VPN password that was used for the Colonial Pipeline attack turned up in a batch of compromised passwords on the Dark Web.

Neuways advises the following to achieve good password hygiene:

  • Replace the password with a pattern. As opposed to using a word, which is easily recognisable and easily stolen, use a code or pattern formed out of letters or numbers which is unique to you.
  • Use a variety of different symbols: a combination of letters (some upper case and some lower), numbers and symbols.
  • Try your absolute best to not reuse passwords. While this might mean you need to remember more passwords (or use a password manager) it goes a long way to limiting the damage should one of your accounts become breached.

Cyber criminals using Google Docs to host phishing attacks

Neu Cyber Threats

Threat actors are exploiting Google Docs by hosting their phishing attacks within the web-based document service in a brand-new phishing campaign that delivers malicious links aimed at stealing victims’ account credentials.

Researchers have claimed that this is the first time they’ve seen attackers use this type of exploit in Google’s hosted document service. By hosting attacks in this way, attackers can bypass link scanners and evade detection from common security protections that aim to verify that links sent via email are legitimate.

The attack begins with an email that includes a message that could be relevant to business users who commonly use Google Docs within their corporate environment. In the example shown in the report, the message claims the link contains a set of “new rules for June 25”. If a user clicks on the link, the page appears familiar to anyone using Google Docs to share documents outside the organisation – but looks can be deceiving. Researchers said: “This, however, isn’t that page, it’s a custom HTML page made to look like that familiar Google Docs share page”.

Once redirected, potential victims are asked to “click here” to download the document. If the user clicks, the page re-directs to the actual malicious phishing website which steals the victim’s credentials using another web page made to look like the Google login portal which is actually hosted from a URL clearly not affiliated with the tech giant. The trick to creating the attack vector is that the heavy lifting of the campaign is done by Google Docs, making it “quite simple to execute”.

First, an attacker would write a web page that resembles a Google Docs sharing page, and then upload that HTML file to Google Drive. Once the file is scanned, Google renders the HTML into a preview page that looks very much like a typical Google Docs page. An attacker can right-click on the uploaded file and open it in Google Docs, which is where the simple yet integral aspect of the attack takes place.

Neuways advises any Google Docs users to be vigilant if they receive any kind of unexpected email notifications from the service as these could be the work of cyber criminals.

Faux cyber crime gangs taking aim at businesses

Such was the prevalence of the Colonial Pipeline hack earlier in 2021, there have been instances of cyber criminals posing as DarkSide, the group behind the devastating hack sending threatening emails to business across a range of sectors. A fear-based social-engineering campaign has been distributed that warn that they have successfully hacked the recipient’s enterprise network and lifted sensitive information, which will be publicly disclosed if a ransom of £2.7 million is not paid.

DarkSide generally offers proof that it has obtained stolen sensitive data, which these cyber criminals have not managed to provide. Also, even though the fraudsters claim to be a ransomware gang, there’s no encryption of any files or other content on the victim’s networks.

It’s also worth noting that DarkSide generally asks for between £150,000 to £1.5 million according to previous reporting – not the almost £2.7 million requested in the recent emails. The researchers stated: “This campaign looks amateurish compared to known previous DarkSide activities. We believe that most companies will not be urged to pay that amount without being shown any real evidence that the network has been compromised and sensitive data is about to leak in public.”

Researchers observed emails hitting a few targets daily, beginning with June 4. The messages were sent to generic email addresses within the businesses (i.e., addresses such as “support@[companyname].com” or similar). The sender emails are darkside@99email[.]xyz and darkside@solpatu[.]space.

It appears that the same attacker also filled out contact forms on several companies’ websites, submitting the same content via web form as what’s included in the emails.

Even so, it appears that the DarkSide doppelganger isn’t actually making any money – likely due to the lack of any encryption and the questionable email details: “As of writing, the criminals have not received or sent any funds” researchers said. “No actual attack has been traced back to the emails, and no new targets have been spotted.”

Neuways would like to remind businesses of all shapes and sizes, in a variety of industries, that cyber criminals are using cyber attacks at an unprecedented level to try and extort money. No business is too small or unlikely to be targeted over another, as criminals only see a range of targets that could provide them money, they don’t care if you’re a small or enterprise-level organisation.

Apple have released emergency patches for Safari bugs

Apple issued two out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that, ‘may have been actively exploited’. The bugs affect sixth-generation Apple iPhones, iPads and iPod Touch model hardware, released between 2013 and 2018. Businesses using these devices must update them as soon as possible to avoid any further issues.

An Apple spokesperson said: “Apple is aware of a report that this issue may have been actively exploited.” They added information of the vulnerabilities will not be released until patches or releases are made available following an investigation. The bugs are tied to Apple’s Safari browser and the underlying iOS code, called WebKit, which is responsible for rendering web pages. The patch, iOS 12.5.4, is available for download now.

One of the bugs is a memory corruption bug (CVE-2021-30761) patched by Apple to address a “memory corruption issue” and improves the Apple WebKit state management. This refers to the management of the state of one or more user interface controls such as text fields, OK buttons, radio buttons, etc. in a graphical user interface.

According to Apple, the patch for the bug addresses a bug found in iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The second flaw was identified as a use-after-free bug (CVE-2021-30762), which is a type of memory corruption vulnerability. The bug allows an attacker to execute code on targeted devices and according to Apple, adversaries may be exploiting this flaw on unpatched devices. A use-after-free is a vulnerability related to incorrect use of dynamic memory during program operation and, if after freeing a memory location, a programme does not clear the pointer to that memory, an attacker can use the error to hack the program.

The iOS patch, distributed as a iOS 12.5.4 update, is for the same model hardware as above.

Neuways advises affected Apple users to ensure they install the patches as soon as possible to avoid any related issues. Failure to do so could result in their credentials and device information being compromised. The same should be reiterated for patches and updates distributed to any of your software or hardware in use. These updates provide up-to-date security fixes and are the key to keeping your business cyber-safe.

Neu Cyber Threats

Underground markets for ransomware-as-a-service on the rise

It’s well known that email is the gateway for cyber criminals looking to infiltrate corporate networks. But there’s an increasing trend of ransomware gangs buying their way onto networks and partnering with other criminal groups that have already paved the way for entry into business’ corporate networks with first-stage malware.

Researchers have uncovered a ‘lucrative criminal ecosystem’ that works to mount successful ransomware attacks, like the ones that have made headlines, such as Colonial Pipeline, and caused a significant disruption around the world recently. Before the main ransomware payload hits the network, known ransomware gangs such as Ryuk, Egregor and REvil team-up with threat actors who specialise in initial infection using various forms of malware – such as TrickBot, BazaLoader and IcedID.

Ransomware operators often buy access from independent cyber criminal groups who have infiltrated major targets and sell access to the ransomware actors for a slice of their theft. Cyber criminal threat groups already distributing banking malware or other trojans may also be part of these ransomware affiliate networks.

The relationship between these threat actors and ransomware groups is not one-to-one as multiple threat actors use the same payloads for ransomware distribution. It seems as though banking trojans such as TrickBot and Emotet are the initial method of choice for these access brokers to establish backdoor entrances using malicious email links and attachments, with about 20% of the malware seen in the first half of 2021 infiltrating networks this way.

Researchers have also observed evidence of ransomware deployed via malware called SocGholish, which uses fake updates and website re-directs to infect users, as well as via Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators use to evade detection.

The news should come as no surprise to businesses, but it also is a large reason why businesses should consider investing in the cyber defences. By avoiding a cyber criminal group gaining access to your business’ corporate network, you are avoiding a potential long-term issue with cyber criminals. Investing in a Disaster Recovery and Business Continuity plan with Neuways will help your business to shore up its defences, while also accounting for many other problems that could come up concerning your business’ ability to operate and stay safe.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.