TeaBot Wreaks Havoc, New Malware Strains run Wild, Small Business Ransomware, Microsoft Office 365 Insider Threats, CISA Issues Subpoena

1.  A New and Lethal Banking Trojan, TeaBot, Wreaks Havoc For European Financial Institutions

• Cybersecurity experts warn users of a new Android Trojan currently being exploited in the wild against banks and other financial institutions in the Netherlands, Spain, Belgium, and Italy. This trojan is called ‘TeaBot’ (or Anatsa), and it is used to hijack users’ credentials via SMS messages.
• Once TeaBot is successfully installed on a victim’s device, an attacker can view a device’s screen in real-time. Additionally, this trojan allows the attacker to deploy system commands to manipulate accessibility services on said device.
• This new and lethal trojan masquerades as an application used to facilitate mail package delivery for companies, such as DHL, VLC, and UPS. Additionally, this rogue application also acts as a malware dropper, used to load a second-stage payload. This second stage payload then gains elevated access, thereby disabling security controls, from Google Play Protect and re-routing Google Authenticator codes from a user’s text message to an attacker’s remote server.
• The use of ‘TeaBot’ as an exploit tool against financial institutions was first discovered in January 2021. According to security researchers, this banking trojan is still in its early development stages. However, attackers are actively targeting financial applications (web and mobile apps).

Expert Commentary: As the COVID-19 pandemic evolves, businesses have opted to use mobile and web applications to facilitate day-to-day business operations. This new banking trojan uses a similar technique as Flubot’s by sending spoofed text messages and pretending to originate from courier companies. The URLs often shared in said spoofed text messages usually appear to take victims to website pages that are identical to popular courier companies, including UPS. However, they are used to trick victims into partaking in multi-layer compromises. The specific end goal of TeaBot is to gain elevated privileges, record keystrokes, capture screenshots, and steal login credentials along with payment card information in near real-time. Like most stealthy banking malware, TeaBot is highly stealth and fights back against native security controls.

Learn More

2.  Sophisticated Attackers Release Three New Malware Strains Into the Wild

• In December 2020, a state-sponsored cyber threat group, UNC2529, released two newly developed phishing scams that strategically targeted 50 global organizations. UNC2529 has now released three new lethal malware strains dubbed by security researchers as “Doubledrag” – Doubledrop (a dropper) and Doubleback (a backdoor).
• This sophisticated attack campaign starts with a phishing email, including a poisoned URL used to drop the malicious payload. This malicious payload, Doubledrag, then downloads Doubledrop, which is an obfuscated PowerShell script used to plant a 32-bit – 64-bit backdoor (Doubleback) within targeted systems.
• The backdoor-based malware is a command-and-control tool, which automatically inserts malicious plugins onto a host system, and reports back to its remote controllers. Unfortunately, these new malware strains are incredibly stealthy, thus difficult to detect by existing security controls.

Expert Commentary: The Triple DOUBLE malware ecosystem or the “trifecta” comprises a downloader (doubledrag) or sometimes an Excel document, a dropper (doubledrop), and a backdoor (doubleback). The initial infectious vector begins with a phishing email that contains a link to download a malignant payload that contains an obfuscated JavaScript downloader. Once executed, DOUBLEDRAG connects with its C2 server and downloads a memory-only dropper. The dropper, DOUBLEDROP, is executed as a PowerShell script containing 32-bit and 64-bit backdoor DOUBLEBACK. One interesting reality about the entire ecosystem is that just the downloader exists in the file system. The remainder of the components is serialized in the registry database, making their detection harder, particularly by file-based antivirus engines.

Learn More

3. Ransomware Attacks Against Small Businesses Increased By 300% in One Year

• According to the U.S. Secretary of Homeland Security, Alejandro Mayorkas, ransomware attacks (against small and medium-sized businesses) have increased by 300% over the past year costing victims an estimated total of $350 million.
• Secretary Mayorkas further said that small businesses are the primary target for ransomware gangs, as they are the most vulnerable demographic despite being the backbone of the U.S. economy.
• To effectively battle these frequent ransomware attacks, the U.S. Department of Homeland Security (DHS) has collaborated with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to carry out sprint exercises. Their goal is to educate and equip small businesses with the tools required to defend against emerging attack tactics, techniques, and procedures (TTPs).

Expert Commentary: While large businesses may present themselves as more lucrative prey, small businesses are appealing targets because of their lack of resources to defend against such attacks. Small businesses lack essential computer defense awareness, making them a perfect target. Many reports by Intelligence experts agree that almost 80% of these small and medium scale businesses never implement data protection, email security and do not have proper cybersecurity awareness. This leads to employees unable to identify potential threats and attacks. Most small companies experience ransomware attacks, and the most frequent attack vectors used by attackers were phishing, social engineering, spoofed websites, and malvertisement.

Learn More

4.  Malicious Microsoft Office 365 Apps Are Top Targets for Insider Threats

• Attackers continue to discover innovative ways to target Microsoft Office 365 to gain unauthorized access into elevated user accounts. When a user logs in, the link prompts them to install an app, which resembles a tool required to conduct daily business functions. When installed, the app then gives an attacker persistent and password-free access to the user’s emails and files.
• Said malicious apps allow attackers to remotely bypass multi-factor authentication (MFA), as they are being approved by users and do not require a subsequent sign-in. These apps can stay there indefinitely, unaffected by password changes until removed by the user. The only remedy so far is to avoid installing apps from a non-verified vendor.
• In newly popular Microsoft Office 365 scams, attackers allow users to access legitimate resources and capture their OAuth Authentication credentials.

Expert Commentary: Attackers use numerous techniques, such as application impersonation strategies, to lure unsuspecting users. After such, said attackers create and spread cloud-based malware from within a trusted IT infrastructure, causing poisoned applications to permeate across an entire organization. Most attackers who engage in this style of compromise are often known to mimic legitimate emails to conduct BEC fraud. As attackers continue to innovate their attack methodologies, a fake phishing link is no longer required to access an otherwise secured account. Instead, attackers use the OAuth authentication method to bypass multi-factor authentication and persist even after an account password has been reset.

Learn more

5.  CISA Uses Subpoena Authority to Contact Vulnerable US Companies

• For the first time, the U.S. Department of Homeland Security’s cybersecurity agency (CISA) used its newly acquired subpoena authority to directly contact U.S. Internet Service Providers (ISPs), whose software was vulnerable to threat actors.
• In the past, CISA would otherwise rely on third-party communication channels to notify ISPs about potential vulnerabilities within their products. With CISA’s subpoena authority, the agency can now legally acquire a full list of ISP clients whose computing environment and/or services might be targets of future or ongoing cyberattacks.
• CISA’s subpoena authority is a direct response from the Biden Administration to tackle large-scale security incidents that can impact critical supply chain infrastructures, thus resulting in a national security disaster.

Expert Commentary: The Cybersecurity and Infrastructure Security Agency (CISA) works nonstop to identify and mitigate online cybersecurity vulnerabilities which cover our nation’s critical infrastructure. A vital component of these efforts includes notifying critical infrastructure components of vulnerability in their frameworks. However, at times CISA analysts identify or receive information about vulnerable systems but cannot find contact information for the owners or administrators. Therefore, section 2209’s subsection “o” of the Homeland Security Act (6 U.S.C. § 659(o) provides CISA with the legal and administrative power to issue subpoenas for critical systems data related to certain IT operations. This could help to identify and notify an organization of looming cyber risks targeting their infrastructure. The cybersecurity industry is yet to decipher how far-reaching CISA’s subpoena powers are now because it has not been implemented as often.

Learn More