Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks

A phishing campaign is disguising itself with a Microsoft Office SharePoint theme and successfully bypassing secure email gateways.

This specific campaign is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature. The campaign cropped up in a spot that is supposed to be protected by Microsoft’s own email filtering. This is just the latest bypass of secure email systems. In December 2020, spear-phishers spoofed Microsoft.com itself to target 200 million Office 365 users, successfully slipping past email controls due to Microsoft’s reported failure to enforce Domain-based Message Authentication, Reporting & Conformance (DMARC).

Phishing emails can usually be spotted by the poor spelling and grammar typical of these campaigns. Urgent wording, such as a SharePoint message that says ‘respond urgently’, should not be taken as a sign of legitimacy.

If recipients click on the hyperlink, they are sent to a landing page that displays Microsoft’s SharePoint logo and the ‘pending file’ notification in front of a blurry background, with a request for the intended victim to log in to view the document. This gives threat actors the ability to harvest users’ credentials, giving cyber criminals a way into their victims’ business. If credentials are handed over, the campaign redirects the user to a spoofed, unrelated document, ‘which might be enough to trick the user into thinking this is a legitimate transaction’.

This is yet another attack against SharePoint servers, which have now joined the long list of network devices – including Microsoft Exchange email servers, SonicWall gateways and Pulse Secure gateways – that are being used by ransomware gangs to enter business networks. If your business works with SharePoint, be aware of any email notifications you receive that encourage immediate action. These should not be emailed to you, and if you open them up, you could be signing away access to your business to cyber criminals.

DoppelPaymer Gang Leaks Files


The ransomware gang, DoppelPaymer, has leaked a substantial collection of files on a server controlled by cyber criminals. The move came after ransom negotiations between the gang and a variety of businesses broke down following a ransomware attack in April 2021.

Included among the files leaked are public information from American court cases, as well as confidential private documents that aren’t a part of the public record. The files contain personally identifiable information about prisoners, their grievances and cases.

On April 21, DoppelPaymer took responsibility for the attack and released more files stolen from the internal network as a teaser, before yet another, larger, data dump after negotiations about paying the ransom were brought to a halt. The US government is not DoppelPaymer’s first victim: the ransomware, based on BitPaymer, emerged in 2019 as a significant cyber criminal threat. Since then, the manufacturing and motoring industries have been bombarded by attacks operated by the group.

The ransomware was initially used to lock and encrypt files on victims’ networks, preventing victims from using their own data. It later developed the ability to leak stolen data as a bargaining chip in ransom negotiations.

Businesses are reminded to be wary of any communications they receive that demand immediate and abrupt action. Phishing email campaigns are the quickest way for cyber criminals to infiltrate a business and begin causing havoc. They usually see cyber criminals masquerading as another organisation or person entirely, in order to dupe the recipient into trusting them. Always scrutinise any emails or phone calls you receive, and do not immediately trust the communication. Send it to your Managed Service Provider’s support desk, and you will get an answer as to whether the communication is legitimate.

REvil ransomware – what you need to know

REvil isn’t a brand-new ransomware, but it is one that businesses should be aware of. An ambitious ransomware-as-a-service (RaaS), REvil first came to prominence in April 2019, following the demise of another ransomware gang, GandCrab.

The RaaS is known for attempting to extort far larger payments from its corporate victims than those typically seen in other attacks. It is promoted among cyber criminals as the best choice for attacking business networks, where there is more money to be made.

It is capable of stealing data from the computers and networks of its victims before encrypting it – a tactic that applies extra pressure on victims and is becoming more and more commonplace.

As with many ransomware attacks, if the ransoms issued to victims are not paid, REvil threatens to release the stolen data by auctioning it off on its leak website.

The “Happy Blog” lists recent victims of REvil and attaches a sample of the stolen data as proof that information has been exfiltrated from the organisation. The REvil gang even offers a “trial” decryption to prove to the victim that their files can be decrypted.

A countdown timer indicates when data leaks will be made public, applying more pressure to companies debating how they should respond.

“Hello – some of your files containing confidential information have been downloaded and are located on our servers. If you refuse to negotiate with us, all documents will be published on the blog and published by the media. If an agreement is reached, the data will be permanently deleted. We advise you to quickly contact us through the support chat.”

This puts businesses in a tough place: a secure backup of their data may allow a system restore, but the cyber criminals still retain a copy of the company’s data, which can cause irreversible damage to a business’s brand and to its relationships with customers and suppliers.

The real danger behind ransomware such as REvil is that the creators of these threats are selling them on the Dark Web. While the threats themselves are dangerous and complex in the way they are built, the cyber criminal gangs operating them (the buyers) are not as sophisticated. This leads to more ransomware attacks being distributed via phishing campaigns, and to more businesses being targeted.

There are a variety of methods an attacker could use to plant the REvil malware. These include exploiting a vulnerability to gain access to a computer on your company’s network, spear-phishing, or compromising a third-party business partner. The attack may even come from a client or partner who has already fallen victim to the hackers.

Businesses still need to be making secure backups, following the rule of three: regular, consistent backups to the Cloud, on-site and on-device. Up-to-date security solutions should be running, and your devices should be protected with the latest patches against newly discovered vulnerabilities. Sensitive data should be protected with hard-to-crack, unique passwords, multi-factor authentication and encryption, and staff should be educated about the methods cyber criminals use to infiltrate organisations.

Apple AirDrop Weakness Could Expose Users’ Phone Numbers and Email Addresses

Apple AirDrop users should be aware of the security weaknesses in the service. While the ability to share files wirelessly between iPhones and MacBooks through AirDrop is extremely useful, researchers have discovered that cyber criminals could obtain a victim’s phone number and even email address. This is not great news for businesses, as any work iPhones and MacBooks could well be affected.

The weakness has been around for almost two years and Apple has yet to issue a fix for the problem – despite 1.5 billion devices worldwide being potentially vulnerable.

The researchers’ paper found “two severe privacy vulnerabilities in the underlying authentication protocol” used by AirDrop. The problem lies in how AirDrop determines whether a nearby device belongs to a contact of the user. To discover if two devices belong to mutual contacts, AirDrop transmits a SHA-256 hash of the sending user’s email address or phone number. Other devices in the vicinity examine the hash and compare it to entries in their own address books; if a mutual match is made, the receiver sends back its own hash.

A cyber criminal can brute-force the hash to determine users’ phone numbers – a method which takes seconds due to the small number of possible phone numbers. Email addresses are more complicated to reverse, but the researchers believe attackers could have some success using dictionary attacks based on common email formats (such as firstname.lastname@gmail.com, yahoo.com, and so forth). In addition, hashed email addresses could be looked up in data from past breaches.
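As an added illustration (not from the researchers’ paper or from Apple), the Python below shows why an unsalted SHA-256 of a contact identifier offers no privacy: the identifier space is small enough to enumerate, so anyone who sees the hash can recover the value. The phone number, email address, number prefix and name lists are constructed examples.

```python
import hashlib
from itertools import product

# Constructed toy inputs: a hypothetical mobile number in a reserved-looking
# range and an e-mail address built from a common firstname.lastname pattern.
SENDER_PHONE = "+447700900123"           # constructed, not a real subscriber
SENDER_EMAIL = "jane.smith@example.com"  # constructed example


def contact_hash(identifier):
    """Unsalted SHA-256 over the identifier, the scheme described above."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_by_enumeration(target_hash, candidates):
    """Return the first candidate whose hash equals target_hash, else None.

    No key or secret is involved, so anyone who observes the hash and can
    list the identifier space can do this. A random per-device salt would
    defeat enumeration but also break matching, because the other device
    could not compute the same hash; that trade-off is the design problem.
    """
    for candidate in candidates:
        if contact_hash(candidate) == target_hash:
            return candidate
    return None


def phone_candidates(prefix, digits):
    """Every number with the given prefix and `digits` trailing digits.

    A national numbering plan is only ~10^9-10^10 values, exhaustible in
    seconds on ordinary hardware; a long prefix keeps this demo fast.
    """
    for tail in product("0123456789", repeat=digits):
        yield prefix + "".join(tail)


def email_candidates(first_names, last_names, domains):
    """Dictionary of common address formats such as first.last@domain."""
    for first, last, domain in product(first_names, last_names, domains):
        yield f"{first}.{last}@{domain}"
        yield f"{first}{last}@{domain}"
        yield f"{first[0]}{last}@{domain}"


def demo():
    """Recover both constructed identifiers from their bare hashes."""
    phone = recover_by_enumeration(contact_hash(SENDER_PHONE),
                                   phone_candidates("+4477009", 5))
    email = recover_by_enumeration(contact_hash(SENDER_EMAIL),
                                   email_candidates(["john", "jane"],
                                                    ["smith", "jones"],
                                                    ["example.com", "example.org"]))
    return phone, email
```

The lesson for defenders is the one the researchers make: hashing a low-entropy identifier is not anonymisation, and “we only transmit the hash” should not be accepted as a privacy control.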

Researchers disclosed the flaw to Apple privately in May 2019, hoping that it would be fixed – but the tech giant responded in July 2020, saying that it did “not have any updates on new features or any changes to mitigate the underlying issue.”

It’s worth remembering that for an attack to be successful, a malicious party would need to be in close physical proximity to their victims. While many of us are travelling less because of the COVID-19 pandemic, it is certainly something to be aware of as lockdowns ease and business travel resumes. Apple users should consider when and where they use AirDrop: used privately at home it is much safer than, for instance, in a busy travel hub such as a train station or airport.


Deepfake Attacks Are About to Surge, Experts Warn

Neuways is seeing new deepfake products and services being made available across the Dark Web. Cyber criminals are increasingly sharing, developing and deploying deepfake technologies to bypass biometric security protections, and aid them in crimes such as blackmail, identity theft and social engineering attacks.

This increase in deepfake technology offerings on the Dark Web is the first sign of a new wave of fraudulent activity – and deepfakes can cause all sorts of problems for businesses.

Within the next few years, criminal threat actors involved in disinformation and influencing operations will likely gravitate towards deepfakes, attempting to deliberately mislead the public.

It seems, at the moment, that cyber criminals are being taught how to use deepfake technology through how-to guides and best practice tips, which appears to demonstrate a widespread effort across cybercrime to sharpen up the tools to become more effective.

The most common deepfake-related topics on dark web forums included services (editing videos and pictures), how-to methods and lessons, requests for best practices, sharing free software downloads and photo generators, general interests in deepfakes, and announcements on advancements in deepfake technologies, according to researchers.

Researchers call ‘synthetic identity fraud’ the fastest growing type of financial cyber crime on the internet. The increase in synthetic identity fraud is likely due to multiple factors, including data breaches, dark web data access and the competitive lending landscape. Fraud methods continue to develop, and deepfake technology will allow cyber criminals to use fake faces for biometric verification – using AI to combine facial characteristics from different people to form a new identity, creating a challenge for businesses that rely on facial recognition technology as a significant part of their fraud prevention strategy.

Recent examples of successful deepfake crimes include one from September 2019, in which cyber criminals created fake audio of a CEO. They then called the company in question and asked it to transfer $243,000 to their bank account. This shows the exposure businesses face simply from picking up the phone to a potential fraudster. Businesses need to treat this as a very real threat: while the cyber criminals involved are still learning the technology, it is clearly hitting businesses right now. In the meantime, businesses are advised to verify a request like the one above through more than a single phone call. By implementing additional levels of authentication, a business can save itself a lot of money and hassle.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.