Category: Internet

Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.

According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.

“The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,” Avast’s senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what’s now called the Mēris botnet.

The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.

“The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix for, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,” Hron said.

In attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain “globalmoby[.]xyz.”

Interesting enough, both the domains were linked to the same IP address: 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.

“When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy),” Hron said. “This is a control panel for the orchestration of enslaved MikroTik routers,” with the page displaying a live counter of devices connected into the botnet.

But after details of the Mēris botnet entered public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.

The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.

In light of these attacks, it’s recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router’s administration interface from the public side.

“It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,” Hron said. “This is done to either anonymize the attacker’s traces or to serve as a DDoS amplification tool.”

Update: Latvian company MikroTik told The Hacker News that the number “was only true before we released the patch in [the] year 2018. After patch was released, the actual affected number of devices is closer to 20,000 units that still run the older software. Also, not all of them are actually controlled by the botnet, many of them have a strict firewall in place, even though running older software.”

When reached out to Avast for comment, the cybersecurity company confirmed that the number of affected devices (~230,000) reflected the status of the botnet prior to its disruption. “However, there are still isolated routers with compromised credentials or staying unpatched on the internet,” the company said in a statement.

(The headline of the article has been corrected to take into account the fact that the number of affected MikroTik routers is no longer more than 200,000 as previously stated.)

Source :
https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

Increase In Malware Sightings on GoDaddy Managed Hosting

Today, March 15, 2022, The Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

We started seeing an overall increase in infected sites starting on March 11th:

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:

The decoded version of the backdoor looks like this:

And continued…

Mechanism of Operation

If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-ka[.]ru – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain. For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.

While the C2 domain does have a Russian TLD, we have no indication this attack campaign is politically motivated or related to the Russian invasion of Ukraine. The domain serves up a blank web page, but in 2019 was serving what appears to be adult content, possibly with an affiliate marketing angle.

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

A snippet of the encoded spam link-template looks like this:

We have not yet determined the Intrusion Vector for this campaign, but last year, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers.

If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.

If your site is infected you will need to have it cleaned and may also need to remove spam search engine results. We offer instructional resources on how clean your own hacked WordPress website. If you’d like our Incident Response team to clean your site for you, you can sign up for Wordfence Care and we will take care of it for you.

If you know anyone using GoDaddy’s Managed WordPress hosting, we urge you to forward this advisory to them because malicious search engine results can take a long time to recover from, and acting fast can help minimize the damage.

We made contact with GoDaddy security and have offered to share additional information with them. They did not provide a comment in time for publication.

All product and company names mentioned in this post are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Source :
https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/

WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities

Last night, just after 6pm Pacific time, on Thursday  March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues.

The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated.

The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.

Vulnerability Analysis

As with all WordPress core releases containing security fixes, the Wordfence Threat Intelligence team has analyzed the update in detail to ensure our customers remain secure.

We have released two new firewall rules to protect against the vulnerabilities patched in WordPress 5.9.2. These rules have been deployed to Wordfence PremiumWordfence Care, and Wordfence Response users. Wordfence free users will receive these rules after 30 days on April 10, 2022.

Even if you are protected by the Wordfence firewall, we encourage you to update WordPress core on all your sites at your earliest convenience, if they have not already been automatically updated.

Contributor+ Stored Cross Site Scripting Vulnerability

Description: Contributor+ Stored XSS
Affected Versions: WordPress Core 5.9.0-5.9.1
CVE ID: Pending
CVSS Score: 8.0 (High)
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 5.9.2
Researcher/s: Ben Bidner

WordPress uses a function called wp_kses to remove malicious scripts from posts, which is called in wp_filter_post_kses whenever post content is saved.

Recent versions of WordPress allow some degree of full site editing, including global styles, which use their own sanitization function wp_filter_global_styles_post.

Unfortunately, however, the wp_filter_global_styles_post function ran after wp_filter_post_kses. Normally this would not be an issue, but wp_filter_global_styles_post performs a second round of JSON decoding on the content it has been passed, which allows for a number of bypasses that would normally be handled by wp_kses.

The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.

This vulnerability does require the attacker to have the ability to edit posts, and as such they would need access to the account of at least a Contributor-level user. An attacker able to successfully exploit this vulnerability could inject malicious JavaScript into a post, which, when previewed by an administrator, would execute. JavaScript running in an administrator’s session can be used to take over a site via several methods including the addition of new malicious administrative users and the injection of backdoors into a website.

Prototype Pollution Vulnerabilities

Description: Prototype Pollution via the Gutenberg wordpress/url package
Affected Versions: WordPress Core < 5.9.2
CVE ID: Pending
CVSS Score: 5.0 (Medium)
CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Description: Prototype Pollution in jQuery
Affected Versions: WordPress Core < 5.9.2
CVE ID: CVE-2021-20083
CVSS Score: 5.0 (Medium)
CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Prototype pollution vulnerabilities allow attackers to inject key/value “properties” into JavaScript objects and are in many ways similar to PHP Object Injection vulnerabilities. In cases where the webserver is running JavaScript such as with Node.js, this can be used to achieve critical-severity exploits such as Remote Code Execution. WordPress, however, is a PHP application and does not run on Node.js so the impact of these vulnerabilities are limited.

One of these vulnerabilities was present in the Gutenberg wordpress/url package, while a separate but very similar vulnerability was present in jQuery, which was patched separately and updated to jQuery 2.2.3.

We are not aware of any practical exploits at this time, but any such exploits targeting WordPress would require user interaction, such as an attacker tricking a victim into clicking a link, similar to reflected Cross-Site Scripting(XSS).

An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed. Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule designed to block exploit attempts against these vulnerabilities.

Conclusion

In today’s article, we covered the 3 vulnerabilities patched in the WordPress 5.9.2 security release. Most actively used WordPress sites should have already been patched via automatic updates. The Wordfence firewall also provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.

Help secure the WordPress community by sharing this information with WordPress site owners in your circle.

Source :
https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities/

Ransomware is Everywhere

Of all the products and services you use each day, how many have been impacted by ransomware? SonicWall takes an in-depth look.

There’s no question that ransomware is on the rise. In the 2022 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers reported 623.3 million ransomware attacks globally, a 105% year-over-year increase. And many industries saw triple- and even quadruple-digit spikes, such as government (+1,885%), healthcare (+755%) and education (+152%).

If your organization hasn’t yet dealt with an attack like this, however, it’s easy to see ransomware as an unusual and far-off problem. While this may have been true 10 years ago, today ransomware touches every facet of our lives.

To illustrate both the pervasiveness of ransomware, as well as its ability to disrupt the lives of an average person, we’ve constructed an average day that any business traveler might experience:

At 7 a.m., the alarm on your Apple iPhone jolts you awake to start another day. You suds up with some Avon body wash, pull on your Guess slacks and a Boggi Milano blazer, and grab your Kenneth Cole briefcase before heading out the door.

Once inside your Honda Passport, you tune in to your favorite sports podcast, where they’re recapping last night’s San Francisco 49ers game. You become so immersed in the discussion you almost forget to stop for fuel — you grab a Coke while you’re there, just in case you’re waiting a while for your flight.

Once you get to the airport, you check in, then look for a quiet place to get some work done. Fortunately, at this point the lounge is deserted. You dig out your Bose earbuds and stream some Radiohead from your laptop while you wait for boarding.

Your flight is uneventful, and the crowds at Hartsfield-Jackson International are almost as sparse as the ones at Cleveland Hopkins International. But unfortunately, you’re completely famished by this point. There’s a McDonalds on Concourse A, and you order a cheeseburger.

The evening is young and you consider going out, but it’s been a long day. On your way to check in at the Ritz Carlton, you decide to stop at a Barnes and Noble. You grab a graphic novel and treat yourself to a box of SweeTarts to enjoy during your quiet night in.

According to the cable listings, there’s an NBA game on TV, but it doesn’t start until 9 p.m. — giving you a few minutes to log in to Kronos and get a head start on expense reports. With a full day of meetings ahead of you, you enjoy a hot shower, pull on your pajamas and slippers, and head off to bed.

While the number of organizations affected by ransomware grows every day, yours doesn’t have to be one of them. Part of avoiding ransomware is knowing how ransomware groups operate, what industries they target and where they’re likely to hit next. For a comprehensive look at SonicWall’s exclusive ransomware data for the past year, download the 2022 SonicWall Cyber Threat Report.

Source :
https://blog.sonicwall.com/en-us/2022/03/ransomware-is-everywhere/

Business Email Compromise BEC Attacks: Inside a $26 Billion Scam

A new Osterman Research study explores why Business Email Compromise (BEC) attacks are more financially devastating than ransomware — and how they can be stopped.

Why would cybercriminals employ obfuscation tools, launch multi-stage cyberattacks, encrypt endpoints and haggle over ransom amounts … when they could just ask for the money? This is the concept behind Business Email Compromise (BEC) attacks — a type of cyberattack that has grown dramatically over the past few years.

The U.S. federal government’s Internet Complaint Center (IC3), which has been tracking these attacks since 2013, has dubbed BEC attacks the “$26 billion scam” — though this moniker is likely out of date due to escalating attack volumes and increased reliance on email throughout the pandemic.

And though high-profile ransomware attacks continue to dominate headlines, far more money is lost to BEC attacks. For example, in 2020, BEC attacks accounted for $1.8 billion in the U.S. alone, and an estimated 40% of cybercrime losses globally.

The Anatomy of a BEC Attack

While they’re considered a type of phishing attack, BEC attacks don’t rely on malicious code or links. Instead, they let social engineering do the heavy lifting. These attacks specifically target organizations that perform legitimate transfer-of-funds requests, and almost exclusively appeal to seniority to secure compliance.

According to the Osterman white paper sponsored by SonicWall, “How to Deal with Business Email Compromise,” BEC threat actors create email addresses that mimic those used by senior executives, use free services such as Gmail to create email addresses that appear to be an executive’s personal account, or, less commonly, gain access to executives’ actual corporate email accounts using phishing attacks or other means.

Image describing phishing

Above is a BEC email I’ve received. Note the appeal to authority — the message appears to come from SonicWall’s CEO, despite originating from an outside address — as well as the sense of urgency throughout. This is a rather clunky example; many of these emails are much more sophisticated in both language and execution.

Once the attacker has a plausible email account from which to operate, they use social engineering tactics to request the target either divert payment on a valid invoice to the criminal’s bank account, solicit payment via fake invoice or divert company payroll to a fraudulent bank account.

Since these attacks appeal to a sense of urgency and appear to come from a CEO, CFO or someone else in charge, many targets are eager to comply with the requests as quickly as possible. Once they do, the company is out a large sum of money, and the cybercriminal celebrates another payday.

How Common are BEC attacks?

BEC attacks have been recorded in every state in the U.S., as well as 177 countries around the world. Based on the latest report from IC3, nearly 20,000 of these attacks were reported in 2020 alone — likely an undercount, given that Osterman’s research found that four out of five organizations were targeted by at least one BEC attack in 2021. For mid-sized businesses (those with 500-2,500 email users), that number rose to nine out of 10.

Worse, almost 60% of the organizations surveyed reported being the victims of a successful or almost successful BEC attack. For those who were successfully targeted, the costs were significant: a combination of direct costs and indirect costs brought the total financial impact of a successful BEC incident to $114,762. Unfortunately, the direct costs, while significant for an individual organization, are often too small to trigger help from law enforcement agencies and insurance companies.

BEC Attacks Can Be Stopped (But Probably Not in the Way You Think.)

Many other attacks rely on malicious links and code, which can be spotted by anti-malware solutions and secure email gateways. But the sort of social engineering tactics used in BEC attacks — particularly those from a legitimate email address — often cannot be caught by these solutions.

Even so, while three-quarters of respondents say that protecting against these attacks is important to them, many are still depending primarily on technologies that were never designed to stop BEC attacks.

There’s not a lot you can do to prevent being among the 80% (and growing) of companies targeted by BEC attacks each year, but there’s plenty of other things you can do to safeguard your organization’s finances. But they all fall under three primary pillars: People, Process and Technology.

Technology is your first line of defense against BEC attacks. Many solutions claim the ability to combat BEC attacks, but their effectiveness varies widely. For best protection, look for one that will both block BEC attacks and guide employees.

Notice in the example above how there’s an alert warning that the email originated from outside the organization? While simple, these sorts of alerts can make the difference between a BEC attempt that’s ultimately successful, and one that’s scrutinized and deleted upon receipt.

Particularly in companies that are still relying on traditional technology protections, employee training an indispensable backup protection. Employees should be coached to look for spoofed email addresses, uncharacteristic grammar and syntax, and an unusual sense of urgency.

In the case of particularly sophisticated attempts, processes should be in place in case a BEC attempt makes it into the inbox and isn’t identified by the recipient as suspect. Policies such as a multi-person review of requests to change bank account details or mandated out-of-band confirmations are often successful as a last line of defense against BEC.

Source :
https://blog.sonicwall.com/en-us/2022/03/bec-attacks-inside-a-26-billion-scam/

Samsung Confirms Data Breach After Hackers Leak Galaxy Source Code

Samsung on Monday confirmed a security breach that resulted in the exposure of internal company data, including the source code related to its Galaxy smartphones.

“According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees,” the electronics giant told Bloomberg.

The South Korean chaebol also confirmed that it doesn’t anticipate any impact to its business or its customers as a result of the incident and that it has implemented new security measures to prevent such breaches in the future.

The confirmation comes after the LAPSUS$ hacking group dumped 190GB of Samsung data on its Telegram channel towards the end of last week, allegedly exposing the source code for trusted applets installed within TrustZone, algorithms for biometric authentication, bootloaders for recent devices, and even confidential data from its chip supplier Qualcomm.

The news of the leak was first reported by Bleeping Computer on March 4, 2022.

If the name LAPSUS$ rings familiar, it’s the same extortionist gang that made away with a 1TB trove of proprietary data from NVIDIA last month, namely employee credentials, schematics, driver source code, and information pertaining to the latest graphics chips.

Samsung Galaxy Source Code

The group, which first emerged in late December 2021, also placed an unusual demand urging the company to open-source its GPU drivers forever and remove its Ethereum cryptocurrency mining cap from all NVIDIA 30-series GPUs to prevent more leaks.

It’s not immediately clear if LAPSUS$ has made any similar demands to Samsung before publishing the information.

The fallout from the NVIDIA leaks has also led to the release of “over 70,000 employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.”

That’s not all. Two code-signing certificates included in cache dump from NVIDIA have been used to sign malicious Windows drivers and other tools often used by hacking crews, namely Cobalt Strike beacons, Mimikatz, and other remote access trojans.

“Threat actors started on 1st March, a day after torrent [was] posted,” security researcher Kevin Beaumont said in a tweet last week.

Source :
https://thehackernews.com/2022/03/samsung-confirms-data-breach-after.html

Google Buys Cybersecurity Firm Mandiant for $5.4 Billion

Google is officially buying threat intelligence and incident response company Mandiant in an all-cash deal approximately valued at $5.4 billion, the two technology firms announced Tuesday.

Mandiant is expected to be folded into Google Cloud upon the closure of the acquisition, which is slated to happen later this year, adding to the latter’s growing portfolio of security offerings such as BeyondCorp EnterpriseVirusTotalChronicle, and the Cybersecurity Action Team.

“Today, organizations are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative,” Google said in a statement.

“To address these risks, enterprises need to be able to detect and respond to adversaries quickly; analyze and automate threat intelligence to scale threat detection across organizations; orchestrate and automate remediation; validate their protection against known threats; and visualize their IT environment in order to identify and simulate new threats.”

Mandiant became a standalone entity again in June 2021 when FireEye, which acquired the company in 2013, sold its products business and the FireEye brand for $1.2 billion to a consortium led by private-equity firm Symphony Technology Group.

Symphony, which also acquired McAfee Enterprise for $4 billion in March 2021, combined the two businesses to launch Trellix earlier this year.

The cybersecurity firm is best known for uncovering and investigating the supply chain compromise of SolarWinds, a devastating cyber attack that affected thousands of its downstream customers and went unnoticed for months until its discovery in December 2020.

“The acquisition will complement Google Cloud’s existing strengths in security,” Mandiant said, stating the deal will “deliver an end-to-end security operations suite with even greater capabilities as well as advisory services helping customers address critical security challenges and stay protected at every stage of the security lifecycle.”

Source :
https://thehackernews.com/2022/03/google-buys-cybersecurity-firm-mandiant.html

Top Mac Malware and Security Vulnerabilities

It is commonly believed that Macs are immune to viruses. However, although they are less vulnerable than Windows computers, the reality is that MacBooks, iMacs, and Mac minis are still susceptible to malware and other security vulnerabilities — and there are some worrying ones out there, too.

Below are the top 5 macOS malware programs, security flaws, and vulnerabilities that you need to be aware of!

Silver Sparrow

Disclosed by Red Canary researchers, Silver Sparrow is a unique macOS malware program that was created to target Apple’s new M1 processors.

Silver Sparrow is a PUA (potentially unwanted application) that can serve as a delivery mechanism for malware. Once your device is infected it will contact a server every hour. It is still currently unknown how much of a threat Silver Sparrow truly poses, but in theory, it could act as a catalyst for significant attacks.

Apple quickly released an update to macOS that stopped Silver Sparrow from being able to be installed. Therefore, if you have a fully updated version of macOS, you are safe from Silver Sparrow.

XLoader

It was all but guaranteed that one of the most common pieces of Windows malware would make its way to macOS. Initially reported by Check Point security researchers in July 2021, it was confirmed that a Mac version of the XLoader malware had actually been around for some time.

XLoader is a new variant of the infamous Formbook, a program used to steal login credentials, record keystrokes, and download and execute files.

Once a device is infected with XLoader, it transfers a hidden application bundle containing a copy of itself to the user’s home folder, and what is particularly dangerous about it is the fact that it can run completely undetected by macOS.

XCSSET

Initially reported by Trend Micro in August 2020, XCSSET primarily targets macOS users in Asia. Many experts believe that XCSSET mainly targets Chinese gambling sites and their users.

XCSSET replaces users’ web browser icons with fake versions that launch malware whenever opened. XCSSET can bypass macOS’s privacy protections by hijacking the privileges of legitimate apps, allowing it to take screen captures.

XCSSET seeks to access information via the Safari browser, including login details for various Apple, Google, PayPal, and Yandex services. Other types of information it can collect include notes and messages sent via Skype, Telegram, QQ, and WeChat.

macOS Big Sur IOMobileFrameBuffer

This vulnerability can allow attackers to take over an affected system. It is a critical memory corruption issue found in internal component extensions in macOS. This security flaw allows the installation of malicious applications and enables them to execute commands with system administrator privileges — bypassing macOS’s built-in security measures.

The issue was addressed immediately by Apple, with a fix released in the macOS Big Sur 11.5.1 July 26, 2021 update.

Log4Shell

Log4Shell is a vulnerability in the widely used Java library Apache Log4j — software used by an innumerable number of large companies including Google, Apple, Netflix, Twitter, and many more. It enables attackers to perform remote code execution and gain control over affected servers.

Log4j is an open-source logging tool used by a huge number of websites and apps. Because it is so widely used, the number of services at risk of exploitation is incredibly concerning.

Although macOS is not directly affected by Log4Shell, according to security researchers, the vulnerability has been found to affect Apple’s iCloud platform. Luckily, Apple was quick to patch the vulnerability — releasing a fix shortly after it was discovered.

It was estimated that around 850,000 attacks were attempted within just 72 hours of the initial outbreak. It is not clear if Apple’s iCloud was among the services targeted.

Apache has already released an update fixing the vulnerability, although because of Log4j’s widespread worldwide use, the prospect of all the apps that use it receiving the fix is simply not realistic.

However, even if you use one of the compromised apps, your Mac will not be at risk. When exploited, the bug affects the server running Log4j, not the computer itself. Although in theory the exploit could be used to plant a malicious app on a server that then affects connected machines.

Stay protected at all times

Malware creators will always seek out undiscovered vulnerabilities that they can exploit, and Macs are certainly not immune. Fortunately, security researchers are often exceptionally quick at discovering these vulnerabilities, and fixes are almost always released timely.

However, it is best practice to always use a trusted antivirus app to ensure you are as protected as possible against all types of threats.

Trend Micro’s Antivirus One — the best option for complete peace of mind

Antivirus One can protect your Mac from viruses, malware, and adware, block potential web threats and safeguard against vulnerabilities.

Some key features include:

  • Fast Thorough Scans — Scan your Mac for hidden threats in less than a minute.
  • Web Threat Protection — Avoid online fraud, malicious software embedded in websites, and other threats lurking on the web.
  • Data Privacy Sweeps — Clear personal information out of Safari, Google Chrome, and Mozilla Firefox before it leaks online.

    Source :
    https://news.trendmicro.com/2022/02/21/top-mac-malware-and-security-vulnerabilities/

Microsoft Teams is the new frontier for phishing attacks

Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.

One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.

“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said Armen Najarian, chief identity officer at anti-fraud technology firm Outseer.

Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.

However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.

Sophisticated Teams attacks

Patrick Harr, CEO of phishing protection vendor SlashNext, told VentureBeat that a highly sophisticated phishing attack recently struck a customer on Microsoft Teams.

It happened, Harr said, while the CEO of the customer company was traveling to China. Posing as the CEO, an attacker sent a WhatsApp message to several of the company’s employees, asking them to join a Teams meeting.

Once in the meeting, the employees saw a video feed of the CEO, which they didn’t realize had been scraped from a past TV interview. As part of the trick, the attackers had added a fake background to the video to make it appear the CEO was in China, Harr said.

But since there was no audio, the “CEO” said that there “must be a bad connection” — and then dropped a SharePoint link into the chat.

Posing as the CEO, the attacker told the employees that “‘since I can’t can’t make this work, send me the information on this SharePoint link,’” Harr said.

An employee did end up clicking on the malicious SharePoint link — but they were blocked from accessing the page.

Ultimately, the incident demonstrates that “these bad actors are nesting themselves in legitimate services,” Harr said. “They’re getting very creative. They’re staying ahead of the curve.”

A big target

Microsoft Teams is massively widespread in the enterprise, with 270 million monthly active users, and that’s led attackers to take notice.

Threat actors have spotted a few of other things about Teams, too: If you can acquire an account’s Microsoft Office 365 password, that can potentially get you into Teams as well. And while more workers may be savvy about email phishing techniques at this point, they’re less likely to be suspicious about a Teams message, according to researchers.

Attackers are seizing the opportunity: In January, email security platform Avanan saw thousands of attacks involving malware dropped into Teams conversations, researchers at the Check Point-owned organization reported.

By attaching a malicious executable file in a Microsoft Teams conversation, “hackers have found a new way to easily target millions of users,” the Avanan researchers wrote in a blog post. When clicked, the .exe file installs a Trojan on a user’s Windows PC, and the Trojan then installs malware.

The attacks are having success because with Microsoft Teams, unlike with email, “end-users have an inherent trust of the platform,” the researchers wrote.

Ultimately, the incidents reported by Avanan show that “hackers are beginning to understand and better utilize Teams as a potential attack vector,” the researchers said.

In other words, as they are known to do, cyberattackers are evolving once again.

‘The new BEC’

Referring to the Microsoft Teams attacks cited by Avanan, “this is the new business email compromise / legitimate service abuse,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in a tweet. “It follows the trend we’ve seen with Slack and Discord.”

Business email compromise (BEC) describes a type of phishing attack in which an attacker targets a certain individual in a company, and attempts to persuade the individual to perform a wire transfer of funds to their account.

BEC attacks “are not losing their effectiveness,” Gallagher said in an email to VentureBeat. Indeed, 77% of organizations faced business email compromise attacks last year, up from 65% in 2020, according to Proofpoint data.

But with the arrival of BEC-like attacks on collaboration platforms such as Microsoft Teams, “malicious actors are expanding their attack surface and finding new ways to get a foothold into organizations,” Gallagher said.

“As more businesses move toward the cloud and software-as-a-service [SaaS] models, legitimate hosted services – like Microsoft Teams and Slack – will be an attractive avenue for attackers,” Gallagher said.

Najarian agreed that BEC attacks “are still very effective for criminal hacker groups.”

“But expanding their tactics into Microsoft Teams, Slack, Discord and other chat apps presents another revenue driver for them,” Najarian said in an email.

Combining tactics

Notably, the types of Microsoft Teams attacks reported by SlashNext and Avanan involve a combination of social engineering and credential harvesting.

“If malicious actors secure credentials and can access a Microsoft 365 environment in the cloud, they can act as a trusted team member,” Gallagher said. “As such, victims assume the files and links shared in the legitimate service are trusted, since they do not display the tell-tale signs of a malicious URL once uploaded or shared in the trusted environment.”

Adversaries can “get into all sorts of places in the enterprise that they otherwise wouldn’t be able to access without compromising the network,” he said.

All in all, legitimate service abuse is an emerging vector for malicious actors to target the enterprise, he said — and it will only continue to grow “as the enterprise becomes more detached from traditional infrastructure.”

Source :
https://venturebeat.com/2022/02/23/microsoft-teams-is-the-new-frontier-for-phishing-attacks/

Microsoft rolling out new endpoint security solution for SMBs

Microsoft says its new endpoint security solution for small and medium-sized businesses (SMBs) known as Microsoft Defender for Business has hit general availability.

It has started rolling out to new and existing Microsoft 365 Business Premium customers worldwide starting today, March 1st.

Microsoft Defender for Business helps companies with up to 300 employees defend against cybersecurity threats, including malware, phishing, and ransomware in environments with Windows, macOS, iOS, and Android devices.

It comes with simplified client configuration via a wizard-driven setup, and it enables all recommended security policies out-of-the-box, making it easy to use even by organizations without dedicated security teams.

In November, Microsoft announced this new security solution at Microsoft Ignite 2021 in response to a 300% increase in ransomware attacks in the previous year, with more than 50% of them directly affecting SMBs, according to US Secretary of Homeland Security Alejandro Mayorkas.

Defender for Business began rolling out in preview worldwide in December when Microsoft also announced that it would be available as a standalone license directly from Microsoft and Microsoft Partner Cloud Solution Provider (CSP) channels at $3 per user per month.https://www.youtube.com/embed/umhUNzMqZto

Key features bundled with the Microsoft Defender for Business security suite include:

  • Simplified deployment and management for IT administrators who may not have the expertise to address today’s evolving threat landscape.
  • Next-generation antivirus protection and endpoint detection and response to detect and respond to sophisticated attacks with behavioral monitoring.
  • Automated investigation and remediation to help customers react quickly to threats.
  • Threat and vulnerability management proactively alerts users to weaknesses and misconfigurations in software.
  • Microsoft 365 Lighthouse integration with Microsoft Defender for Business for IT service providers to view security events across customers, with additional capabilities coming.

You can get Defender for Business as part of Microsoft 365 Business Premium and will not require onboarding or offboarding devices from Microsoft Defender for Endpoint P1 or P2.

“Defender for Business will be rolled out to existing Microsoft 365 Business Premium customers in the next few weeks. There is no action or additional transactions required and it will show up in the Microsoft 365 Defender portal under the section, Endpoints,” Microsoft said.

“Defender for Business will also be offered as a standalone solution and will be coming later this year. You can continue to preview the standalone solution by signing up at https://aka.ms/MDB-Preview.”

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-rolling-out-new-endpoint-security-solution-for-smbs/