Cyber Round-up for 10th June
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Verizon is the latest company to find itself at the mercy of hackers. According to an exchange between the undisclosed hacker and the journalist Lorenzo Franceschi-Bicchierai, the hacker used social engineering to impersonate an internal support engineer and persuade an employee to grant remote access to their corporate device. With that access, the hacker ran a script against an internal corporate tool to scrape the employee database. The stolen information contained the full name, email address, corporate ID number, and phone number of hundreds of Verizon staff members. The hacker has demanded $250,000 from Verizon in exchange for not leaking the data publicly. A Verizon spokesperson said: “A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”
Microsoft recently reported that it has seized 41 domains that were being used as command-and-control infrastructure for a spear-phishing operation. The operation was attributed to an Iranian threat actor that Microsoft tracks as Bohrium, and relied on fake social media profiles, mostly posing as recruiters, to harvest personal data from targets. Victims were then sent emails containing malicious links that downloaded malware onto their devices.
The cyber security company Mandiant has investigated claims by the LockBit ransomware gang that it breached Mandiant’s network and stole data. LockBit threatened to leak all 356,841 supposedly stolen files online. Mandiant said that it “is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.”
Since the initial reports it has become clear that LockBit did not breach Mandiant at all, and was instead using the claim as a campaign to distance itself from the Evil Corp group, which Mandiant had recently reported had moved to LockBit’s ransomware-as-a-service offering in order to evade sanctions imposed by the US.
Via BleepingComputer.com
Black Basta, a new ransomware group first seen in April, has been observed using the Qbot trojan. Qbot was first seen infecting systems in 2008, 14 years ago, and is capable of keylogging, exfiltrating cookies, and lifting online banking details and other credentials. Since then it has added detection-evasion and context-aware delivery tactics, as well as phishing capabilities that include hijacking existing email threads, among others. “The seriousness and efficiency of the collaboration cannot be underestimated”, Garret Grajek, CEO of security firm YouAttest, said. The way Black Basta is leveraging Qbot is unusual and seems to be an effective way of stealing information from companies.
Apple has reported that it protected millions of App Store users from fraud, preventing an estimated $1.5 billion in potentially fraudulent transactions. Over 1.6 million apps and app updates were rejected by Apple’s fraud-prevention review as untrustworthy or risky. Both Apple’s and Google’s app stores have seen many apps attempting to swindle money through subscriptions, as well as hiding features or adding new features after launch that would breach store guidelines.
A new variant of Emotet has been reported that contains a module for stealing bank card information stored in Google Chrome. The new variant can also exfiltrate data to multiple command-and-control servers. It still self-propagates and still acts as a loader to download further malware onto a system. Emotet is mainly delivered via email campaigns designed to trick the user into installing the malware from a malicious email.
Vulnerabilities & Updates
Follina – A zero-day vulnerability, now tracked as CVE-2022-30190, has been found in the Microsoft Support Diagnostic Tool (MSDT) and is being exploited through Microsoft Word. A specially crafted Word document uses the Word remote template feature to retrieve an HTML file from a remote web server; that HTML then uses the ms-msdt: URI scheme to invoke MSDT, which can be made to run attacker-supplied code (typically PowerShell), resulting in remote code execution. The worrying aspect is that when the file is delivered in RTF form the victim does not even need to open it: selecting it with the preview pane open in Windows Explorer is enough for the code to run, so Protected View does not help because the document is never opened. Kevin Beaumont’s blog DoublePulsar.com contains more details about this threat, and he has published a custom detection query for Defender for Endpoint via GitHub. Until a patch is available, Microsoft’s published workaround is to disable the MSDT URL protocol by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key.
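As an added example (not code from the Ironshare post, nor Kevin Beaumont’s tooling), the script below shows how the two stages of the chain described above can be triaged offline. A .docx is a zip of XML parts, and anything Word fetches on open is declared in a `.rels` part as a relationship with `TargetMode="External"`; the script builds a constructed .docx in memory with such a remote template relationship, then scans every `.rels` part for external http(s) targets that are not ordinary hyperlinks. It also checks a constructed second-stage HTML body for the `ms-msdt:` scheme. The hostnames, file names and the `CONSTRUCTED_STAGE2` string are invented for the demonstration.

```python
"""Offline triage for Follina-style Office documents (added example, constructed data)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REL_TAG = "{%s}Relationship" % REL_NS
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)

# Constructed stand-in for a retrieved template: it hands control to MSDT via the URI scheme.
CONSTRUCTED_STAGE2 = '<html><script>window.location.href = "ms-msdt:/id PCWDiagnostic";</script></html>'


def rels_xml(relationships):
    """Serialise (Id, short type, Target, TargetMode or None) tuples as a .rels part."""
    rows = []
    for rid, rtype, target, mode in relationships:
        mode_attr = f' TargetMode="{mode}"' if mode else ""
        rows.append(f'<Relationship Id="{rid}" Type="{OFFICE_REL}{rtype}" Target="{target}"{mode_attr}/>')
    body = "".join(rows)
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{body}</Relationships>'


def build_docx(remote_template=None) -> bytes:
    """Constructed minimal .docx. With remote_template set, word/settings.xml points at an
    attachedTemplate relationship marked External, which is Word's remote-template mechanism."""
    settings_rels = []
    attached = ""
    if remote_template:
        settings_rels.append(("rId1", "attachedTemplate", remote_template, "External"))
        attached = '<w:attachedTemplate r:id="rId1"/>'
    settings = (f'<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="{W_NS}" '
                f'xmlns:r="{OFFICE_REL[:-1]}">{attached}</w:settings>')
    document = f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", rels_xml([("rId1", "officeDocument", "word/document.xml", None)]))
        zf.writestr("word/document.xml", document)
        # A normal clickable hyperlink is also External; the scanner must not flag it.
        zf.writestr("word/_rels/document.xml.rels", rels_xml([
            ("rId1", "settings", "settings.xml", None),
            ("rId2", "hyperlink", "https://www.example.invalid/", "External"),
        ]))
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels_xml(settings_rels))
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Every relationship in the package with TargetMode="External", as (part, short type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def remote_fetch_relationships(docx_bytes: bytes):
    """External relationships that Word resolves on open (templates, OLE objects, ...) whose
    target is an http(s) URL. Hyperlinks are only followed on click, so they are skipped."""
    return [
        (part, rtype, target)
        for part, rtype, target in external_relationships(docx_bytes)
        if rtype != "hyperlink" and urlparse(target).scheme.lower() in ("http", "https")
    ]


MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def html_invokes_msdt(html: str) -> bool:
    """True if a retrieved HTML body uses the ms-msdt: URI scheme, the hand-off to MSDT."""
    return MSDT_SCHEME.search(html) is not None


if __name__ == "__main__":
    print("benign:", remote_fetch_relationships(build_docx()))
    print("remote template:", remote_fetch_relationships(build_docx("http://template.example.invalid/index.html")))
    print("stage 2 invokes MSDT:", html_invokes_msdt(CONSTRUCTED_STAGE2))
```

The scan covers the OOXML form only; the RTF delivery described above keeps its remote reference in plain text and needs a separate check, and neither file-level check replaces endpoint telemetry of an Office process spawning msdt.exe, which is what process-lineage detection rules look for.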
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #192 – 10th June 2022
Ironshare – Security Simplified