Highlights


Two weeks have passed by, witnessing cyberattacks of all kinds against individuals, public and private entities.

In this edition of the newsletter we will cover:

  • Cybercrime trends
  • Phishing campaigns
    • Fake cPanel advisory
    • Homoglyph attacks and credit card skimming
    • BEC spear-phishing and financial executives
  • New and upgraded tools
    • MassLogger and credential harvesting
    • Bisonal backdoor, Eastern European targets
  • Vulnerable applications and plugins
    • TeamViewer
    • Facebook Chat

 

Cybercrime trends


Per a recent report from Interpol's Cybercrime Directorate, there is a rise in:

  • Ransomware and DDoS attacks, possibly due to the potential for high impact and financial gain
  • COVID-19 themed domain registrations and COVID-19 related phishing emails impersonating government and health authorities
  • Remote Access Trojans (RATs), providing the criminal underground a way to compromise networks, steal data, and divert financial gains

While Cerber, NetWalker and Ryuk ransomware packages appear to be quickly evolving to maximize damage and financial profit, LockBit ransomware may be shifting focus from individuals and small business to corporations, governments, and critical infrastructure.

When it comes to data harvesting, Emotet and Trickbot are amongst the leading packages.

 

Phishing emails


Fake cPanel advisory

In a recent credential pilfering campaign, scammers sent out a fake cPanel advisory to warn recipients about fabricated security vulnerabilities affecting cPanel and WHM installations 88.0.3+, 86.0.21+ and 78.0.49+.

To add a sense of legitimacy, the threat actors had incorporated cPanel’s logo into their emails. Furthermore, little or no grammar and spelling mistakes had been made, and language commonly found in security advisories had been adopted.

To further trick users, the attackers registered a lookalike domain, which was used in combination with Amazon Simple Email Service to send out the emails. By clicking on the “Update your cPanel & WHM installations” button within the email body, users were redirected to a fake cPanel login page that prompted them to enter their account credentials.

Recommendations: Ensure anti-virus software and associated files are up to date. Scan your environment for Indicators of Compromise. Consider blocking / setting up detection for all URL and IP based IoCs. Keep applications and operating systems patched. Exercise caution with attachments and links in emails. Educate employees on the risks of phishing.

 

Homoglyph attacks and credit card skimming

Analysts documented a recent attack wave in which fraudsters were leveraging the homoglyph technique to deploy the INTER credit card skimming kit.

Homoglyph attacks are extremely simple to pull off. Minor changes or mistakes are made in domain names to make the website addresses appear legitimate, when in fact, rogue parties are relying on visitors not paying attention. For example, fleldsupply.com vs. fieldsupply.com (l instead of i) and winqsupply.com vs. wingsupply.com (q instead of g).

The INTER skimming kit is often delivered through suspicious HTML or JavaScript. In this instance, however, the malicious code was embedded in favicon files which are small images associated with websites. When victims submit their information via the legitimate domain's payment page, INTER would harvest their data and transfer it to the C2 server. 

Malwarebytes believes that Magecart Group 8 is the orchestrator of these attacks due to the use of a re-activated domain previously tied to the group.

 

BEC spear-phishing and financial executives

The Office 365 accounts of financial executives in more than a thousand organizations globally have been targeted in a BEC spear-phishing campaign since March 2020. Trend Micro attributes the campaign to a threat actor named "Water Nue". The phishing messages, which pretend to be new voicemail notifications, are sent from cloud-based email services. The sending name is typically "Swiftme" and is associated with forged company domain names. There is a link in the email to download or listen to the voicemail. If clicked, the link leads the victim to a fake Office 365 login page. The report mentions that over 800 account credentials have successfully been obtained. Once a domain has been reported or blacklisted, the operators simply move on to a new one.

 

New and upgraded tools


MassLogger

Security experts at FireEye have analyzed a new .NET credential stealer, MassLogger, which is using techniques built into Microsoft Windows to hinder static analysis.

In the first phase of the attack, a launcher is used with anti-debugging capabilities. During the second phase, a loader with XOR-decrypting functionality decrypts, loads, and executes the final payload with the MassLogger malware. A log file is dropped, identifying the rogue software’s family, version, and configuration options. Afterwards, a technique called Just-In-Time (JIT) Hooking deploys a hook at the compileMethod() function which happens before the Microsoft Intermediate Language (MSIL) is compiled into assembly. Using JIT allows the authors to make analysis of the nefarious content nearly impossible.

 

Bisonal backdoor, Eastern European financial and military targets

An Advanced Persistent Threat group, named CactusPete by some while Karma Panda by others, has launched a new campaign focused on military and financial groups across Eastern Europe using a new variant of the Bisonal backdoor.

Cisco Talos researchers say the APT is likely state-sponsored, belongs to the Chinese military, and is focused on intelligence-gathering and espionage. Per Kasperksy Labs, CactusPete has been known to strike diplomatic and infrastructure organizations in search for "very sensitive" information. 

As a cyberespionage tool, the backdoor can maintain persistence on an infected machine, scanning drives, listing and exfiltrating files of interest, deleting content, killing system processes, and executing code, such as the launch of programs and remote shells. 

Bisonal relies on dynamic DNS to communicate with a command-and-control (C2) server, has continually improving obfuscation modules, and in the latest versions, uses hardcoded Cyrillic code during string manipulations and includes XOR encoding and support for proxy servers. The deployment of more complex code and tools, including ShadowPad server software, is indicative of the APT receiving new support and resources in recent months.

 

Vulnerable applications and plugins


TeamViewer

A security researcher has reported a severe vulnerability (CVE 2020-13699) linked to the popular remote desktop software TeamViewer and the way it handles unquoted URIs. The more concerning aspect is that an attack could be launched against targeted individuals without much interaction from them.

To successfully exploit the flaw, one needs to embed a malicious iframe on a website and lure the victims into visiting a specially crafted URL. Upon click, TeamViewer will automatically launch its Windows desktop client and initiate a remote connection to a perpetrator-controlled SMB share.

This, in turn, triggers the SMB authentication attack, leaks the system's username and NTLMv2 hashed version of the password to the attackers, allowing them to use the stolen credentials to authenticate to the victims' computer or network resources.

Recommendation: Upgrade the software to version 15.8.3.

 

Facebook Chat

A high severity vulnerability was found in Facebook’s official chat plugin for WordPress sites. The plugin is designed to add a “Facebook Messenger” chat pop-up to any WordPress site and connect a site owner’s chosen Facebook page to receive messages and interact with site visitors.

The flaw is linked to a WordPress AJAX action (wp_ajax_update_options) with missing capability to verify that a request is coming from an authenticated administrator.

This makes it possible for any authenticated user, including subscriber level and default accounts, with access to the /wp-admin area of a WordPress site to update the Facebook chat’s page ID (fbmcc_pageID) that will be connected to the pop-up and the language localization (fbmcc_locale) that should be used. In case of Cross Site Request Forgery (CSRF) protections in place, the latter could be discovered in the source code and bypassed.

This vulnerability could easily go undetected by a site owner, causing site visitors to interact with a cybercriminal instead of the site owner. Such a flaw could be exploited in a social engineering attempt to obtain personally identifiable information, credentials, or other information.

A competitor, on the other side, could completely disable the chat service by supplying nothing for the page ID parameter. Worse yet, the competitor could connect a fake page that closely resembles the original one and be intentionally rude or offensive with site visitors. This could lead to reputational damage, loss in customers and revenue.

Recommendation: Update the plugin to version 1.6.

 

As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

 

Sources


Amatas, Cyware, ZDNet, Kaspersky, Malwarebytes, Trend Micro, The Hacker News, Praetorian, Palo Alto Networks, IBM X-Force, Bleeping Computer, Wordfence, Creative Commons