Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Microsoft 365 Becomes Haven for BEC Innovation

Two new phishing methods have emerged that manipulate Microsoft 365 automated email responses in order to evade email security filters. In the first, scammers reach victims through legitimate out-of-office (OOO) replies redirected from an employee to them. In the second, read receipts are exploited. Both threats were identified as being in use in late 2020, when auto-responders were more widely used because of festive holiday leave being taken by businesses.

In the read-receipts attack, cyber criminals create an extortion email and set the ‘Disposition-Notification-To’ email header so that Microsoft 365 generates a read-receipt notification to the recipient. The email itself may be picked up by some email security solutions, but the read receipt is sent to the target anyway. This contains the original email’s text and bypasses traditional security solutions because it is generated from the internal Microsoft system.

It is thought that the urgency demanded by the sender, to click on a malicious link, is what results in the victim’s device being compromised. The outcome could be as severe as allowing the cyber criminal to escalate privileges across an entire business network. In the OOO attack, the cyber criminal creates an email that impersonates someone within the business and manipulates the ‘Reply-To’ email header so that, if the victim has an OOO message turned on, that OOO notification, including the original text, is directed to a colleague within the organisation.

As with the read-receipt exploit, the message won’t be picked up by email security systems because it originates from the target’s account rather than an external one.
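As an added illustration of the header abuse described above (this is not code from the original post or from Microsoft), the following Python check flags messages whose ‘Reply-To’ or ‘Disposition-Notification-To’ header would route an automatic response somewhere other than the visible sender, or back inside the organisation from an external message. The domain corp.example, the two sample messages and the `external` flag (assumed to be supplied by the receiving mail gateway) are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Headers that decide where Microsoft 365 sends automatic replies and read receipts.
ROUTING_HEADERS = ("Reply-To", "Disposition-Notification-To")

def _domain(value):
    """Lower-cased domain of the first address in a header value, or None."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def check_auto_reply_routing(raw_message, internal_domains, external):
    """Return (header, reason) findings for one raw message. `external` is the
    gateway's own knowledge that the mail arrived from outside (hypothetical flag)."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    findings = []
    if external and from_domain in internal_domains:
        findings.append(("From", "internal domain on external mail"))
    for name in ROUTING_HEADERS:
        if msg.get(name) is None:
            continue
        target = _domain(msg.get(name))
        if target != from_domain:
            findings.append((name, "differs from From domain"))
        if external and target in internal_domains:
            findings.append((name, "auto-response routed inside"))
    return findings

INTERNAL = {"corp.example"}  # constructed: the protected organisation's domain

# Constructed sample 1: read-receipt abuse, receipt requested to a third address.
RECEIPT_ABUSE = """\
From: Billing <billing@invoice.test>
To: finance@corp.example
Disposition-Notification-To: collector@dropbox.test

Pay today or legal action follows.
"""

# Constructed sample 2: OOO abuse, spoofed internal sender with Reply-To aimed at a colleague.
OOO_ABUSE = """\
From: CEO <ceo@corp.example>
To: alice@corp.example
Reply-To: bob@corp.example

Wire the supplier before close of business.
"""
```

The same message is clean when it genuinely comes from inside (`external=False`), so the check only adds signal when combined with the gateway’s knowledge of where the connection came from.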

The rise of attacks like these has been attributed to the large increase in remote working over the past 12 months. Phishing attacks have risen because employees cannot walk over to a colleague’s desk in the office, which makes it hard for untrained eyes to validate unknown texts or emails.

Emotet Takedown Disrupts Vast Criminal Infrastructure

In good news for businesses, the Emotet malware strain, one of the most prolific in the world, has been dismantled by a combined effort of cyber authorities. Hundreds of servers have been taken down and 1 million infections removed globally.

Authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States came together to bring down a network of hundreds of botnet servers supporting Emotet. Emotet is a loader-type malware that has plagued businesses and organisations for years since its discovery in 2014. It is typically spread via malicious phishing emails or text messages.

It is often used as an early-stage infection whose primary job is to inject secondary malware payloads, including the likes of Trickbot, Qakbot and Ryuk ransomware. Its success can be seen in its operators often renting out its infrastructure to other cyber crime groups for use in gaining access to corporate networks. It is a so-called ‘modular malware family’ that can install all kinds of additional malware on systems, steal passwords from browsers and email clients, and is very difficult to remove. Before this takedown, an average of 100,000 to half a million phishing emails containing Emotet were distributed every day.

While there is no guarantee that any takedown will cause a permanent disruption to Emotet, this is a victory for many businesses and cyber authorities around the world. Those who operated Emotet will more than likely find a way to recover remnants of it and repurpose it into a new version. For now, we’d advise everyone to remain wary of phishing emails. While Emotet has been dealt a huge blow, there are still plenty of other malware threats out there that haven’t gone away. Remember to keep your guard up if you receive any suspicious communications, especially those that require an ‘urgent’ action that involves clicking a link or opening an attachment you have been sent.

Apple Patches Three Actively Exploited Zero-Days, Part of iOS Emergency Update

Apple have issued patches to rectify three actively exploited zero-day vulnerabilities as part of an iOS emergency update. Additionally, the company have added a security service called BlastDoor to iOS 14, which prevents message-based zero-click exploits through its iMessage service.

Bugs were identified in the software’s kernel and WebKit browser engine that are likely part of an exploit chain. These three recent vulnerabilities were noticed after a major software update in November had already fixed three other vulnerabilities that were being actively exploited.

BlastDoor was introduced after espionage attacks were found to have been launched against businesses. The new mechanism effectively filters inbound messages to ensure that no malicious communications can be used to compromise a recipient’s device. While these fixes have been issued to solve mobile-only issues, if your business uses Apple products there was potential for malware to spread between devices linked via the Apple ecosystem. It is thought cyber criminals may have been actively taking advantage of the latest bugs.

Apple described the kernel flaw as ‘a race condition’ that the update addresses ‘with improved locking’. If exploited, the vulnerability allows a malicious application to escalate privileges and compromise a device after its user visits a malicious website that leverages the WebKit flaw. Devices affected by the zero-day vulnerabilities, and covered by the fixes, include: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).

Users are urged to ensure their devices are updated with the recent patches as soon as possible. This is good cyber hygiene and useful to employ across any device you use. If automatic updates can be switched on, you should do so, as it will ensure that any time a quick fix or patch is issued by a developer, your device(s) will download and apply it, keeping your device safe and secure.

Outsourcing giant Serco hit by ransomware attack

Cyber criminals have deployed Babuk ransomware to encrypt large quantities of data held by companies in a variety of industries around the world. One of the latest attacks has impacted Serco, the outsourcing firm behind the NHS Test and Trace app.

Babuk has only gained notoriety within the last few weeks, and the lack of information about it makes it a particularly potent and very real threat. As Babuk is deployed, it attempts to terminate various security and recovery services as well as database, browser and email programmes.

It encrypts all non-system files on local and network drives, before encrypting the keys for this data. While the coding of the malware isn’t particularly complicated, it is the way the encryption has been implemented that makes it difficult for victims to decrypt files for themselves.

While it is unclear what the attack vector was in this case, it is thought the distributors of Babuk are employing social engineering. This focuses on tricking staff into clicking an attachment or a link in a message that could compromise the cyber security of the business. This is what makes cyber security training an absolute must for businesses. By ensuring employees engage in regular Phishing Awareness Training, businesses are doing the best job they can to protect themselves. Staff must understand the tricks and techniques that cyber criminals commonly use, so they can identify them and know how to deal with them. More worryingly, the ransom note Serco received from the cyber criminals suggested that they had been inside Serco’s network for over three weeks before more than 1TB of company data was swiped, making Babuk a potent threat to be taken seriously.

Many WordPress Sites Affected by Vulnerabilities in ‘Popup Builder’ Plugin

Another WordPress plugin has been causing site owners pain, with ‘Popup Builder’ users exposed to multiple vulnerabilities. The plugin has over 200,000 installations to date and helps WordPress users create, customise and manage promotional popups; cyber criminals were able to carry out various malicious actions on affected websites. Fortunately, the plugin’s developer issued a fix in January.

It is now known that the issues were caused by a lack of authorisation on most AJAX methods, which failed to check the user’s credentials; all versions of Popup Builder up to 3.71 are affected. Although these checks have now been added in the recent fix, the flaws could previously be leveraged to allow a cyber criminal to send out newsletters, import or delete subscribers, and perform other actions as well.

Newsletters could be sent to a website owner’s subscriber list with custom email body content, email sender and other details that would allow a malicious user to compromise subscribers’ systems too. As a result, damage could be caused to the reputation and long-term security status of the site, causing owners lasting damage. There will also be GDPR repercussions, as the site owner will be liable for a fine as a result of mishandling data they have been entrusted to keep safe.

The vulnerabilities were reported to the plugin’s developer in early December 2020. After an initial incomplete fix was issued a week later, a comprehensive fix was made available in late January with the release of version 3.72. If you use ‘Popup Builder’, it is worth checking that you are running version 3.72 of the plugin to avoid any further issues.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.