Cyber Security News - August 2021

Aug 02, 2021

31/08/2021

DHS urges Microsoft Azure customers to regenerate Cosmos DB keys after security flaw


The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is urging Microsoft cloud customers to regenerate their Azure Cosmos DB keys in light of a recently disclosed vulnerability that may have exposed customer data.

The flaw, discovered by researchers at Wiz, would have allowed any customer using Microsoft’s Azure Cosmos DB to read, write and delete another customer’s data without authorisation. Cosmos DB is used by thousands of organisations, including Coca-Cola, Exxon Mobil and a number of other Fortune 500 companies.
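Regenerating the keys is a two-line job per account with the Az PowerShell module, but across a whole subscription it is worth scripting and, more importantly, verifying. The script below is an added example written for this page, not code from Microsoft, CISA or Wiz; it assumes the Az.Accounts and Az.CosmosDB modules and an existing Connect-AzAccount session, and the function name is ours.

```powershell
# Added example (not from the article, CISA or Wiz): regenerate every key on every
# Azure Cosmos DB account in the current subscription and confirm each key changed.
# Assumes the Az.Accounts and Az.CosmosDB modules and an authenticated session.
#Requires -Modules Az.Accounts, Az.CosmosDB

# -KeyKind values accepted by New-AzCosmosDBAccountKey, mapped to the property names
# returned by Get-AzCosmosDBAccountKey -Type Keys
$KeyProperty = @{
    Primary           = 'PrimaryMasterKey'
    Secondary         = 'SecondaryMasterKey'
    PrimaryReadonly   = 'PrimaryReadonlyMasterKey'
    SecondaryReadonly = 'SecondaryReadonlyMasterKey'
}

function Invoke-CosmosDbKeyRotation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # All four kinds by default: a leaked account key gives full data-plane access,
        # so the read-only pair has to go as well
        [ValidateSet('Primary', 'Secondary', 'PrimaryReadonly', 'SecondaryReadonly')]
        [string[]] $KeyKind = @('Primary', 'Secondary', 'PrimaryReadonly', 'SecondaryReadonly')
    )

    # Enumerate accounts through the generic resource provider so no resource group
    # has to be named up front
    $accounts = Get-AzResource -ResourceType 'Microsoft.DocumentDB/databaseAccounts'

    foreach ($acct in $accounts) {
        $rg   = $acct.ResourceGroupName
        $name = $acct.Name

        # Snapshot the current keys purely for comparison; nothing here is ever written out
        $before = Get-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $name -Type 'Keys'

        foreach ($kind in $KeyKind) {
            if (-not $PSCmdlet.ShouldProcess("$rg/$name", "Regenerate $kind key")) { continue }

            New-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $name -KeyKind $kind | Out-Null

            # Re-read and check the key really changed: a silent no-op would leave a
            # leaked key valid while the ticket says 'rotated'
            $after = Get-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $name -Type 'Keys'
            $prop  = $KeyProperty[$kind]

            [pscustomobject]@{
                Account = "$rg/$name"
                KeyKind = $kind
                Rotated = ($before.$prop -ne $after.$prop)
            }
        }
    }
}

# Dry run first, then rotate and list anything whose key did not change
Invoke-CosmosDbKeyRotation -WhatIf
Invoke-CosmosDbKeyRotation | Where-Object { -not $_.Rotated }
```

Rotating the primary key breaks any application still using it, so in a planned rotation you move applications to the secondary key first; for a suspected key exposure, as here, take the outage and rotate all four. Applications should then pick the new key up from Key Vault or a similar secret store rather than from configuration files, which is where the old key tends to linger.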


Read more...

26/08/2021

Microsoft to add secure preview for Office 365 quarantined emails


Microsoft is updating Defender for Office 365 to protect customers from embedded email threats while previewing quarantined emails.

Microsoft Defender for Office 365 provides Office 365 enterprise email accounts with protection from multiple threats, including business email compromise and credential phishing, as well as automated attack remediation.
The soon-to-be-released update is designed to limit users' exposure to unwanted or malicious content by adding additional security controls to block embedded threats.


"We're changing the way users preview quarantined messages to provide additional security against embedded threats," Microsoft explains on the Microsoft 365 roadmap.

"With this change some components in quarantined messages will be distorted and not displayed by default. To see the full contents of the message, users can choose to reveal the full message."


Besides the secured preview of quarantined emails, Microsoft Defender for Office 365 will also roll out other quarantine management features that make it easier for security operations (SecOps) teams and end users to triage emails:


  • Quarantine folder policy and user release request workflow
  • Customer organization branding
  • Streamlined email submission from the quarantine portal
  • Robust release of bulk quarantined emails
  • Quarantine support for shared mailboxes 



Read more...

25/08/2021

Modified Version of WhatsApp for Android Spotted Installing Triada Trojan


A modified version of the WhatsApp messaging app for Android has been found carrying the Triada trojan, which intercepts text messages, fetches and runs further malicious payloads, displays full-screen ads, and signs device owners up for unwanted premium subscriptions without their knowledge.

"The Trojan Triada snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK)," researchers from Russian cybersecurity firm Kaspersky said in a technical write-up published Tuesday. "This is similar to what happened with APKPure, where the only malicious code that was embedded in the app was a payload downloader."


Read more...

23/08/2021

Largest DDoS attack ever reported gets hoovered up by Cloudflare


According to Cloudflare's blog post, it detected and mitigated a 17.2 million request-per-second (rps) HTTP DDoS attack, almost three times larger than any it had previously recorded.

In a DDoS attack, a threat actor tries to stop users from using an online service by overwhelming the target with requests until it can no longer respond to legitimate traffic, or crashes outright.

The target of this attack was a Cloudflare customer in the financial sector. Cloudflare reports that within seconds the botnet bombarded its edge with over 330 million requests.

Cloudflare's network is enormous, reportedly fronting almost 20% of all websites, which is why it can absorb and filter traffic on this scale at its edge.


Read more...

18/08/2021

Facebook Adds End-to-End Encryption for Audio and Video Calls in Messenger and Instagram DMs


Facebook stated on Friday (13/08/2021) that it is extending end-to-end encryption (E2EE) to voice and video calls in Messenger, and is testing a new opt-in setting that turns on end-to-end encryption for Instagram DMs.

"The content of your messages and calls in an end-to-end encrypted conversation is protected from the moment it leaves your device to the moment it reaches the receiver's device," Messenger's Ruth Kricheli said in a post. "This means that nobody else, including Facebook, can see or listen to what's sent or said. Keep in mind, you can report an end-to-end encrypted message to us if something's wrong." Kricheli also noted that E2EE is becoming the industry standard for improved privacy and security.


Read more...

17/08/2021

T-Mobile Confirms It Was Hacked


T-Mobile has confirmed hackers gained access to their systems in an announcement published Monday (16/08/2021).

The move comes after Motherboard reported that T-Mobile was investigating a post on an underground forum offering for sale Social Security Numbers and other private data. The forum post at the time didn't name T-Mobile, but the seller told Motherboard the data came from T-Mobile servers.


The seller claimed the data covered around 100 million people, a figure T-Mobile had not confirmed at the time.


Read more...

16/08/2021

Customer Service Credential Abuse and Data Theft on the rise according to Confidential Amazon Memo


A confidential Amazon memo obtained by Motherboard says that abuse of customer-service credentials and theft of customer data are on the rise inside the company.


Data theft, insider threats and impostors accessing sensitive customer data have apparently become so common that the company is considering rolling out keystroke monitoring for its customer-service representatives.


Read more...

12/08/2021

Accenture Hit by LockBit Ransomware with Hackers Threatening to Leak Data


Accenture, the global IT consultancy, has become the latest company hit by the LockBit ransomware gang, according to a post by the operators on their dark web leak site, with LockBit likely filling the void left by the DarkSide and REvil shutdowns.

"These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider," read a message posted on the data leak website. Accenture said it has since restored the affected systems from backups.


LockBit, like its now-defunct DarkSide and REvil counterparts, operates using a ransomware-as-a-service (RaaS) model, roping in other cybercriminals (aka affiliates) to carry out the intrusion using its platform, with the payments often divided between the criminal entity directing the attack and the core developers of the malware.


The ransomware group emerged on the threat landscape in September 2019, and in June 2021 launched LockBit 2.0 along with an advertising campaign to recruit new partners. "LockBit also claims to offer the fastest data exfiltration on the market through StealBit, a data theft tool that can allegedly download 100 GB of data from compromised systems in under 20 minutes," Emsisoft noted in a profile of the crime syndicate.


Read more...

11/08/2021

Microsoft responds to PrintNightmare


Microsoft appears intent on turning the 'PrintNightmare' print spooler remote code execution vulnerability into an AdminNightmare, judging by its latest mitigation, which requires administrator privileges for Point and Print driver installation and updates.

PrintNightmare began life as an accidentally disclosed zero-day at the end of June and allowed an attacker to run arbitrary code on Windows with SYSTEM privileges through a flaw in the Windows Print Spooler service, giving attackers free rein on exposed systems.

Further probing by security researchers turned up additional vulnerabilities in the Print Spooler service.

Having initially advised customers to disable the Print Spooler service, Microsoft is now requiring administrator privileges for Point and Print driver installation by default. The change applies to all supported versions of Windows and shipped in this week's round of patches.
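The mitigation is a registry-backed policy, so it can be audited from PowerShell. The script below is an added example written for this page, not Microsoft's code; the key and value names are the ones Microsoft documents in its Point and Print guidance (RestrictDriverInstallationToAdministrators, plus the two older values that could re-enable silent driver installs), and the function names are ours. Run it elevated; on a patched system an absent RestrictDriverInstallationToAdministrators value defaults to 1 (restricted), which the check treats as hardened.

```powershell
# Added example (not Microsoft's code): audit and enforce the Point and Print
# hardening that the August 2021 update applies, and report the Print Spooler state.
# Value names follow Microsoft's Point and Print guidance; run from an elevated prompt.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    # Read one DWORD from the policy key; $null means the value is not defined
    function Read-PolicyDword([string] $Name) {
        try   { (Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $restrict = Read-PolicyDword 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Read-PolicyDword 'NoWarningNoElevationOnInstall'
    $update   = Read-PolicyDword 'UpdatePromptSettings'
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $spoolerStatus = 'NotInstalled'
    $spoolerStart  = 'NotInstalled'
    if ($spooler) {
        $spoolerStatus = $spooler.Status
        $spoolerStart  = $spooler.StartType
    }

    # Hardened when non-admin driver installs are restricted (1, or not defined on a
    # patched system) and neither legacy value has been set to re-enable silent installs
    $hardened = ($restrict -ne 0) -and
                ($null -eq $noWarn -or $noWarn -eq 0) -and
                ($null -eq $update -or $update -eq 0)

    [pscustomobject]@{
        SpoolerStatus                              = $spoolerStatus
        SpoolerStartType                           = $spoolerStart
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        Hardened                                   = $hardened
    }
}

function Set-PointAndPrintHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $PSCmdlet.ShouldProcess($PointAndPrintKey, 'Require administrator rights for Point and Print driver installation')) { return }

    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }

    # Set the value explicitly to 1 so a 0 left behind by an earlier workaround cannot reopen the hole
    Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord

    # Remove the two legacy 'silent install' overrides rather than leaving them at 1
    foreach ($legacy in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        Remove-ItemProperty -Path $PointAndPrintKey -Name $legacy -ErrorAction SilentlyContinue
    }
}

Get-PointAndPrintState
```

If Group Policy manages these values it will reapply them at the next refresh, so make the change in the GPO rather than on the host. Where a machine never needs to print, disabling the Spooler service remains the broadest mitigation, and the SpoolerStatus and SpoolerStartType fields show whether that has been done.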


Read more...

05/08/2021

The upcoming 'Super Duper Secure Mode' update for Microsoft Edge


Microsoft has announced that the Microsoft Edge Vulnerability Research team is experimenting with a new feature dubbed "Super Duper Secure Mode" which is being designed to bring security improvements without seeing significant performance losses.

When enabled, the new Microsoft Edge Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users' systems.


Right now, when enabled, Super Duper Secure Mode disables JIT (TurboFan/Sparkplug) and enables Control-flow Enforcement Technology (CET), an Intel hardware-based exploit mitigation designed to provide a more secure browsing experience.

In future, Microsoft also wants to add support for Arbitrary Code Guard (ACG), a mitigation that stops a process from allocating new executable memory or modifying existing code, a step most browser exploit chains depend on.


Read more...

04/08/2021

Microsoft identifies new phishing campaign using SharePoint lures


Microsoft researchers have discovered threat actors using spoofed sender addresses and Microsoft SharePoint lures in a new phishing campaign described as "sneakier than usual". The campaign is designed to slip past the usual security protections and fool users into giving up their credentials.

Microsoft Security Intelligence said the campaign targets organisations that use Microsoft Office 365 and abuses SharePoint's file-sharing feature, the team revealed in a tweet on 03/08/2021.

The campaign spoofs the display sender address so that it contains the target's own username and domain, and uses display names "that mimic legitimate services to try and slip through email filters".
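The display-name trick is cheap to spot once you compare what the eye sees with the address the mail actually came from. The function below is an added example written for this page, not Microsoft's detection logic; the watch-list of service names is an assumption, the function name is ours, and the sample From headers at the bottom are constructed, not taken from the campaign.

```powershell
# Added example (not Microsoft's detection logic): flag From headers whose display name
# is itself an e-mail address at a different domain from the real sender, or names a
# well-known service the sending domain has nothing to do with. The sample headers at
# the bottom are constructed for this example.

# Assumed watch-list of service names worth checking against the sender domain
$LookalikeServices = @('sharepoint', 'onedrive', 'microsoft', 'office 365', 'docusign')

function Test-SpoofedFromHeader {
    param([Parameter(Mandatory)] [string] $From)

    $result = [ordered]@{ From = $From; Suspicious = $false; Reason = '' }

    # RFC 5322 "display-name <addr-spec>"; the quotes around the display name are optional
    if ($From -match '^\s*"?(?<display>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $display    = $Matches['display'].Trim()
        $addr       = $Matches['addr'].Trim()
        $addrDomain = ($addr -split '@')[-1].ToLowerInvariant()

        # Case 1: the display name is an address (e.g. the target's own user@domain) whose
        # domain differs from the domain the mail was actually sent from
        if ($display -match '^[^@\s]+@(?<ddomain>[^@\s]+)$') {
            $displayDomain = $Matches['ddomain'].ToLowerInvariant()
            if ($displayDomain -ne $addrDomain) {
                $result.Suspicious = $true
                $result.Reason     = "display name domain '$displayDomain' differs from sender domain '$addrDomain'"
            }
        }

        # Case 2: the display name mimics a service but the sender domain does not contain it
        if (-not $result.Suspicious) {
            foreach ($svc in $LookalikeServices) {
                $token = $svc -replace ' ', ''
                if ($display -like "*$svc*" -and $addrDomain -notlike "*$token*") {
                    $result.Suspicious = $true
                    $result.Reason     = "display name mimics '$svc' but sender domain is '$addrDomain'"
                    break
                }
            }
        }
    }
    else {
        $result.Reason = 'no display name / address pair found'
    }

    [pscustomobject]$result
}

# Constructed sample From headers (not from the campaign)
$samples = @(
    '"alice@contoso.example" <notify@share-docs-portal.example>',  # target address used as display name
    'SharePoint Online <alerts@files-review.example>',             # service name on an unrelated domain
    'Bob Jones <bob.jones@contoso.example>',                       # benign
    '"alice@contoso.example" <alice@contoso.example>'              # benign: display name matches sender
)
$samples | ForEach-Object { Test-SpoofedFromHeader -From $_ } | Format-Table -AutoSize
```

Allowlist your own legitimate sending domains and extend the watch-list before running this over real mail, and treat a hit as a triage signal alongside SPF, DKIM and DMARC results rather than a verdict: the display-name trick works precisely because those authentication checks pass for the attacker's own domain.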


Read more...

04/08/2021

Video comms org, Zoom agrees $85m settlement

Zoom has agreed to an $85m settlement of a class action privacy lawsuit filed in the US over its weak privacy and security controls, the surge in zoom-bombing, and its data-sharing practices. As part of the settlement, Facebook is to delete the user data it obtained via the Zoom app's use of its SDK.


Reported Zoom Issues:

  • Zoom-bombing - unauthorised users joining private Zoom sessions with the intent to cause mayhem. Zoom-bombing exploded during the 2020 COVID-19 lockdowns and restrictions, disrupting many individuals and businesses who relied on the software to keep remote staff working.
  • End-to-end encryption - Zoom claimed to offer end-to-end encryption when it was actually using transport encryption. It later had to clarify that it meant data was encrypted between Zoom endpoints, rather than end-to-end between participants.
  • Sharing data with social media companies - even if you don’t have an account with them. Zoom used Facebook’s software development kit (SDK) for app features, which resulted in device data being sent to Facebook. The fact that data was sent even for users without a Facebook account wasn’t made clear, according to Motherboard. As a result of the linked investigation, Zoom removed the Facebook SDK, apologised for the oversight, and shut down “unnecessary device data” collection.

Read more...

03/08/2021

Threat Actors are using Web Push Notifications to make Ad Revenue


As many countries reintroduced COVID-19 lockdowns and restrictions earlier in 2021, many people were once again stuck at home with free time, and online streaming rose with it. A recent report from Trend Micro describes threat actors using browser push notifications in an unusual click-fraud scheme aimed at users of illegal streaming sites.

Users of such sites are usually bombarded with advertisements that open in new tabs and browser windows; annoying as that is, it's the price some users are willing to pay to avoid subscribing to the services that legally provide the content.


Although these spammy advertisements help cover the site's running costs, they only reach users while they are on the site. For a sporting event, that means impressions and clicks only arrive around the time the event is on.

To get around this, unscrupulous advertisers take advantage of the push notification feature built into most browsers to send advertisements directly to subscribed users throughout the day. Once a notification is clicked, the user is taken through a series of doorway pages before landing, perhaps surprisingly, on a legitimate page.

This is a very specific kind of scheme: affiliates commissioned by security companies earn more by tricking users into visiting those companies' websites, in this case via misleading notifications.


What are push notifications?

Push notifications are clickable pop-up messages shown by your browser on behalf of a website you have allowed to send them. They serve as a quick channel for companies to deliver messages, offers or other information to their customers. Subscribers receive them wherever they are in the browser, as long as they are online and the browser is running on their device.


What you can do
Google is reportedly trying to crack down on abuse of the browser notification feature by sites that “mislead users, phish for private information or promote malware”. As we do not know how long that will take, we at JC Cyber Security recommend:


  • Do not use untrusted websites - instead, use a trusted source that is licensed to show the content you are viewing
  • Don't accept browser notification requests from sites you don't know or don't want to hear from
  • Ensure your browser is doing everything it can to block unwanted content and tracking advertisements
  • Get in touch with one of our Cyber Experts
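Blocking the permission prompt centrally is the control that removes the scheme's foothold. The script below is an added example written for this page, not from Trend Micro, Google or Microsoft; it writes the browsers' documented DefaultNotificationsSetting and NotificationsAllowedForUrls policies for Chrome and Edge on Windows, the allow-list entry is a placeholder to replace with your own hosts, and the function names are ours. Run it elevated; on domain-joined machines set the same policies through Group Policy instead.

```powershell
# Added example (not from the article, Trend Micro or the browser vendors): block web push
# notification prompts by policy in Chrome and Edge, allowing only named hosts.
# Policy names are the browsers' documented ones; the allow-list entry is a placeholder.

$NotificationPolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

# DefaultNotificationsSetting: 1 = allow, 2 = block, 3 = ask (the browser default the scheme relies on)
$DefaultNotificationsSetting = 2

# Hosts still allowed to ask; placeholder pattern, replace with your own trusted hosts
$NotificationsAllowedForUrls = @('[*.]intranet.example')

function Set-BrowserNotificationPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($browser in $NotificationPolicyKeys.Keys) {
        $key = $NotificationPolicyKeys[$browser]
        if (-not $PSCmdlet.ShouldProcess($browser, "Set DefaultNotificationsSetting=$DefaultNotificationsSetting")) { continue }

        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'DefaultNotificationsSetting' -Value $DefaultNotificationsSetting -Type DWord

        # List policies live in a subkey named after the policy, as string values "1", "2", ...
        $allowKey = Join-Path $key 'NotificationsAllowedForUrls'
        if (Test-Path $allowKey) { Remove-Item -Path $allowKey -Recurse -Force }
        New-Item -Path $allowKey -Force | Out-Null
        for ($i = 0; $i -lt $NotificationsAllowedForUrls.Count; $i++) {
            Set-ItemProperty -Path $allowKey -Name "$($i + 1)" -Value $NotificationsAllowedForUrls[$i] -Type String
        }
    }
}

function Get-BrowserNotificationPolicy {
    foreach ($browser in $NotificationPolicyKeys.Keys) {
        $key   = $NotificationPolicyKeys[$browser]
        $value = $null
        try   { $value = (Get-ItemProperty -Path $key -Name 'DefaultNotificationsSetting' -ErrorAction Stop).DefaultNotificationsSetting }
        catch { $value = $null }

        # Read back the allow-list exactly as the browser will see it
        $allowed  = @()
        $allowKey = Join-Path $key 'NotificationsAllowedForUrls'
        if (Test-Path $allowKey) {
            $regKey  = Get-Item -Path $allowKey
            $allowed = $regKey.GetValueNames() | ForEach-Object { $regKey.GetValue($_) }
        }

        [pscustomobject]@{
            Browser                     = $browser
            DefaultNotificationsSetting = $value
            Blocked                     = ($value -eq 2)
            AllowedHosts                = ($allowed -join ', ')
        }
    }
}

Set-BrowserNotificationPolicy -WhatIf
Get-BrowserNotificationPolicy
```

The Get function reports what is actually in the registry, which is what the browser reads; confirm on an endpoint via chrome://policy or edge://policy that the policy has been picked up, since a typo in the key path fails silently.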


Read more...

02/08/2021

Fake Call Centers are Tricking Users Into Installing Ransomware
 

An ongoing malicious social engineering campaign, dubbed 'BazaCall', has been identified in which fake call centres trick victims into downloading malware capable of exfiltrating data and deploying ransomware on infected systems.


BazaCall emails falsely tell recipients that a subscription is about to renew and will be charged to their account unless they call a given number. The fraudulent call centre then talks the unsuspecting caller through downloading the BazaLoader malware.


"BazaLoader (aka BazarBackdoor) is a C++-based downloader with the ability to install various types of malicious programs on infected computers, including deploying ransomware and other malware to steal sensitive data from victimized systems. First observed in April 2020, BazaLoader campaigns have been used by multiple threat actors and frequently serves as a loader for disruptive malware such as Ryuk and Conti ransomware." - The Hacker News


Because the emails contain no malicious attachments or links, they are less likely to be flagged by phishing and malware detection tools, which helps each campaign reach a larger audience.


If you are suspicious of an email, text or other communication, we recommend not clicking any links or downloading any attachments. Reputable services will never ask you to share personally identifiable or sensitive information directly with them. If you require any further assistance, get in touch with one of our cyber experts today.


Read more...
