1. U.S. Department of Homeland Security Issues a ‘System Patch’ Order to Federal Agencies
- In response to the ongoing wave of attacks against Microsoft Exchange, the cybersecurity division of the U.S. Department of Homeland Security (DHS) issued a rare order to federal agencies, mandating that they immediately patch on-premise Microsoft Exchange products across their networks or disconnect the product entirely.
- Emergency Directive 21-02 was issued on Wednesday (March 3, 2021), after Microsoft released patches for four critical zero-day vulnerabilities that are actively being exploited in the wild. By successfully exploiting these vulnerabilities, attackers can access on-premise Microsoft Exchange servers, gain a persistent foothold and establish command-and-control access to enterprise-wide networks.
- According to the DHS, ongoing and coordinated cyber-attacks are being perpetrated by Chinese-backed hacking groups that are actively targeting U.S. organizations across multiple industries. This specific campaign appears to be exploiting Microsoft-based vulnerabilities.
SME Comments: Microsoft security experts, in collaboration with U.S. government cybersecurity agencies, identified a new Chinese-sponsored threat group called ‘Hafnium,’ with advanced capabilities to exploit vulnerabilities native to on-premises Microsoft Exchange servers. The Hafnium threat group is known to conduct reconnaissance against email servers, leveraging zero-day vulnerabilities and the poor security patch hygiene of unsuspecting organizations to create persistent backdoors and steal sensitive information.
2. BEC Scammers Develop New Attack Methods Against Investment Firms
- Business Email Compromise (BEC) scammers are employing a dynamic attack chain to target investors in investment funds, such as private equity or real estate funds. According to security experts, BEC scammers have realized that their payout is often 7 times greater than average when they attack the U.S. financial sector.
- Leveraging the ‘capital call’ notices that funds issue to investors, BEC scammers are now sending fake ‘capital calls’ to investors who are looking to park large sums of money in lucrative business ventures. Using a fake capital call notice, these actors are able to reroute an average investment worth $809,000 through spoofed wire transfer instructions that mimic those of the investment fund.
- In this type of attack, a man-in-the-middle tactic is used to spy on legitimate email conversations between the victims, who are typically an investment fund and one of its investors.
SME Comments: Although wire transfer fraud is here to stay, threat actors have added dynamic attack methodologies to their BEC attack chain to increase both the likelihood of success and the impact. While the average payout from a BEC scam is $74,000, by targeting investment funds an attacker is all but guaranteed to make off with a larger score that is often difficult to trace. To defend a financial institution against BEC attacks, it is critical that both the investment fund and its investors implement a robust cybersecurity strategy that includes an email security mechanism and a multi-layered approach to communication security.
3. Ryuk Ransomware Self-propagates to other Windows LAN Devices
- The Ryuk ransomware gang recently developed a new variant of the Ryuk ransomware with self-replicating, worm-like capabilities, which allow the variant to spread from one device to another across a victim’s local area network (LAN).
- According to the French National Cybersecurity Agency (Agence Nationale de la Sécurité des Systèmes d’Information), which discovered this self-propagation capability, the new variant replicates itself from one device to another by planting copies of its payload through the Windows ‘scheduled task’ mechanism within the domain. Once the task is launched by an unsuspecting user, the ransomware then spreads itself to every machine reachable over Windows Remote Procedure Call (RPC).
- Although the newly discovered self-replication capability of the Ryuk ransomware does not include a mechanism to prevent it from re-encrypting systems that have already been hit, the new variant can be blocked from infecting other devices across a LAN by changing the passwords (or disabling the accounts) of the privileged domain accounts that are often used to facilitate self-propagation to other devices.
SME Comments: The Ryuk ransomware gang was behind one third of all ransomware attacks in 2020. The Ryuk ransomware is particularly dangerous because it is often targeted, manually operated, and leverages multi-stage attack methodologies that have been observed in the Emotet and TrickBot malware. Due to the high impact of its payloads and the operational sophistication displayed by the Ryuk ransomware gang, security experts are of the cautious opinion that state-sponsored actors are most likely behind the Ryuk ransomware.
4. Online Banks Are Prime Targets For Mobile Adware Attacks
- The leading mobile threat type in 2020 was banking adware, which accounted for about 57% of cyberattacks. While local bank branches were closed due to COVID-19, threat actors focused their attention on deploying mobile adware campaigns against online banking operations. As such, the scale of mobile adware targeting almost tripled last year.
- The most prevalent mobile malware targeted the Android operating system (OS), and the top four malware families were banking trojans – GINP, Cebruser, Ghimob and Cookiethief.
- According to security trend researchers, the focus has shifted toward sophisticated, targeted mobile attacks, in contrast to the mass-infection campaigns seen in previous years.
SME Comments: Banking trojans are specifically designed to steal credentials for multiple financial systems, such as online banking applications and cryptocurrency wallets. Although rudimentary in architecture, most mobile adware that targets online banking infrastructure is extremely effective and tends to spread faster than traditional malware. Armed with knowledge of the inner workings of automated mobile threat detection processes, threat actors are now designing banking trojans with self-protection mechanisms that are capable of hiding within trusted applications to prevent themselves from being uninstalled. While Android OS is the prime target for most banking malware, iOS systems are starting to become a lucrative attack surface for cybercriminals.
5. Google SEO Abused to Expand Payload Delivery
- Security researchers discovered that Gootloader, the well-known malware loader used to distribute ransomware (such as REvil), has undergone a ‘facelift.’ Gootloader now has a sophisticated malware loader framework, which allows it to expand the number of payloads it can deliver to unsuspecting victims.
- Additionally, Gootloader’s facelift allows it to perform multi-stage attack processes, employ obfuscation tactics, and implement search engine optimization (SEO) poisoning tactics, which take advantage of SEO-friendly terms and techniques in order to rank malicious websites higher in Google’s search index.
- By leveraging Google’s search index, the threat actors behind Gootloader are able to draw more visitors to attacker-controlled websites, which often contain malicious links into an entire ecosystem of attack chains. This appears to be a lucrative business model, which will most likely be marketed to cybercriminals who are looking to expand their ransomware enterprise.
SME Comments: Threat actors are turning to SEO poisoning tactics in a calculated effort to divert legitimate traffic to an ecosystem of poisoned information assets. By compromising the back-end servers of legitimate websites (using stealthy and obfuscated mechanisms), threat actors are able to bypass content management systems and redirect the ranking value of specific SEO keywords toward an attacker-controlled website. Because Google’s algorithms push high-ranking SEO keywords to the top of search results, unsuspecting individuals can easily become prime targets even though they are browsing what appear to be legitimate websites.