Cyber Round-up for 11th January

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • The Perils of Buying Cheap Software
  • MS Patch Tuesday – Jan 2019
  • The RansomPhish Attack!
  • MongoLock Wiper Malware

The Perils of Buying Cheap Software

Everyone these days seems to be on the lookout for bargains, and the internet has become a great tool for quickly hunting down the best prices for your next big purchase. Cheap illegal software has been available on the internet for many years now, but what about the ultimate bargain: legitimately licensed software?

This week a KrebsOnSecurity report covered the findings of licensed Microsoft Office Professional software being sold online for an unbelievably low cost of under $4.00 (£3.14). The eBay seller is advertising the instant email delivery of a Microsoft Office 365 subscription for 5 users, which typically retails at £79.99 per year.

“Too good to be true” you say, “there must be a catch?” and of course there is. Although the software subscription is legit, the eBay merchant is actually reselling the accounts of existing Office 365 subscriptions. Once the purchase is completed, the merchant emails the buyer someone else’s username and password. What’s more, you can never change these details to your own email or password, as the account is locked down. If the low cost hasn’t raised a red flag for you at this point, hopefully this will.

Where the security issues really kick in is with the OneDrive file storage included with the subscription. To ensure you have access to your documents from anywhere, Office 365 provides cloud-based file storage called OneDrive, which Office will prompt you to sync and save all your documents to. Anyone who purchases this subscription and uploads their documents to this OneDrive account is therefore giving the merchant, who still controls the account as administrator, full access to all of their OneDrive documents. Depending on the information contained, this could result in a data breach, data theft, fraud or identity theft.

As you can see, the low initial cost comes at a very big price. When looking for your next software purchase, always buy from a reputable, trusted source to ensure that you and your information stay safe and secure.

MS Patch Tuesday – Jan 2019

In this month’s Patch Tuesday Microsoft has disclosed a total of 49 vulnerabilities in its products, including 7 rated Critical and 40 rated Important.

The MS Edge based Chakra scripting engine appears again this month, with 3 critical memory corruption vulns that could allow code to be executed in the context of the current user. This is achieved by getting a user to visit a specially crafted website that manipulates objects in memory.

Windows Hyper-V, Microsoft’s virtual machine hypervisor, includes 2 critical remote code execution vulns. Because the host fails to properly validate input from the guest operating system, an attacker running a crafted application on a guest machine can execute code on the host server. This affects Windows 10 and Windows Server operating systems.

The Windows DHCP client, responsible for automatically assigning IP addresses to a system, contains a critical code execution vulnerability. This vuln can be exploited by an attacker sending crafted responses to the DHCP client. This affects Windows 10 and Windows Server operating systems.

The final critical vuln this month exists in the MS Edge browser, which fails to handle memory objects properly. Like the Chakra vulns above, this can be exploited when the user visits a specially crafted website.

Staying up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to prevent exploitation and stay secure.

The January Patch Tuesday release notes can be found here while the Security Guidance and CVEs can be found here.

The RansomPhish Attack!

Have you ever come across a RansomPhish attack? No? Well, unsurprisingly, before this week neither had we. As you might guess from our poor excuse for a name, MalwareHunterTeam reported on Wednesday that they had discovered a new variant of ransomware (believed to be HiddenTear) that not only infects your system and encrypts files but also includes a PayPal phishing attack in the ransom note.

The ransom note displays the usual warning that your files have been encrypted and explains that $40 in bitcoin must be paid to regain access to your files. A bitcoin wallet ID and a PayPal Buy Now button are included at the end of the note.

Victims who click on the Buy Now button are immediately sent to a PayPal-like account screen (no login required) which reports that their account access is limited. Credit card and personal information is then requested to restore the account. Once the victim has handed over all their juicy information to the attacker, they are told the account is fully restored and that they will be redirected to their account.

This is a big double hit for potential victims, who not only face the traumatic events of a ransomware attack but will also need to deal with the identity theft and financial fraud that follow.

Fortunately for the victims of this ransomware, there is a free decryption tool available from @demonslay335, so please do not pay the ransom.

With these types of attacks, we recommend the following:

  • Never engage with the attackers or pay the ransom.
  • Never click on links unless you know they are from a trusted source.
  • Have a good backup process in place that allows you to restore your systems and files in the event of a ransomware attack.
  • Always update your systems regularly with the latest security patches.

MongoLock Wiper Malware

According to a blog by Trend Micro, the MongoLock ransomware that was targeting unprotected MongoDB databases in mid-2018 has a new variant that acts more like wiper malware than ransomware.

Although this new version of MongoLock doesn’t delete the whole contents of the system’s hard drive (like traditional wiper malware), upon infection it immediately scans the system and starts to delete important data files instead of encrypting them.

MongoLock scans and deletes files and folders from typical locations such as Documents, Desktop, Recent, and Favourites, while also hunting out any backup volumes and deleting their contents. A ransom note is copied to the infected machine, informing the victim that their files and database have been copied to the attackers’ secure servers, and that by sending the attackers 0.1 Bitcoin they can recover their lost data.

Unfortunately, this is not the case: analysis by the Trend Micro team found that the deleted files were unrecoverable. As mentioned above, always ensure that you have a robust backup process in place, as you will need it if you want to recover from a MongoLock infection.

For more info, the Trend Micro blog can be found here.

And that’s it for this week. Please don’t forget to tune in for our next instalment.

Edition #24 – 11th January 2019