Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cybersecurity and phishing threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

New COVID-19 variant fuelling cyber scams

The recently discovered Omicron COVID-19 variant is causing problems in more ways than one, as cyber criminal gangs use scams inspired by the variant to steal user data. The consumer watchdog “Which?” has spotted a new phishing scam, doctored to look like an official communication from the NHS, that targets people with fraudulent offers of free PCR tests for the COVID-19 Omicron variant.

The CDC and the WHO list Omicron as a “variant of concern” of the COVID-19 virus, and warned this week that it is spreading rapidly around the world. Yet again, global pandemic distress has presented an opportunity for scammers. This particular set of scams is being issued by text, email and even over the phone, with threat actors contacting people across the UK offering them what they claim are new test kits specifically designed to detect the Omicron variant.

One of these emails read: “NHS scientists have warned that the new Covid variant Omicron spreads rapidly, can be transmitted between fully vaccinated people, and makes jabs less effective. However, as the new covid variant (Omicron) has quickly become apparent, we have had to make new test kits as the new variant appears dormant in the original tests.” Alongside giving false information, the email is littered with grammatical errors. Should a victim click on the link at the bottom of the correspondence, they would be taken to a fake NHS page that asks for full name, date of birth, address, phone numbers and email address.

In addition to harvesting personally identifiable information (PII), the site also asks for £1.24 as a delivery fee and mother’s maiden name, giving the scammers access to the target’s banking information as well. This, and other pandemic-related phishing campaigns, rely on the victim’s anxiety to cause them to overlook obvious signs of fraud. Researchers said: “Phishing attacks and other scams often exploit emotions to get people to react quickly, without thinking things through logically. This new COVID-19 variant has significant emotional weight for people who are tired of lockdowns and the continuing impact of the pandemic, making it a powerful tool to get people to click.”

The watchdog has submitted its findings to the National Cyber Security Centre (NCSC), but warned that other similar Omicron bait is likely to surface over the next several weeks – especially with the festive period in full swing. Last year, when COVID-19 vaccines began rolling out, analysis between October 2020 and last January found that the average number of vaccine-themed spear phishing attacks grew by 26%. Besides vaccine lures, the pandemic has inspired spear-phishing campaigns offering fake job opportunities for those left unemployed by widespread lockdowns. Even those who held onto their jobs were targeted upon their return to work, with scam emails purporting to offer new office COVID-19 protocols – instead they had their login credentials stolen.

Neuways advises users to be cautious about any unsolicited COVID-19 communications. Anyone who receives one of these scam Omicron PCR test emails is advised to forward it to the NCSC through its reporting service, as the NCSC works to take down as many phishing threats as possible.

FluBot malware on the rise


An increase in the spread of the notorious FluBot malware via malicious SMS messages has been noted around the world. The malware has been spamming mobile users, directing iPhone owners to phishing sites and Android users to download malware.

In some instances, the messages pose as a notification that the user has received a voicemail message, or as a communication from their mobile network provider. Fortunately, clicking on the link contained within the message does not automatically download the malware on Android devices; the recipient must first confirm that they wish to install an application.

According to researchers, approximately 70,000 SMS messages were sent by hackers in just 24 hours, with victims finding their Android devices infected with the FluBot malware. In the past cyber criminals have distributed FluBot via bogus messages that claim to help intended victims track parcel deliveries or listen to a voicemail message, or via web pages that claim a user’s Android device has been infected with malware, and that they should urgently install a security update – which, of course, actually infects devices.

Once installed on the victim’s phone, FluBot is capable of stealing banking credentials, payment details, text messages, and contact information from the device. Users whose devices are already infected with FluBot are advised to perform a factory reset and restore from a backup that was created before the infection took place.

SMS messages aren’t the only method of transferring FluBot, though. Last week, another group of researchers reported that criminals have compromised legitimate websites running vulnerable WordPress plugins and themes to upload their malicious content.

The advice for users affected by FluBot is as follows:

  • If you used a banking application or handled credit card information on the infected device, contact your bank.
  • Report any financial losses to the police.
  • Reset your passwords on any services you have used with the device. The malware may have stolen your password if you have logged in after the installation of malware.
  • Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spreads by sending text messages from infected devices.

“Double Extortion” Ransomware damage grows by 935%

New statistics highlight that poor corporate security and a flourishing ransomware-as-a-service (RaaS) affiliate market are to blame for the continual rise in ransomware hits. Access to compromised networks is cheap and readily attainable thanks to a rise in the number of initial-access brokers, and RaaS tools can turn a rookie into a full-blown cyber criminal in a short period of time.

Researchers have found startling numbers behind what the report calls an “unholy alliance” between ransomware operators and corporate-access brokers — which analysts said has fuelled a 935% spike in the number of organisations which had their stolen data exposed on a data leak site (DLS). Ransomware groups have increasingly used the tactic called double extortion, where they not only steal a company’s data, but threaten to publish it to ratchet up the pressure to pay a ransom. The report proves these groups are following through on the threats.

Over the past year, researchers found that the number of active initial-access brokers jumped from 85 to 229, and the sheer number of offers to sell access tripled, from 362 to 1,099. The researchers’ report said: “Poor corporate cyber-risk management combined with the fact that tools for conducting attacks against corporate networks are widely available both contributed to a record-breaking rise in the number of initial access brokers.”

RaaS affiliates also grew this year. The report found 21 new RaaS affiliate programs over the past year and the number of new leak sites more than doubled to 28. Over the first three quarters of 2021, 47% more stolen company data was leaked on ransomware operators’ leak sites than during all of 2020, according to the report. However, the report reminds readers that paying the ransom is no guarantee the data won’t be leaked anyway.

Also, the real number of victims is probably larger than detected, the firm found: “Taking into account that cyber criminals release data relating to only about 10% of their victims, the actual number of ransomware attack victims is likely to be dozens more.”

The Conti ransomware gang is the worst offender, leaking data on around 361 targets and accounting for about 16.5% of all the exfiltrated data published on DLSs in 2021. To top it off, besides ransomware, the affiliate market for phishing scams is also on the march, with over 70 new programmes popping up over the last year, and scammers stealing over £7.5 million in that period alone.

The news highlights the need for businesses to stay aware of the large threat cyber criminals pose to their future. Phishing Awareness Training can help inform your employees about what to expect and look out for when it comes to receiving spam communications. Participants receive real-life examples of phishing activity in their inboxes, with management notified if they click through and engage with the scams. This helps highlight which employees need a bit more education around how to deal with cyber threats, which in the end can lead to a safer, more secure business.

HP Printer vulnerabilities exposed by criminals

More than 150 HP multi-function printer models have been found to contain vulnerabilities that put any device connected to the same network at risk. Researchers found the exploitable vulnerabilities in the HP multi-function printers in the spring of 2021, and promptly informed HP.

As a result, HP has updated the printers’ firmware and released advisories on November 1. The researchers discovered two separate attack vectors: one requiring physical access, and another that could be triggered remotely from a malicious website. The physical attack required no more than five minutes’ access to the printer for cyber criminals to find their way into the system. Researchers found two exposed ports on the communications board, which could be accessed by removing a single screw. Printers are often unmonitored and sometimes in their own room, which means that attackers disguised as maintenance engineers could visit the printer, compromise it, and leave the building within just a few minutes.

Researchers added: “If you compromise just one of the printers, you can pivot and move laterally to more interesting parts of the network.” The remote attack consists of enticing a user to a malicious website. While the user is connected, the attacker is able to send a remote printing instruction to the user’s company. That instruction could be to print a malicious document, introducing malware into the printer. The scenario is ideal for direct social engineering to get a user to visit the malicious site.

Again, once the printer is compromised, the attacker can move laterally into other parts of the network. Or, researchers said: “They could just sit quietly within the printer and read all the documents, letters and reports that are sent to it for printing. If the USB port is enabled (to allow users to print from a memory stick), they can see everything else on the stick – and, if they wanted to, infect the stick itself for further potential lateral movement.”

The good news for businesses was that exploiting the vulnerabilities was not easy and would require a hacker with expertise. Researchers have seen nothing to suggest that these vulnerabilities were exploited before they were fixed, but noted that they, in common with most security researchers, have little printer telemetry to examine. To mitigate physical attacks, researchers recommend that printers be monitored by CCTV. This would not prevent an attack, but it may deter an aggressor and would help any investigation into an attack. Another suggestion is to place anti-tamper stickers on the printer’s communication board: a damaged sticker would immediately indicate an attempted attack.

Neuways advises users of HP printers to update the firmware of their devices as soon as possible to avoid any issues.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.