Phishers Using Azure Blog Storage to Host Phishing Forms with Legal Microsoft SSL License

Cybercriminals are utilizing Microsoft Azure Blog storage to host phishing forms. The site hosting the malevolent files has an authentic Microsoft SSL license which adds genuineness to the campaign. Similar methods have been used in the past for Dropbox phishing cheats and attacks that mimic other cloud storage platforms.

A usual phishing situation involves an electronic mail being transmitted with a button or hyperlink that the user is requested to tick to access a cloud-hosted file. When the link is clicked they are led to a website where they are needed to enter login identifications – Such as Office 365 identifications – to retrieve the file.

At this stage, the scam often falls down. Oftentimes the webpage that is visited seems strange, doesn’t begin with HTTPS, or the site has an illegal SSL certificate. Although visiting such a domain a large red flag will be raised. Nevertheless, if the user visits a usual looking domain and the SSL credential is legal and has been allotted to a trustworthy brand, the possibility of the user continuing and entering login identifications is far higher.

That is precisely the case with Azure blog storage. Although the domain might seem unknown, it’s a legal Windows domain finishing with .blob.core.windows.net and is safe with an SSL credential. An additional check will disclose that the certificate is legal and has been issued by Microsoft IT TLS CA 5. A genuine-looking Office 365 login form will emerge and identifications will need to be entered to get access to the document – electronic mail and password. This is likely to appear entirely reasonable since the user is retrieving a Microsoft document hosted on a Microsoft site.

Nevertheless, entering in identifications into the login box will see that information transmitted to a server managed by the attackers. The user will be informed that the document is being opened, even though they will be guided to a different Microsoft site. Although this is a red flag, by this time it is too late as the user’s identifications have already been thieved.

In this instance, it was Office 365 identifications that the attackers were trying to get, although the scam might similarly be conducted to get Azure identifications or other Microsoft logins.

Avoiding email-based phishing attacks is easiest with anti-phishing controls to safeguard the electronic mail gateway and avoid messages from reaching inboxes. An advanced spam filtering solution will make sure that the bulk of electronic mails are obstructed. Office 365 users must strongly consider extending Microsoft Office 365 with a third-party spam filter for better safety.

No anti-phishing solution will avoid all phishing electronic mails from reaching inboxes, so it is crucial for workers to be taught safety best practices and to get specific anti-phishing training. Besides providing training on the most common phishing cheats, it is important for end users to be educated on phishing cheats that misuse cloud facilities and object store URLs to make sure cheats like this can be identified as such.

Cofense Study Reveals Extensive Misuse of Zoho Email by Keyloggers

Latest research from Cofense has shown there has been a substantial increase in keylogger activity in 2018 which backs up research carried out by Microsoft that indicated the revival of a keylogger known as Hawkeye.

Keyloggers are information-stealing malware that record keystrokes on a computer and other input from human interface devices (HUDs) such as microphones and webcams. A lot of modern keyloggers are also capable to copy information from the clipboard and take screenshots. Their purpose is to get login identifications, passwords, and other confidential information.

That information is recorded but should then be transmitted back to the attackers without being noticed. There are different methods that can be used to get the thieved data. The information can be conveyed to an IP, Domain, or URL, but one of the most usual ways keyloggers exfiltrate data is through electronic mail.

The people that use keyloggers register free electronic mail accounts to receive the thieved information, and Cofense has found that the biggest single electronic mail provider used to get keylogger data is Zoho, the Indian supplier of online office suite software. After reviewing the terminus of information thieved by keyloggers, Cofense found that 39% of electronic mails went to Zoho accounts, compared to 7% that were sent to Yandex accounts, the second most usually misused electronic mail platform.

The purpose why keyloggers are using Zoho is not abundantly obvious, even though Cofense scientists propose it is the lack of safety controls that make the electronic mail facility popular. For example, 2-factor verification is available for Zoho electronic mail accounts, but it is not compulsory. Electronic mail accounts can be opened free of charge and there are comparatively few controls over who can open an account. Cofense notes that the account registration procedure would be easy to automate with an easy script and that there is no requirement to use a mobile phone for confirmation.

The statement is more bad news for Zoho, which was lately provisionally taken offline by its registrar after reports that one of its facilities was being exploited and used for phishing producing an outage for its 30 million+ users.

Zoho has now replied to the report and has announced that it is taking measures to avoid misuse of its electronic mail facility and will soon need all new accounts to include a mobile phone number for confirmation, including its free accounts. Zoho will also boost its efforts to check outgoing SMTP and will be looking for doubtful login patterns and will stop users who seem to be misusing its facility.

“We are also narrowing our rules for all users. We have lately reviewed and improved our policy around SPF (sender policy framework) and applied DKIM (domain key identified mail) for our domain. This will bring about a solid DMARC policy that we will also publish,” said Sridhar Vembu, creator and CEO of Zoho.

Vembu also clarified that it’s not the only cloud facility supplier that is aimed in this way, “ Unluckily, phishing has become one of the bad side-effects of Zoho’s fast progress, particularly the progress of our mail facility. Since Zoho Mail offers the most generous free accounts, this gets worsened as more malevolent actors take benefit of this huge customer value. However, we are clamping down on this severely.”

Adobe Repairs Actively Abused 0-Day Weakness in Flash Player

On Wednesday, December 5, 2018, Adobe released an update to rectify a weakness in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has previously attacked a healthcare service in Russia that is used by senior civil servants.

The weakness was recognized by researchers at Gigamon who passed on details of the weakness to Adobe in late November. Qihoo 360 scientists lately recognized an advanced constant threat campaign that was actively abusing the weakness.

The weakness is being abused using a particularly created Word document which is being dispersed using a spear phishing campaign. The campaign is extremely targeted; however, it is possible that other threat groups might try to abuse the same weakness in bigger, less-targeted campaigns.

The spear-phishing campaign used social engineering methods to deceive the receiver into opening a malicious Word document that impersonated as a worker survey. The document was transmitted as a .rar attachment to the electronic mail, with the compressed file having the document, the exploit, and the payload. The Word document had a malevolent Flash Active X control in the header.

Upon opening the document, the user is presented with a Microsoft Office alerting that the document might be damaging to the computer. If the content is enabled, the malevolent code will be performed, the weakness will be abused, and the attacker will gain command line access to the user’s system.

The payload, named backup.exe masquerades as an NVIDIA Control Panel application with a matching icon and (stolen) certificate. If the payload is performed, system information will be gathered which will be sent back to the attacker’s distant server through HTTP POST. Shellcode will also be downloaded and run on the infected appliance.

The weakness, followed as CVE-2018-15982, is present in type 31.0.0.153 and all earlier types of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Types 31.0.0.108 and earlier of Adobe Flash Player Installer also have the weakness.

Users are suggested to update to type 32.0.0.101 (Type 31.0.0.122 of Adobe Flash Player Installer) as soon as possible. The update also repairs the Insecure Library Loading (DLL hijacking) privilege escalation weakness CVE-2018-15983.

Persistent New LoJax Rootkit Survives Hard Disk Substitution

Oct 7, 2018

Security researchers at ESET have identified a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are difficult to detect and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is detected, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to be theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the installation of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to install the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit installed. The rootkit was installed on an older appliance which had several other kinds of malware installed. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for detecting malware at the UEFI/BIOS level.”

Enhanced Remote Desktop Protocol Attacks Prompts IC3 to Issue Alert

The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to companies concerning the misuse of distant administration tools such as Remote Desktop Procedure. The warning was prompted by a substantial increase in attacks and darknet marketplaces vending RDP access.

Remote Desktop Protocol was first launched into Windows in 1996 and has proven to be a valuable tool. It allows workers to connect to their office computer distantly and IT divisions to access computers to install software or provide help.  When connected through RDP, it’s possible to gain access to the Desktop, convey mouse and keyboard commands, and distantly take complete control of a computer.

Obviously, RDP has been an attractive aim for hackers who use it to steal data, download malevolent software, fit backdoors, or even damage computers.

Every now and then, vulnerabilities are identified in RDP which can be abused by hackers, therefore it is important to make sure systems are completely patched and modern. Nevertheless, attacks happen by getting login identifications. This is typically achieved through brute force attacks to predict vulnerable passwords. Several possible password and username blends are tried until the right one is predicted.

Passwords can also be obtained via man-in-the-middle attacks, such as when workers login to their work computers through RDP on public WiFi hotspots. Several businesses leave RDP ports open and accessible over the Internet (port 3839 particularly) which makes it much easier for RDP to be hacked.

Latest attacks have seen cybercriminals gain access through RDP and steal data or install ransomware, with the latter particularly common. The threat actors behind SamSam ransomware mainly use RDP to gain access to business computers to install ransomware.  This method has also been used to disperse ransomware variations such as CrySiS, ACCDFISA, CryptON, Rapid, Globelmposter, Brrr, Gamma, Monro and a lot more.

IC3 has advised all companies to carry out an audit to decide which appliances have RDP enabled, including cloud-based virtual machines, and to disable RDP if it’s not needed. If RDP is essential, strong passwords should be set, 2FA used, and rate limiting must be applied to obstruct IPs that have made too many failed attempts to log in. Patches must be applied quickly to make sure vulnerabilities cannot be abused.

Companies must make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to contact it through the firewall. Obviously, strong passwords must also be used for the VPN and the latest type of VPN software used.

Since RDP is frequently used to install ransomware, it is vital to regularly back up data and to test standbys to make sure files can be recovered in the event of a tragedy.

Danabot Banking Trojan Utilized in U.S. Campaign

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign targeting clients of Australian Banks. More campaigns were later noticed targeting clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being targeted.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an embedded hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been identified which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign targeting U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails intercepted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being targeted including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”

Q2, 2018 Saw an 86% Increase in Cryptocurrency Mining Malware

2018 has proven to be the year of cryptocurrency mining malware. Cybercriminals are gradually discarding other types of malware and ransomware in support of malware capable of hijacking computers and mining cryptocurrency.

Mining cryptocurrency needs computers to solve the difficult problems necessary to confirm cryptocurrency dealings and add them to the blockchain account book. That needs substantial processing power and takes time. In exchange for carrying out the service, the miner that resolves the problem is compensated with a small amount of cryptocurrency. In order for this to be lucrative, substantial computer processing power is needed. That can be accomplished in two ways. Purchasing the hardware or hijacking other people’s computers.

The high value of cryptocurrencies makes mining an attractive possibility, particularly if a cybercriminal can hire an army of computers to carry out the processing. One computer can earn a few dollars a day. 10,000 computers infected with cryptocurrency mining malware makes this a very lucrative operation. That fact has not been lost on cybercriminals.

2018 has seen a huge increase in the use of cryptocurrency mining malware. In the first quarter of 2018, McAfee informs there was a 629% increase in the number of cryptocurrency mining malware samples it interrupted. That rising tendency has continued all through Q2. As per the September McAfee Threat Statement, there was an additional 86% rise in identified cryptocurrency mining malware samples in Q2.

“Using cryptomining malware is simpler, more straightforward, and less dangerous than conventional cybercrime activities – causing these schemes to rise steeply in fame over the last few months. Actually, cryptomining malware has rapidly developed as a main player on the danger landscape,” said Raj Samani, chief scientist at McAfee.

Although PCs are most usually targeted, cybercriminals have now split out and are also using other Internet-connected appliances to mine cryptocurrency, including Android smartphones. These appliances have much lower processing power than PCs, however since they are comparatively easy to capture, the sheer number of appliances that can be infected more than makes up for their low processing power.

There has also been the main increase in the use of malware that abuse software weaknesses. These kinds of malware rose by 151% in Q2, 2018. “WannaCry and NotPetya provided cybercriminals convincing instances of how malware might use weakness exploits to gain a footing on systems and after that rapidly spread across networks,” said Christiaan Beek, Lead Scientist and Senior Principal Engineer at McAfee. A lot of malware variations have been created that impersonate WannaCry and NotPetya.

The McAfee report also demonstrates there was a 57% growth in ransomware samples in the previous year, and although use is still increasing, reputation is decreasing with just 27% increase seen in Q2, 2018.