Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds and malware, including ransomware and DDoS, to help you stay safe online.

Here are the most prominent threats which you should be aware of:



Passenger and employee data leaked in AirAsia ransomware attack

Last week, the popular airline AirAsia fell victim to a ransomware attack by the Daixin Team. The threat actors informed DataBreach that they had gathered data on 5 million passengers and all employees. One of the two files obtained contained passenger information; the other held employee information, including name, date of birth, country of birth, location, employment start date and “secret question” answer.

AirAsia responded to the attack immediately and asked Daixin’s negotiator for a sample of the data. After receiving the file, they “asked in great detail how we would delete their data in case of payment.” The amount Daixin demanded is unknown; however, as no attempt was made to negotiate the price, it has been claimed that AirAsia clearly had no intention of paying anything.

The Daixin spokesperson explained that, while locking the files, the team had avoided locking “XEN, RHEL – hosts of flying equipment (radars, air traffic control and such)”. The poor organisation of AirAsia’s network, however, spared the company further attacks: although Daixin encrypted a lot of the data and deleted any backups, they did not go as far as they normally would. Unusually, the group was unwilling to dig through the “garbage”, having been irritated by the chaotic organisation.

Daixin has informed DataBreach that, as well as leaking passengers’ and employees’ information on their leak site, they will also make information about the network, such as “backdoors”, available for free on hacker forums.

Experts warn of a high-volume malspam campaign delivering payloads such as Bumblebee and IcedID as the Emotet malware returns

The banking trojan known as Emotet, active since at least 2014 and operated by the threat actor TA542, has returned. The trojan has also been used to deliver other malicious code, such as Trickbot and QBot, and ransomware, such as Conti, ProLock, Ryuk and Egregor.

In April, the operators began testing new attack techniques in response to Microsoft’s decision to remove Visual Basic for Applications macros by default. Experts later discovered a new version of the Emotet bot with a module that steals credit card information stored in the Google Chrome browser. Emotet’s operators enhanced their attack chain by employing multiple attack vectors to stay under the radar. Reports later stated that the operators were inactive between July and November 2022.

The threat actors have since been reported distributing hundreds of thousands of emails a day, suggesting Emotet is returning to full functionality. Experts have noticed changes to the bot and its payloads, with the operators also changing the malware’s modules, loader and packer. The changes observed by Proofpoint are:

· New Excel attachment visual lures
· Changes to the Emotet binary
· The IcedID loader dropped by Emotet is a new, lightweight version of the loader
· Reports of Bumblebee being dropped in addition to IcedID

Recent emails carried a weaponised Excel attachment inside a password-protected zip file. The Excel file contains XL4 (Excel 4.0) macros, which download the Emotet payload from multiple built-in URLs.

The Excel file instructs recipients to copy it to a Microsoft Office Template location and open it from there. Because that location is “trusted”, opening the document from it displays no macro warning.

Qakbot banking trojan sees a 400% increase within the last two months

Qakbot, or Pinkslipbot, is malware historically known as a banking trojan used to gather financial information from infected targets. It has been active in the wild since 2007 but, according to a Huntress report, has seen a 400% increase in activity within the last two months. Threat intelligence shows this increase globally, which could indicate the return of Qakbot, so it is essential to secure your environment where possible.

Qakbot is sophisticated malware that self-propagates and spreads throughout a network, making it tricky to prevent and detect. However, Qakbot typically enters a network through email attachments. Disabling Autoplay and Autorun, so that attachments are not run automatically, reduces the risk, and blocking specific file types helps prevent not only Qakbot but other malware too. Blocking common types such as .LNK, .ISO and .EXE files in email stops those file types from reaching the endpoints.
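The attachment-blocking advice above, and the password-protected zip wrapping an Excel lure described in the Emotet section, can both be enforced at the mail gateway. The Python script below is an added example, not Neuways’ or any vendor’s tooling: it walks the parts of an RFC 822 message, flags attachments whose extension is on a block list, opens zip attachments to apply the same policy to their contents, and reports encrypted zip entries it cannot inspect. The block list, the sample message and the placeholder attachment bytes are constructed for the example.

```python
"""Inbound-mail attachment policy check (added example, not Neuways' tooling).

Flags attachments with blocked extensions (.lnk, .iso, .exe, ...), applies the
same rule inside zip archives, and reports password-protected zip entries,
the packaging the Emotet campaign used around its Excel lure.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the Qakbot section plus a few common droppers (constructed list).
BLOCKED_EXTENSIONS = {".lnk", ".iso", ".exe", ".js", ".vbs", ".scr", ".hta"}
# Macro-capable Office formats worth surfacing when they arrive inside an archive.
MACRO_EXTENSIONS = {".xls", ".xlsm", ".xlsb", ".doc", ".docm"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    return PurePosixPath(name).suffix.lower()


def scan_zip(data: bytes, outer_name: str) -> list:
    """Return policy findings for the entries of a zip attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{outer_name}: corrupt or non-zip archive"]
    for info in zf.infolist():
        entry = f"{outer_name}/{info.filename}"
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag means encrypted
            findings.append(f"{entry}: password-protected entry, cannot inspect")
            continue
        ext = _ext(info.filename)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{entry}: blocked type {ext} inside archive")
        elif ext in MACRO_EXTENSIONS:
            findings.append(f"{entry}: macro-capable Office file inside archive")
    return findings


def scan_message(raw: bytes) -> list:
    """Scan every attachment of an RFC 822 message and return policy findings."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        ext = _ext(name)
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: blocked type {ext}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(scan_zip(payload, name))
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: a .lnk attachment and a zip wrapping a .exe and a .xls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ placeholder")  # constructed, not a real binary
        zf.writestr("Invoice-2022.xls", b"not a real workbook")  # constructed
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"L\x00\x00\x00", maintype="application",
                       subtype="octet-stream", filename="Scan.lnk")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return bytes(msg)


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print(line)
```

Encrypted entries are reported rather than silently skipped, since a password-protected archive is exactly the case where the gateway cannot see the macro-bearing document inside; a quarantine-and-review rule for such attachments is the practical complement to the extension block list.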

Security awareness training helps your staff learn what to look for in a phishing email. It is also vital to have a process in place for staff to follow if they do click a malicious link. This is called an incident response (IR) plan, and a well-rehearsed IR plan can drastically reduce the impact of an attack and prevent an infection from spreading.

Black Friday and Cyber Monday Scams – Stay alert

Stay alert this Black Friday and Cyber Monday – did you know that more than half of Black Friday emails are fraudulent?

Black Friday Week and Cyber Monday are incredibly lucrative for scammers and hackers. You may think that you’re getting the ‘Best Deal’ possible, but the truth is that after you click on the fake offer – cyber criminals are getting the best deal out of all – access to your financial information!

According to research from Bitdefender, more than 56% of Black Friday emails are scams.

If the offer seems too good to be true, more than likely it is!

Neuways urges you to be cautious with your emails and the offers you receive. If you are not sure how to recognise Phishing Emails, download our Free Booklet that takes you through all the steps on how to recognise phishing emails: https://neuways.com/wp-content/uploads/2021/09/Phishing-Awareness-Training-Booklet.pdf

A few things to look out for when it comes to fraudulent phishing emails:

• Sense of urgency
• A fake sender email address
• Malicious URLs
• Spelling mistakes

Quick tip: to recognise malicious URLs, hover over the link, but don’t click! If the link looks odd, with plenty of numbers and letters, or is spelt slightly wrong, you have most likely just received a phishing email!
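The hover-and-check tip above can be partly automated for a mailbox or gateway. The Python below is an added example, not code from Neuways: it parses the anchors out of an HTML email body and flags links whose host is a raw IP address, an internationalised (xn--) name, a lookalike of a brand domain (brand name embedded in some other domain, or one character off), or whose visible text names a different domain than the real destination. The brand list and the sample HTML are constructed for the example; a real deployment would use the organisation’s own list of expected senders.

```python
"""Link checker for HTML email (added example, not Neuways' code).

Reports anchors whose destination does not match what the reader sees,
plus the 'odd-looking' hosts the quick tip describes.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands shoppers might expect offers from; constructed list for the example.
KNOWN_BRANDS = ("amazon.co.uk", "argos.co.uk", "currys.co.uk", "paypal.com")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude owner domain: last two labels, or three for co.uk-style hosts."""
    labels = host.lower().split(".")
    two_level = len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2
    return ".".join(labels[-3:] if two_level else labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, text: str) -> list:
    """Return the reasons a single anchor looks suspicious (empty list if none)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no host in link"]
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (xn--) host, may be a homoglyph")
    domain = registrable_domain(host)
    if domain not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            brand_name = brand.split(".")[0]
            if brand_name in host and not host.endswith(brand):
                reasons.append(f"'{brand_name}' appears in a non-{brand} host")
                break
            if edit_distance(domain.split(".")[0], brand_name) == 1:
                reasons.append(f"host is one character off {brand}")
                break
    # Visible text that looks like a domain but differs from the real destination.
    shown = text.lower().split("://")[-1].split("/")[0]
    if " " not in shown and "." in shown and registrable_domain(shown) != domain:
        reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def check_email_links(html: str) -> dict:
    """Return {href: [reasons]} for every suspicious anchor in the HTML body."""
    parser = _AnchorCollector()
    parser.feed(html)
    result = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            result[href] = reasons
    return result


# Constructed sample: one genuine link and three phishing-style links.
SAMPLE_HTML = """
<p>Black Friday deals end tonight!</p>
<a href="https://www.amazon.co.uk/deals">Shop now</a>
<a href="http://amazon.co.uk-offers.example.net/login">amazon.co.uk</a>
<a href="http://198.51.100.23/secure">Confirm your card</a>
<a href="https://paypa1.com/verify">Verify account</a>
"""

if __name__ == "__main__":
    for href, reasons in check_email_links(SAMPLE_HTML).items():
        print(href, "->", "; ".join(reasons))
```

The genuine Amazon link produces no finding, while the other three are caught by different rules, which is the point: no single heuristic catches every lookalike, so the checks are layered and each reason is reported so a reviewer can see why a link was flagged.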

Remember: do not rush into anything; take a step back and think about it. Hackers use the fear of missing out to stop you from thinking it through.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.