Security News


US Cybersecurity Agency Issues Emotet Warning

America’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet.

Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim’s computer. This sophisticated strain of malware was developed by threat group TA542. 

CISA said: “Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information.”

The agency warned that such an attack could result in the loss of money and of proprietary information as well as cause “disruption to operations and harm to reputation.”

CISA advised users and system administrators to block email attachments such as .dll and .exe, which are commonly associated with malware, and to block any email attachments that cannot be scanned by antivirus software.
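As an added illustration of that advice (example code written for this page, not CISA's or the article's own), the following Python filter applies both rules to a raw email: it rejects attachments whose final extension is on a blocklist, looks inside zip archives for the same extensions, and treats archives it cannot open, or whose members are password-protected, as "cannot be scanned". Only .dll and .exe come from the advisory; the additional extensions and the sample messages are assumptions constructed for the example.

```python
"""Attachment policy check in the spirit of the CISA Emotet guidance.

Added example, not from CISA or the article. Parses an RFC 822 message,
walks its attachments and flags blocked extensions, blocked members inside
zip archives, and archives that an antivirus engine could not inspect.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# .dll and .exe are the types named in the CISA advisory; the rest are an
# assumed broadening that a mail gateway would typically add.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".msi"}


def _blocked_name(name: str) -> bool:
    """True if the filename's final extension is on the blocklist.

    PurePosixPath.suffix judges 'report.pdf.exe' by '.exe', not '.pdf'.
    """
    return PurePosixPath(name.lower()).suffix in BLOCKED_EXTENSIONS


def _inspect_zip(data: bytes, outer_name: str) -> list[str]:
    """Findings for a zip payload; unreadable or encrypted => 'unscannable'."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of flag_bits marks an encrypted entry. AV cannot open
                # it, so the advisory's "cannot be scanned" rule applies.
                if info.flag_bits & 0x1:
                    findings.append(f"unscannable: {outer_name} has encrypted member {info.filename}")
                elif _blocked_name(info.filename):
                    findings.append(f"blocked: {outer_name} contains {info.filename}")
    except zipfile.BadZipFile:
        findings.append(f"unscannable: {outer_name} is not a readable zip")
    return findings


def evaluate_message(raw: bytes) -> list[str]:
    """Return policy findings for a raw message; an empty list means it passes."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _blocked_name(name):
            findings.append(f"blocked: attachment {name}")
        elif name.lower().endswith(".zip") or payload[:2] == b"PK":
            # Archive by name or by magic bytes: look inside rather than trust the label.
            findings.extend(_inspect_zip(payload, name))
    return findings


def _build_sample(attachments: list[tuple[str, bytes]]) -> bytes:
    """Construct a test message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def _zip_bytes(member: str, data: bytes) -> bytes:
    """Construct an in-memory zip with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean = _build_sample([("invoice.pdf", b"%PDF-1.4 constructed sample")])
    exe_in_zip = _build_sample([("invoice.zip", _zip_bytes("invoice.exe", b"MZ constructed sample"))])
    print(evaluate_message(clean))       # []
    print(evaluate_message(exe_in_zip))  # ['blocked: invoice.zip contains invoice.exe']
```

A gateway rule that only matches on the outer filename misses the common case of an executable wrapped in a zip, which is why the archive is opened and its member names checked with the same function.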

Further protection measures suggested by CISA are to implement firewalls, an antivirus program, and a formalized patch management process.

To limit how far an infection can spread once it is inside a network, CISA recommended segmenting and segregating networks and functions. 

The warning comes a week after cybersecurity firm Proofpoint announced that Emotet was back and causing trouble with a new campaign after taking what appeared to be a Christmas break. Researchers spotted Emotet going after targets in the pharmaceutical industry in the US, Canada, and Mexico on January 13. 

By Tuesday, the attackers had widened their net to go after victims in multiple industries in Australia, Austria, Germany, Hong Kong, Italy, Japan, Singapore, South Korea, Spain, Switzerland, Taiwan, and the United Arab Emirates. 

“Based on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s return seriously,” wrote researchers. “On Monday alone we saw nearly three quarters of a million messages and they’re already fast approaching one million messages total.”

This mass of messages, although large, isn’t the highest volume the researchers have ever seen from the TA542 group. Previously, researchers have seen the threat actors send over one million messages in just one day.


US County Suffers Two Cyber-attacks in Three Weeks

Albany County in the state of New York has been struck by two separate cyber-attacks in three weeks. 

A five-figure ransom in Bitcoin was paid by Albany County Airport Authority (ACAA) earlier this month after their servers became infected with ransomware on Christmas day.

Airport CEO Philip Calderone said that the authority caught the virus from a company called LogicalNet, which, rather ironically, ACAA had hired to provide cybersecurity services. The attack came to light after LogicalNet reported that its management services network had been breached. 

Calderone told Times Union: “We have severed our relationship with LogicalNet.” 

According to Times Union, the airport’s insurer reimbursed the authority for the rest of the undisclosed ransom payment, and the authority is now seeking to recover from LogicalNet the $25,000 deductible it paid under its insurance policy. 

Three weeks later, on January 15, the Albany County town of Colonie was hit by a cyber-attack that took the town’s computer system and email offline. Many departments were still experiencing problems on Friday.

Town spokesperson Sara Wiest said on Friday that the town was still trying to determine the exact nature of the attack. Wiest added that all the town’s data had been backed up prior to the incident, allowing many departments to continue working despite not having access to the computer system.

In a forced return to last century’s communication methods, the town sent out a news release regarding the cyber-attack via fax on Friday morning.

The release stated that there was no indication that any personal data had been compromised and reassured the public that the town’s health and safety services were still functioning. 

“These types of situations happen in a lot of different places and municipalities and they appear to be similar,” said Colonie town supervisor Paula Mahan. “It’s happening in a lot of places and it’s something we have to get used to.”

In March 2019, the City of Albany spent $300,000 on new servers, security software upgrades, firewall insurance, and other cybersecurity improvements after being hit by a ransomware attack. Fortunately, the city was able to fall back on its daily backups of mission-critical systems, and no ransom was paid.  


Over Half of Organizations Were Successfully Phished in 2019

An annual report into the virulence of phishing scams has found that more than half of organizations dealt with at least one successful phishing attack in 2019. 

The 2020 “State of the Phish” report, by cybersecurity and compliance firm Proofpoint, was produced using data from nearly 50 million simulated phishing attacks sent by Proofpoint to end users over a one-year period. In addition, researchers combed through third-party survey responses from more than 600 information security professionals and analyzed the fundamental cybersecurity knowledge of more than 3,500 working adults in the US, Australia, France, Germany, Japan, Spain, and the UK.

Among the key findings, 55 percent of surveyed organizations dealt with at least one successful phishing attack in 2019, and infosecurity professionals reported a high frequency of social engineering attempts across a range of methods.

Other forms of attack reflect cyber-criminals’ continued focus on compromising individual end users. Spear-phishing attacks were reported by 88 percent of organizations worldwide, while 86 percent reported business email compromise (BEC) attacks and social media attacks. 

Phishing via text/SMS, also known as smishing, struck 84 percent of organizations, while 83 percent reported experiencing voice phishing, or “vishing.” Malicious USB drops had caused problems for 81 percent of organizations surveyed. 

On a more positive note, the sixth annual “State of the Phish” report revealed that equipping individuals with instructions on how to avoid taking the phishers’ bait garnered good results. Seventy-eight percent of organizations reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.

“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint. 

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”

Proofpoint researchers noted an increase in the volume of reported phishing messages and identified a trend toward more targeted, personalized attacks in preference to bulk campaigns.

The volume of reported messages jumped significantly year on year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67 percent over 2018.


Over 2000 WordPress Sites Hit by Malicious Redirects

Thousands of WordPress sites have been infected with malicious JavaScript in an attempt to promote scam websites, according to Sucuri.

The number of infections spiked last week, with hackers exploiting vulnerabilities in various plugins, including Simple Fields and the CP Contact Form with PayPal, the security vendor explained in a blog post.

After exploitation, the hackers are able to inject JavaScript which begins a series of redirects to a fraudulent “survey-for-gifts” website, where users are tricked into handing over personal info and unwittingly installing malware.

Among the domains registered as part of the campaign are gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com and admarketresearch[.]xyz.

“Unfortunately for website owners, this malicious JavaScript payload is capable of making further modifications to existing WordPress theme files via the /wp-admin/theme-editor.php file. This allows them to inject additional malware, such as PHP backdoors and hacktools, to other theme files so they can continue to maintain unauthorized access to the infected website,” Sucuri explained.

“We encourage website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes, as part of WordPress security hardening and security best practices.”

The attackers have also been observed abusing /wp-admin/ features to create fake plugin directories containing more malware: for example, using /wp-admin/includes/plugin-install.php to upload a zip-compressed fake plugin and unpack it into /wp-content/plugins/.

The two most common fake plugin directories spotted by Sucuri are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
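The indicators above lend themselves to a quick sweep of a WordPress install. The following Python script is an added example written for this page, not Sucuri's or WordPress's own code: it checks a site root for the two fake plugin paths named above, looks through wp-content for PHP, JS and HTML files that reference the campaign's redirect domains, and reports whether wp-config.php defines the two constants that shut off the in-dashboard file editor and plugin/theme installation (DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS), which is the "disable the modification of primary folders" hardening Sucuri refers to. The fixture site it builds, and the theme name twentytwenty, are constructed for the example.

```python
"""Sweep a WordPress install for the indicators in Sucuri's write-up.

Added example, not Sucuri's or WordPress's own code. Paths and domains come
from the article; the fixture site and everything else is assumed.
"""
import re
import tempfile
from pathlib import Path

FAKE_PLUGIN_FILES = (
    "wp-content/plugins/supersociall/supersociall.php",
    "wp-content/plugins/blockspluginn/blockspluginn.php",
)
REDIRECT_DOMAINS = (
    "gotosecond2.com",
    "adsformarket.com",
    "admarketlocation.com",
    "admarketresearch.xyz",
)
# Real WordPress constants: the first disables theme-editor.php, the second
# also blocks plugin/theme installs and updates from the dashboard.
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

_DOMAIN_RE = re.compile("|".join(re.escape(d) for d in REDIRECT_DOMAINS), re.IGNORECASE)
# Matches e.g. define('DISALLOW_FILE_EDIT', true); with either quote style.
_DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*true\s*\)", re.IGNORECASE)


def find_fake_plugins(root: Path) -> list[str]:
    """Known fake plugin files that are present on disk."""
    return [p for p in FAKE_PLUGIN_FILES if (root / p).is_file()]


def find_injected_files(root: Path) -> list[str]:
    """wp-content files whose text references one of the redirect domains."""
    hits = []
    for path in (root / "wp-content").rglob("*"):
        if path.suffix.lower() not in (".php", ".js", ".html") or not path.is_file():
            continue
        if _DOMAIN_RE.search(path.read_text(encoding="utf-8", errors="replace")):
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def missing_hardening(root: Path) -> list[str]:
    """Hardening constants not defined as true in wp-config.php."""
    cfg = root / "wp-config.php"
    if not cfg.is_file():
        return list(HARDENING_CONSTANTS)
    defined = {m.group(1).upper() for m in _DEFINE_RE.finditer(cfg.read_text(errors="replace"))}
    return [c for c in HARDENING_CONSTANTS if c not in defined]


def audit(root: Path) -> dict[str, list[str]]:
    return {
        "fake_plugins": find_fake_plugins(root),
        "injected_files": find_injected_files(root),
        "missing_hardening": missing_hardening(root),
    }


def build_sample_site(root: Path, compromised: bool) -> None:
    """Constructed fixture: a minimal site, optionally carrying the IOCs."""
    (root / "wp-content/themes/twentytwenty").mkdir(parents=True)
    (root / "wp-content/plugins").mkdir(parents=True, exist_ok=True)
    header = "<?php\n// theme header\n"
    if compromised:
        # On disk the domain is not defanged with brackets as it is in the article.
        header += "<script src='https://gotosecond2.com/a.js'></script>\n"
        fake = root / FAKE_PLUGIN_FILES[0]
        fake.parent.mkdir(parents=True)
        fake.write_text("<?php // stand-in for the backdoor described in the article\n")
        (root / "wp-config.php").write_text("<?php\n// no hardening constants\n")
    else:
        (root / "wp-config.php").write_text(
            "<?php\ndefine('DISALLOW_FILE_EDIT', true);\ndefine('DISALLOW_FILE_MODS', true);\n"
        )
    (root / "wp-content/themes/twentytwenty/header.php").write_text(header)


def audit_sample(compromised: bool) -> dict[str, list[str]]:
    """Build a throwaway fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        build_sample_site(site, compromised)
        return audit(site)


if __name__ == "__main__":
    print(audit_sample(compromised=True))
```

Against a real install, point `audit()` at the WordPress root. Note that the domain check only catches this campaign's infrastructure; the fake plugin paths and the missing hardening constants are the more durable signals, since the redirect domains rotate.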

The firm has seen over 2000 infected sites thus far compromised in this campaign.

WordPress is by far the most common platform among hacked websites, a figure that largely tracks its dominant market share rather than any inherent weakness. It accounted for 90% of compromised websites examined by Sucuri in 2018, up from 83% in 2017, with Magento (4.6%) and Joomla (4.3%) a distant second and third.


Data on 30,000 Cannabis Users Exposed in Cloud Leak

Tens of thousands of cannabis users in the US have had their personal information leaked by a misconfigured cloud bucket, according to researchers.

Over 85,000 files including more than 30,000 records with sensitive personally identifiable information (PII) were exposed when software firm THSuite apparently left an Amazon Web Services (AWS) S3 bucket unsecured.

THSuite provides software that helps cannabis dispensaries collect the large volumes of sensitive user info they need to comply with state laws.

At least three clients were affected in the privacy snafu: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company.

Exposed PII included names, home and email addresses, dates of birth, phone numbers, medical ID numbers and much more, according to vpnMentor.

The leak affected both medical cannabis users and those who bought the plant for recreational purposes.

“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally,” the researchers argued.

“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual.”

The revelations may also harm recreational users, especially if their employer prohibits cannabis use, they continued. The database apparently included scanned copies of government and employee IDs.

From a cybercrime perspective, the data trove would also offer a potentially lucrative opportunity for hackers to craft convincing phishing emails, texts and calls, and launch follow-on identity fraud attempts.

The researchers found the exposed database via a simple scan on December 24 last year. After contacting its owners on December 26 the problem was finally mitigated on January 14 2020.

Cloud misconfigurations like this remain a major source of cyber-related risk for organizations around the world. VpnMentor alone has been able to find millions of user records leaked by the likes of cosmetic giant Yves Rocher, Best Western Hotels and Canadian telco Freedom Mobile.
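The check an owner would run to catch this class of mistake is simple enough to show. The following Python is an added example written for this page, not vpnMentor's tooling or anything from THSuite: it evaluates the two documents that make an S3 bucket public, the bucket ACL and the bucket policy, as returned by boto3's `get_bucket_acl()` and `get_bucket_policy()` (the latter returns the policy as a JSON string). It runs offline on constructed samples; wiring it to live API calls, or simply enabling S3 Block Public Access at the account level, is left to the reader. The bucket name and VPC endpoint ID in the samples are placeholders.

```python
"""Decide whether an S3 bucket's ACL or bucket policy grants public access.

Added example, not vpnMentor's. Operates on the structures boto3 returns from
get_bucket_acl() (a dict) and get_bucket_policy()["Policy"] (a JSON string),
so it can be tested offline with constructed inputs.
"""
import json
from typing import Optional

# Grantee URIs that mean "anyone" and "any AWS account holder" respectively.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> list[str]:
    """'PERMISSION -> group' for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"{grant.get('Permission')} -> {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def _principal_is_public(principal) -> bool:
    """Principal may be the string '*' or {'AWS': '*'} / {'AWS': ['*', ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_doc: str) -> list[str]:
    """Sids of Allow statements with a wildcard principal.

    A Condition (e.g. aws:SourceVpce or aws:SourceIp) may legitimately scope a
    '*' principal, so those statements are tagged for manual review instead of
    being treated as an outright public grant.
    """
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    findings = []
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{idx}]")
        findings.append(f"{sid} (conditional, review)" if st.get("Condition") else sid)
    return findings


def is_public(acl: dict, policy_doc: Optional[str]) -> bool:
    """True if the ACL or an unconditional policy statement opens the bucket."""
    statements = public_policy_statements(policy_doc) if policy_doc else []
    unconditional = [s for s in statements if not s.endswith("(conditional, review)")]
    return bool(public_acl_grants(acl)) or bool(unconditional)


# Constructed samples shaped like boto3 responses; not data from the incident.
_OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [_OWNER_GRANT]}
SAMPLE_OPEN_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        _OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SAMPLE_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_OPEN_ACL), is_public(SAMPLE_OPEN_ACL, None))
    print(public_policy_statements(SAMPLE_SCOPED_POLICY), is_public(SAMPLE_PRIVATE_ACL, SAMPLE_SCOPED_POLICY))
```

The split between "public" and "conditional, review" matters in practice: a `Principal: "*"` behind a VPC-endpoint condition is a common and legitimate pattern, and flagging it as an exposure produces the kind of noise that gets such reports ignored.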

All Rights Reserved - © Copyright 2020 - Vox Messenger (a Division of Kryotech Ltd.)