Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cybersecurity and ransomware threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Businesses being targeted by new strain of ransomware

Ransomware that emerged in late 2021 has already claimed three victims, with the first of them hit less than a week after the malware was initially spotted. Dubbed Rook, the ransomware shares similarities with Babuk, and security researchers have discovered that it was built using Babuk code that was leaked online.

Rook was first seen on 26th November, with its first victim identified on 30th November. In addition to encrypting the organisation’s files, the Rook gang stole roughly 1TB of data to use for extortion. The ransomware is typically delivered through a third-party post-exploitation framework such as Cobalt Strike, although researchers say phishing emails carrying Rook have also been observed.

Once executed on the victim’s machine, the malware attempts to terminate all processes that may impede the encryption process. Attackers also attempt to disable security products, as well as to delete volume shadow copies to prevent victims from recovering their data.

During the encryption, the ransomware appends the .ROOK extension to the encrypted files and, once the process has been completed, it deletes itself from the machine. Researchers said: “There are a number of code similarities between Rook and Babuk. Based on the samples available so far, this appears to be an opportunistic result of the various Babuk source-code leaks we have seen over 2021, including leaks of both the compiled builders as well as the actual source.”

Both families use the same API to retrieve service names and status (enumerating all services and stopping those on a hardcoded list), the same functions to enumerate running processes and terminate those on a hardcoded list, the Windows Restart Manager API for process termination, and similar code for drive enumeration; both also perform a series of environmental checks.
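The behaviours listed above (shadow copy deletion, stopping services and killing processes, then mass renaming to .ROOK) are what a defender can hunt for. The following is an added detection example written for this page, not code from the researchers or from Rook itself; the event format, hostnames, file paths and the burst threshold are constructed assumptions standing in for whatever EDR or Sysmon telemetry you actually collect.

```python
import re
from collections import Counter, defaultdict

# Constructed sample endpoint events (not real telemetry): process creations and
# file renames of the kind a Rook-style intrusion produces on a host.
SAMPLE_EVENTS = (
    [
        {"type": "process", "host": "ws01", "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
        {"type": "process", "host": "ws01", "cmd": "wmic shadowcopy delete"},
        {"type": "process", "host": "ws01", "cmd": "net stop MsMpEng"},
        {"type": "process", "host": "ws01", "cmd": "taskkill /F /IM sqlservr.exe"},
        {"type": "process", "host": "ws02", "cmd": r"C:\Windows\System32\notepad.exe report.txt"},
    ]
    + [{"type": "rename", "host": "ws01", "path": rf"C:\Users\alice\Documents\file{i}.docx.ROOK"} for i in range(60)]
    + [{"type": "rename", "host": "ws02", "path": r"C:\Users\bob\notes.txt.ROOK"}]
)

# Command lines that delete volume shadow copies (recovery inhibition).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Command lines that stop services or kill processes that would block encryption.
PROCESS_KILL_PATTERNS = [
    re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I),
    re.compile(r"\bsc(\.exe)?\s+stop\s+\S+", re.I),
    re.compile(r"taskkill(\.exe)?\s+.*/(F|IM)\b", re.I),
]
RANSOM_EXT = ".rook"          # extension Rook appends (compared case-insensitively)
RENAME_BURST_THRESHOLD = 50   # assumed tuning value: renames per host before we call it a burst


def detect(events):
    """Return (kind, host, detail) findings for the three behaviours described above."""
    findings = []
    renames = Counter()
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmd"]
            if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
                findings.append(("shadow_copy_deletion", ev["host"], cmd))
            elif any(p.search(cmd) for p in PROCESS_KILL_PATTERNS):
                findings.append(("process_or_service_kill", ev["host"], cmd))
        elif ev["type"] == "rename" and ev["path"].lower().endswith(RANSOM_EXT):
            renames[ev["host"]] += 1
    for host, n in renames.items():
        if n >= RENAME_BURST_THRESHOLD:
            findings.append(("ransom_extension_burst", host, f"{n} files renamed to {RANSOM_EXT}"))
    return findings


def hosts_with_ransomware_pattern(events):
    """Hosts where defence evasion is seen together with an encryption burst (high-confidence alert)."""
    by_host = defaultdict(set)
    for kind, host, _ in detect(events):
        by_host[host].add(kind)
    return sorted(
        h for h, kinds in by_host.items()
        if "ransom_extension_burst" in kinds
        and kinds & {"shadow_copy_deletion", "process_or_service_kill"}
    )


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("ransomware pattern on:", hosts_with_ransomware_pattern(SAMPLE_EVENTS))
```

One caveat the page itself hints at: Rook terminates processes through the Windows Restart Manager API rather than by spawning taskkill, so that activity never appears as a command line. The command-line rules above catch the shadow copy deletion and any service stops, while the rename burst catches the encryption regardless of how processes were killed; on a real host the single .ROOK rename on ws02 would also be worth a look, since the threshold only governs the automatic alert.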

Rook’s operators engage in double-extortion, which threatens victims with making stolen data public unless a ransom is paid in exchange for a decryption tool. On their website on the Tor network, the gang has already listed three victim companies and data stolen from those that proved uncooperative.

This is not a good sign for businesses as we begin 2022. Researchers believe that this is only another chapter of the continual rise of ransomware, and the increase in new groups: “Given the economics of ransomware – high reward for low risk – and the ready availability of source code from leaks like Babuk, it’s inevitable that the proliferation of new ransomware groups we’re seeing now is only going to continue.”

Neuways advises businesses to stay vigilant and always question unrecognised communications. If an email demands immediate action, or urges you to open a hyperlink or attachment, it may well be the work of a cyber criminal. As previous incidents have shown, businesses without a high level of awareness can easily fall victim to cyber crime.


Microsoft Teams bugs causing issues

Four vulnerabilities in the link preview feature of Microsoft Teams, reported to Microsoft in March 2021 and still largely unpatched, allow attackers to spoof URLs and to mount denial-of-service attacks against Android users.

Researchers discovered the four bugs in the link preview feature in early 2021 and reported them to Microsoft on March 10. So far, only one of them, a bug that leaks the IP addresses of Android users, appears to have been patched by the company.

In a statement, Microsoft said the reported bugs do not pose an immediate threat to users: “We’ve investigated all four reports and have concluded that they do not pose immediate threats requiring a security fix. We’ve received similar reports in the past and have made several recent improvements to the handling of data and security in general. These changes block the reproduction of several of these reports, including the reported IP address leak on Android issue.”

Microsoft Teams is a collaboration tool that lets people in different geographic locations work together online. Its usage rose sharply during the pandemic, making it an increasingly attractive target for threat actors. Researchers stumbled upon the vulnerabilities while looking for a way to bypass the Same-Origin Policy (SOP) in the Electron-based Teams client. SOP is a browser security mechanism that stops content from one origin reading data that belongs to another.

Researchers discovered that one potential way to bypass the SOP in Teams is to abuse the link preview feature by letting the client generate a link preview for the target page, and then using the summary text or performing optical character recognition (OCR) on the preview image to extract information.

Two of the four bugs discovered affected Microsoft Teams being used on any device and allow for server-side request forgery (SSRF) and spoofing, researchers said. The other two—dubbed “IP Address Leak” and “Denial of Service aka Message of Death” by researchers—affect only Android users.

Attackers can use the spoofing bug to beef up phishing attacks or hide malicious links in content sent to users. This can be done by setting the preview link target “to any location independent of the main link, preview image and description, the displayed hostname or onhover text,” according to researchers.

To abuse the Android DoS bug, a threat actor sends a Teams message containing a link preview whose preview link target is invalid. The Android app then crashes every time the recipient tries to open the chat or channel containing that message, effectively locking them out of it.

Finally, the IP address leak bug, the only one Microsoft appears to have remedied, could be abused by intercepting an outgoing message that includes a link preview and pointing its thumbnail URL at a non-Microsoft domain. Normally the Teams backend fetches the preview thumbnail itself and serves it from a Microsoft domain, so the recipient never contacts the original site; the Android client, however, fetched the thumbnail from the referenced URL directly, exposing the recipient’s IP address to whoever controls that server.
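All three unpatched issues come down to one thing: the client trusts fields in the link preview that the sender controls. The following validator is an added example written for this page, not Microsoft's code or the researchers' proof of concept. The field names of the preview object and the trusted thumbnail host are this example's own assumptions; it checks that the click target agrees with the hostname the user is shown and with the link in the message, that the target is actually a usable URL, and that the thumbnail would only ever be fetched from the proxying domain.

```python
from urllib.parse import urlparse

# Assumed: the host from which the Teams backend serves proxied thumbnails.
# The real domain list is not given on the page; adjust for your deployment.
TRUSTED_THUMBNAIL_HOSTS = ("teams.microsoft.com",)

# Constructed preview objects. The field names are this example's own assumed shape
# for a link preview (real Teams message payloads are not shown on the page).
SAMPLE_PREVIEWS = {
    "legitimate": {
        "message_url": "https://example.com/report",
        "preview_target": "https://example.com/report",
        "displayed_hostname": "example.com",
        "thumbnail_url": "https://preview.teams.microsoft.com/thumb/abc",
    },
    "spoofed": {  # shown as example.com, but a click lands on the attacker's site
        "message_url": "https://example.com/invoice",
        "preview_target": "https://attacker.example.net/login",
        "displayed_hostname": "example.com",
        "thumbnail_url": "https://preview.teams.microsoft.com/thumb/abc",
    },
    "crasher": {  # invalid target: the Android "message of death" case
        "message_url": "https://example.com/hello",
        "preview_target": "not-a-url",
        "displayed_hostname": "example.com",
        "thumbnail_url": "https://preview.teams.microsoft.com/thumb/abc",
    },
    "ip_leak": {  # thumbnail points away from the Microsoft proxy
        "message_url": "https://example.com/news",
        "preview_target": "https://example.com/news",
        "displayed_hostname": "example.com",
        "thumbnail_url": "https://attacker.example.net/pixel.png",
    },
}


def _host(url):
    """Lower-case hostname of an http(s) URL, or None if the URL is unusable."""
    if not isinstance(url, str):
        return None
    try:
        parsed = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_THUMBNAIL_HOSTS)


def check_link_preview(preview):
    """Return the list of problems found; an empty list means the preview is safe to render."""
    problems = []
    shown = str(preview.get("displayed_hostname", "")).lower()
    link_host = _host(preview.get("message_url"))
    target_host = _host(preview.get("preview_target"))
    thumb_host = _host(preview.get("thumbnail_url"))

    if target_host is None:
        problems.append("invalid_target")        # never hand this to the renderer
    elif target_host != shown or (link_host is not None and target_host != link_host):
        problems.append("spoofed_target")        # click goes somewhere other than what is shown
    if thumb_host is not None and not _trusted(thumb_host):
        problems.append("external_thumbnail")    # a direct fetch would reveal the client's IP
    return problems


def render_decision(preview):
    """Defensive client behaviour: render only clean previews, otherwise show the bare link text."""
    return "render" if not check_link_preview(preview) else "plain_link"


if __name__ == "__main__":
    for name, preview in SAMPLE_PREVIEWS.items():
        print(f"{name:11s} {check_link_preview(preview)} -> {render_decision(preview)}")
```

The design point is that a failed check degrades to the plain link rather than dropping the message, so a malformed preview cannot be used to make a chat unopenable, and a spoofed preview is shown for what it is instead of for what the sender claims.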

Neuways advises users to ensure their Microsoft Teams client is up-to-date. Updates and patches are issued regularly and, in order to remain as safe as possible, it is advisable to install them as soon as possible. Since Microsoft has said it does not consider three of the four issues to warrant a security fix, users should also treat the hostname shown in a link preview with the same suspicion as any other link in a message and check where it actually leads before clicking.

Credential stuffing attacks on the rise leading to ransomware opportunities


Users of the LastPass password manager are being targeted in so-called “credential stuffing” attacks, which use email addresses and passwords obtained from third-party breaches.

LastPass responded to its users after many of them received the blocked-login warning emails that are normally sent when someone logs in from an unfamiliar device or location.

The email notifications initially raised fears of a data compromise. However, in a note, LastPass downplayed the severity of the issue and said the warnings were linked to known credential-stuffing attacks.

Here’s LastPass’s statement: “Our initial findings led us to believe that these alerts were triggered in response to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.

“We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorised third-party as a result of these credential stuffing attempts, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”

While the company later admitted that some of the security alerts were sent in error, it disclosed no further information on how many users were legitimately targeted. Users were advised to use unique passwords and to enable multi-factor authentication on all accounts, which together defeat credential stuffing: a password reused from another breach no longer works, and a correct password alone is no longer enough to log in.
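What separates credential stuffing from ordinary failed logins is the shape of the traffic: one source trying one password each against many different accounts, rather than many passwords against one account. The following is an added example written for this page, not LastPass's detection logic; the log records, IP addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-attempt records (not LastPass data):
# (ISO timestamp, source IP, account, login succeeded)
SAMPLE_LOG = (
    [(f"2021-12-28T10:00:{i:02d}", "203.0.113.7", f"user{i:02d}@example.com", False) for i in range(40)]
    + [("2021-12-28T10:00:45", "203.0.113.7", "user41@example.com", True)]
    + [
        # one user mistyping their own password: not stuffing, must not be flagged
        ("2021-12-28T10:01:10", "198.51.100.3", "alice@example.com", False),
        ("2021-12-28T10:01:20", "198.51.100.3", "alice@example.com", False),
        ("2021-12-28T10:01:30", "198.51.100.3", "alice@example.com", True),
    ]
)


def find_stuffing_sources(records, window_minutes=10, min_accounts=20):
    """Source IPs that tried at least min_accounts distinct accounts within any window_minutes span.

    A single account hammered from one IP (classic password guessing) is deliberately not
    flagged here; stuffing is one-password-per-account across many accounts. The window and
    threshold are assumed tuning values, not figures from the page.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(records):
        by_ip[ip].append((datetime.fromisoformat(ts), account, ok))

    window = timedelta(minutes=window_minutes)
    hits = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until attempts[start..end] fit inside it
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {a for _, a, _ in span}
            if len(accounts) >= min_accounts:
                hits[ip] = {
                    "accounts": len(accounts),
                    "failures": sum(1 for _, _, ok in span if not ok),
                    "successful_accounts": sorted(a for _, a, ok in span if ok),
                }
    return hits


def compromised_accounts(hits):
    """Accounts a stuffing source actually got into: these need a forced reset and MFA, not just a warning email."""
    return sorted({a for h in hits.values() for a in h["successful_accounts"]})


if __name__ == "__main__":
    found = find_stuffing_sources(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info)
    print("force reset:", compromised_accounts(found))
```

The per-account warning email in the story is the user's view of one attempt; aggregating by source address is what tells a defender whether those warnings are a broad stuffing run or just a few people on new devices, and the successful-account list is the set that a stolen password actually unlocked.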

WordPress plugin bug threatens millions of websites

A popular WordPress SEO-optimisation plugin, All in One SEO, has a pair of security vulnerabilities that could leave website owners open to complete site takeover. The plugin is currently installed on more than 3 million websites.

An attacker with an account on the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem.

Researchers said: “WordPress websites by default allow any user on the web to create an account. New accounts are ranked as subscribers and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”

The vulnerabilities are ripe for easy exploitation, so users should upgrade to the patched version, v., as soon as possible. The more severe issue out of the two bugs is the privilege-escalation problem, which affects versions 4.0.0 and of All in One SEO. This is due to its extreme ease of exploitation and the fact that it can be used to establish a backdoor on the web server.

The vulnerability “can be exploited by simply changing a single character of a request to upper-case,” researchers explained. The plugin exposes a number of API endpoints and performs a permission check before handling a request, to make sure no one does anything they are not allowed to do. However, that check compares the requested route name case-sensitively against its list of privileged routes, while the request is still routed to the same handler whatever the case. An attacker therefore only needs to alter the case of one character for the request to skip the authorisation check and be handled anyway.
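The mismatch is easy to reproduce in miniature. The toy router below is an added example written for this page, not All in One SEO's PHP code: the route names, role capabilities and fail-open default are assumed for illustration. It shows the vulnerable check, which looks up the required capability using the path exactly as the client sent it, beside a fixed check that resolves the canonical route first and fails closed.

```python
# Required capability per route (assumed route names, modelled on a privileged
# admin tool and an ordinary post endpoint).
ROUTE_PERMISSIONS = {
    "/tools/htaccess": "manage_options",   # administrators only
    "/post/1": "edit_posts",
}

# Capabilities per role (assumed subset of WordPress defaults).
ROLE_CAPS = {
    "administrator": {"manage_options", "edit_posts", "read"},
    "subscriber": {"read"},
}


def resolve_route(path):
    """The router matches case-insensitively: '/Tools/htaccess' still reaches the htaccess handler."""
    wanted = path.lower()
    for route in ROUTE_PERMISSIONS:
        if route.lower() == wanted:
            return route
    return None


def permission_check_vulnerable(role, path):
    """Bug: looks up the required capability with the path exactly as the client sent it."""
    required = ROUTE_PERMISSIONS.get(path)
    if required is None:
        return True   # not in the privileged list, so assumed harmless (fail-open)
    return required in ROLE_CAPS[role]


def permission_check_fixed(role, path):
    """Fix: normalise to the canonical route before checking, and fail closed on anything unknown."""
    route = resolve_route(path)
    if route is None:
        return False
    return ROUTE_PERMISSIONS[route] in ROLE_CAPS[role]


def dispatch(role, path, check):
    """Route a request, run the given permission check, and report what happened."""
    route = resolve_route(path)
    if route is None:
        return "404"
    if not check(role, path):
        return "403"
    return f"executed {route}"


if __name__ == "__main__":
    for path in ("/tools/htaccess", "/Tools/htaccess"):
        print(f"subscriber {path}: vulnerable={dispatch('subscriber', path, permission_check_vulnerable)}"
              f"  fixed={dispatch('subscriber', path, permission_check_fixed)}")
```

The general lesson is that an authorisation check must operate on the same canonical value the dispatcher uses; any normalisation (case, trailing slashes, percent-encoding) that happens after the check is a bypass waiting to be found.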

The second bug affects versions and of All in One SEO. If attackers exploited the previous vulnerability to elevate their privileges to admin level, they would gain the ability to access the endpoint, and from there be able to send malicious SQL commands to the back-end database to retrieve user credentials, admin information and other sensitive data.

Researchers advise users of All in One SEO to update to the patched version to be safe, while other defensive steps include:

  1. Reviewing the administrator users in the system and removing any suspect ones.
  2. Changing all administrator account passwords.
  3. Adding additional hardening to the administrator panel.

WordPress plugins continue to be an attractive path to site compromise for cyber attackers. For instance, earlier in December, an active attack affected more than 1.6 million WordPress sites, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes.

Researchers added: “WordPress plugins continue to be a major risk to any web application, making them a regular target for attackers. Shadow code introduced via third-party plugins and frameworks vastly expands the attack surface for websites.”

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.