US Gov. Using Outdated Android OS, Ransomware Demands Increase, Malware Detection Falls Short, Microsoft Teams and Sharepoint Bug, Pictures Steal CC Data | aiden IT Security News
1. 99.2% of U.S. Government Android Users Are Using Outdated OS Versions
- Of the 200 million+ mobile devices used by local, state, and federal government employees, a majority run the Android operating system (OS). Only 0.8% of those Android devices run the newest OS release (the headline's 99.2% are on something older), which leaves them exposed to more than 636 publicly known vulnerabilities.
- This weak security patch hygiene, combined with the pandemic-era shift to remote work, coincided with a 20-fold spike in malicious activity aimed at U.S. government users, such as drive-by downloads and phishing.
- According to the researchers, examples of the risky app behaviour found on government devices include: unauthorized connections to rogue servers in foreign countries; unrestricted access to sensitive file systems; access to the device camera and media partitions; and unnecessary permissions that let one app read another app's data.
SME Comments: Threat actors understand that mobile devices now carry critical business operations, more so than ever before, so malicious activity is being tailored to specific mobile operating systems, Android included. Most government IT teams hold newly released application patches and OS updates for long periods to test compatibility with their existing environments. Every week a released fix sits untested is a week in which the vulnerability it closes is public and exploitable; the report attributes to that delay an increase of about 65% in the likelihood of exploitation.
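The check an administrator wants after reading the numbers above is "how old is the security patch level on each of my Android devices?" The following is an added example, not code from the article or from the report it summarises: it parses the `[key]: [value]` output that `adb shell getprop` prints (one dump per device, constructed samples here rather than real fleet data) and flags every device whose `ro.build.version.security_patch` date is older than a policy window. The 90-day window and the device names are assumptions for the example.

```javascript
// Added example: flag Android devices whose security patch level is older than
// a policy window. Input is the text `adb shell getprop` prints; the dumps
// below are constructed samples, not real fleet data.
const SAMPLE_DUMPS = {
  'tablet-01': [
    '[ro.build.version.release]: [11]',
    '[ro.build.version.security_patch]: [2021-03-05]',
    '[ro.product.model]: [Pixel 4a]',
  ].join('\n'),
  'phone-07': [
    '[ro.build.version.release]: [8.1.0]',
    '[ro.build.version.security_patch]: [2019-06-05]',
    '[ro.product.model]: [SM-G950U]',
  ].join('\n'),
  // Some builds omit the property entirely; treat that as non-compliant.
  'phone-12': [
    '[ro.build.version.release]: [10]',
    '[ro.product.model]: [Moto G7]',
  ].join('\n'),
};

// Parse "[key]: [value]" lines into a plain object.
function parseGetprop(text) {
  const props = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^\[([^\]]+)\]: \[(.*)\]$/);
    if (m) props[m[1]] = m[2];
  }
  return props;
}

// Whole days between the device's security patch date and a reference date.
// Returns null when the property is missing or malformed.
function patchAgeDays(props, asOf) {
  const patch = props['ro.build.version.security_patch'];
  if (!patch || !/^\d{4}-\d{2}-\d{2}$/.test(patch)) return null;
  const ms = asOf.getTime() - Date.parse(patch + 'T00:00:00Z');
  return Math.floor(ms / 86400000);
}

// Evaluate every device against a maximum patch age (days, assumed policy value).
function assessFleet(dumps, asOf, maxAgeDays = 90) {
  const report = [];
  for (const [id, text] of Object.entries(dumps)) {
    const props = parseGetprop(text);
    const age = patchAgeDays(props, asOf);
    report.push({
      device: id,
      release: props['ro.build.version.release'] || 'unknown',
      patchAgeDays: age,
      compliant: age !== null && age <= maxAgeDays,
    });
  }
  return report;
}

// Fixed reference date so the sample report is reproducible.
console.table(assessFleet(SAMPLE_DUMPS, new Date('2021-04-01T00:00:00Z')));
```

In practice the dumps come from `adb -s <serial> shell getprop` or from the MDM's inventory export; the point is to key compliance on the monthly security patch date rather than on the major Android release, since a device can be on a current release and still be months behind on patches.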
2. The Largest Ransomware Demand Hits $30 Million
- The average ransom paid rose 171% over the past year, as cybercriminals continue to exploit gaps opened by the rapid digital transformation the COVID-19 pandemic forced on organizations.
- With no sign of slowing down, ransom payments are a major revenue stream for cybercriminals: the average payment nearly tripled between 2019 and 2020, while organizations scramble for permanent fixes to the weaknesses ransomware exploits.
- In 2019, security researchers found that ransomware attacks on organizations across North America and Europe carried an average ransom of $115,123. In 2020 that figure rose to $312,493.
SME Comments: Given the increasingly poor security posture of most organizations, ransomware is here to stay. Basic ransomware tactics, techniques, and procedures (TTPs) are now being coupled with more sophisticated attack methods to raise both the likelihood of success and the impact on a victim's infrastructure. Emboldened by that success, notable ransomware gangs such as Ryuk, DoppelPaymer, and Egregor are collaborating with state-sponsored advanced persistent threat (APT) actors while demanding ever larger ransoms.
3. Phishing Sites Bypass Malware Detection With Ease
- As phishing techniques evolve, threat actors have added JavaScript to their phishing pages that checks whether the visitor is browsing from a virtual machine (VM) and, if so, hides the malicious content. This puts defenders at a disadvantage because VMs are exactly what malware analysts and automated sandboxes use to inspect suspicious pages.
- The check is simple: the script tests whether the screen's colour depth is below 24 bits, or whether its height or width is under 100 pixels, values typical of a VM console or a headless browser rather than a real user's display, and serves a benign page when they match.
- JavaScript is also being used for easy but effective attacks on everyday business tools, including PDF documents, file systems and database instances. Its ability to modify page content at runtime makes it a dangerous tool for cybercriminals and state-sponsored threat actors alike.
SME Comments: A phishing page that evades sandbox inspection reaches the inbox, and the credentials or payload it delivers become the foothold for follow-on activity such as lateral movement or planting 'logic bomb' malware in the corporate environment, often activated later through remote command-and-control infrastructure.
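The screen-based check described above, written out as an added example (this is not the phishing kit's own code) so that it can be run outside a browser, together with the countermeasure an analysis VM can apply. The functions take a screen-like object instead of `window.screen` so the logic is testable in Node; the sample screens are constructed, and the `spoofScreen` helper is this example's own name for the technique of shadowing the screen properties with fixed getters.

```javascript
// Added example, not the phishing kit's code: the VM check the article
// describes, and the spoof an analyst's VM can apply to defeat it.

// The kit's logic: low colour depth or a tiny viewport suggests a headless
// browser or a sandbox VM, in which case the page should show the decoy.
function looksLikeAnalysisVm(scr) {
  return scr.colorDepth < 24 || scr.height < 100 || scr.width < 100;
}

// What the phishing page does with the verdict: decoy page or credential form.
function choosePage(scr) {
  return looksLikeAnalysisVm(scr) ? 'decoy' : 'phish';
}

// Countermeasure for the analysis VM: make the screen object report
// desktop-like values regardless of the real framebuffer. In a browser the
// target would be `window.screen` (own accessor properties shadow the
// prototype getters); here it is any object with the same property names.
function spoofScreen(target, { colorDepth = 24, width = 1920, height = 1080 } = {}) {
  for (const [k, v] of Object.entries({ colorDepth, width, height })) {
    Object.defineProperty(target, k, { get: () => v, configurable: true });
  }
  return target;
}

// Constructed sample screens: a VM console running at 16-bit colour, a
// headless browser that reports no window, and a real desktop.
const vmScreen = { colorDepth: 16, width: 1024, height: 768 };
const headless = { colorDepth: 24, width: 0, height: 0 };
const desktop = { colorDepth: 24, width: 1920, height: 1080 };

console.log('vm:', choosePage(vmScreen), 'headless:', choosePage(headless), 'desktop:', choosePage(desktop));
console.log('vm after spoof:', choosePage(spoofScreen({ ...vmScreen })));
```

The practical lesson for the sandbox side is to make the VM look like a real workstation before detonation: run the analysis browser at 24-bit or 32-bit colour with a normal window size, or inject the spoof above as a content script, and compare what the page serves with and without the spoof to confirm the evasion.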
4. Unknown Bug Deletes Files on Microsoft Teams and SharePoint
- Microsoft Teams and SharePoint users are reporting that files have gone missing from their workstations and turned up in recycle bins. The reports followed the Microsoft outage of March 15th, 2021, which affected Office 365, Teams, Xbox Live, Exchange Online, SharePoint, and Outlook.
- According to Microsoft, the outage was caused by a misconfiguration in Azure Active Directory.
- The odd feature of the incident is that system folders stayed intact while individual files were moved either to the user's cloud-based recycle bin or to the PC's local recycle bin. Because folders on the same path were untouched, some security experts wonder whether a malicious bug affected part of Microsoft's Azure infrastructure.
SME Comments: Microsoft's services are a known target for advanced persistent threat actors seeking to compromise as many corporate users as possible, so triggering a bug in one of Microsoft's configuration processes would not be a far-fetched feat for attackers. For now, Microsoft has advised affected users to resync their files so that they are restored to their original locations; usually this is done by restarting the affected PCs. Until the cause is confirmed, anyone who finds files in a recycle bin should restore them from there rather than emptying it.
5. JPG Files Used to Save Stolen Credit Card Data
- According to security researchers, Magecart attackers have adopted a new tactic: stashing stolen payment card data in a .JPG file. This elusive method lets the financially motivated group store and later retrieve its loot on a compromised store without drawing attention.
- The attackers injected PHP code into the Magento file "./vendor/magento/module-customer/Model/Session.php"; that code writes the stolen alphanumeric values into a fake .JPG file that simply grows as more data is captured.
- With the stolen data parked in an innocuous-looking .JPG, the attackers can download it at will, because an image file on a web server rarely raises suspicion.
SME Comments: Magecart attackers are known for compromising e-commerce websites with card-skimming JavaScript that hooks the checkout process to steal customers' payment data. Retailers have tried to contain these financially motivated attackers, but Magecart has repeatedly used popular applications and tools to hide its tracks. Security teams with robust hygiene now use automation to scan infrequently used applications for known and unknown weaknesses, and should treat any file whose contents do not match its extension as suspect.
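A file that says .jpg but holds card data is easy to spot once you look at the bytes rather than the name. The following is an added example, not Sucuri's analysis code nor the skimmer's: it walks the marker structure of a supposed JPEG (SOI, the length-prefixed segments, the entropy-coded scan data with its stuffed FF 00 bytes and restart markers, then EOI) and reports anything that is not image data, either a file with no JPEG structure at all or a payload appended after EOI. The sample files, file names and the base64-encoded card record are constructed for the example; the base64 decoding is only attempted when the trailing bytes look like base64 and is not a claim about how any particular skimmer encodes its data.

```javascript
// Added example: detect non-image data in files that carry a .jpg extension.
// Samples are constructed, not captured from a real store.

const isPrintable = (b) => (b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x0d || b === 0x09;

function looksLikeText(buf) {
  if (buf.length === 0) return false;
  let n = 0;
  for (const b of buf) if (isPrintable(b)) n++;
  return n / buf.length > 0.95;
}

// Walk the JPEG marker stream and report what sits after the EOI marker.
function inspectJpeg(buf) {
  const r = { isJpeg: false, eoiOffset: -1, trailingBytes: 0, trailingText: false, decodedPreview: null, verdict: '' };
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    r.trailingBytes = buf.length;
    r.trailingText = looksLikeText(buf);
    r.verdict = 'no SOI marker: not a JPEG';
    return r;
  }
  r.isJpeg = true;
  let i = 2;
  let inScan = false;
  while (i + 1 < buf.length) {
    if (!inScan) {
      if (buf[i] !== 0xff) { r.verdict = 'malformed marker stream'; return r; }
      const m = buf[i + 1];
      if (m === 0xd9) { r.eoiOffset = i; break; }                          // EOI
      if (m === 0xff) { i += 1; continue; }                                  // fill byte
      if (m === 0x01 || (m >= 0xd0 && m <= 0xd8)) { i += 2; continue; }     // standalone markers
      if (i + 3 >= buf.length) break;
      const len = buf.readUInt16BE(i + 2);                                   // length includes its own 2 bytes
      i += 2 + len;
      if (m === 0xda) inScan = true;                                         // SOS: scan data follows
    } else {
      // In scan data, FF 00 is a stuffed byte and FF D0..D7 a restart marker;
      // any other FF xx is a real marker (EOI, or DHT/SOS in progressive files).
      const next = buf[i + 1];
      if (buf[i] === 0xff && next !== 0x00 && !(next >= 0xd0 && next <= 0xd7)) { inScan = false; continue; }
      i += 1;
    }
  }
  if (r.eoiOffset < 0) { r.verdict = 'SOI present but no EOI: truncated or not image data'; return r; }
  const trailing = buf.subarray(r.eoiOffset + 2);
  r.trailingBytes = trailing.length;
  r.trailingText = looksLikeText(trailing);
  const asText = trailing.toString('latin1');
  if (r.trailingText && /^[A-Za-z0-9+/]+=*\s*$/.test(asText)) {
    r.decodedPreview = Buffer.from(asText.trim(), 'base64').toString('utf8');
  }
  r.verdict = trailing.length === 0 ? 'clean JPEG' : `${trailing.length} bytes after EOI`;
  return r;
}

// Run the check over a name -> bytes map and return only the suspicious ones.
function findSuspicious(files) {
  return Object.entries(files)
    .map(([name, buf]) => ({ name, ...inspectJpeg(buf) }))
    .filter((x) => x.verdict !== 'clean JPEG');
}

// Constructed minimal JPEG: SOI, an APP0/JFIF segment, a SOS header, a few
// scan bytes (with one stuffed FF 00 and one RST0), then EOI.
const MINIMAL_JPEG = Buffer.from([
  0xff, 0xd8,
  0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
  0xff, 0xda, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00,
  0x12, 0x34, 0xff, 0x00, 0x56, 0xff, 0xd0, 0x78,
  0xff, 0xd9,
]);
// Constructed card record using a well-known test PAN, appended as base64.
const CARD_RECORD = '4111111111111111|12/25|123|J. Doe';
const SAMPLES = {
  'logo.jpg': MINIMAL_JPEG,
  'logo_with_payload.jpg': Buffer.concat([MINIMAL_JPEG, Buffer.from(Buffer.from(CARD_RECORD).toString('base64'))]),
  'serialized.jpg': Buffer.from('a:1:{i:0;s:16:"4111111111111111";}'),
};

console.log(findSuspicious(SAMPLES));
```

Point this at the image directories under the web root of a store (for Magento, anything the web server will serve directly) and alert on both verdicts: a .jpg with no JPEG structure is a renamed data file, and one with bytes after EOI is either a benign appended comment or a cache that an attacker can fetch over HTTP like any other image. A regular hash or size baseline of static image files catches the second case even when the appended data is not text.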