Cyber Round-up for 22nd March
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.
In this week’s round-up:
- Instagram Accounts Compromised in Copyright Scam
- The Emotet Threat Keeps Rolling On!
- Microsoft Dominates Most Exploited List in 2018
- Ransomware or Wiper? LockerGoga Straddles the Line
Instagram Accounts Compromised in Copyright Scam
The Kaspersky Labs news blog has highlighted a new phishing scam that is targeting highly popular Instagram accounts.
Attackers have launched a phishing campaign that sends copyright infringement emails to users in an attempt to get them to hand over their login details, so that the attackers can take over their accounts.
The content of the email is quite convincing, although anyone who checks the links will be able to identify that it is fake.
The message tries to scare the victim by claiming that, because they have violated copyright law, their account is being disabled and will be deleted unless they act within 24 hours.
Clicking the link in the email redirects the user to an Instagram phishing site that pretends to offer the option of appealing the decision.
If you decide to appeal and click through, the site asks you to verify your Instagram account by logging in with your credentials, which is where the fraudsters capture your username and password.
Having taken your credentials, they seal the deal with a reassuring confirmation message before redirecting you to the real Instagram page.
Social media account hijacks are commonplace in cyber crime and in misinformation campaigns that spread fake news.
Being aware of these types of attacks will help you to spot malicious emails and protect both yourself and your personal data.
Awareness alone is not enough though, so remember:
- Never click on suspicious links.
- Look out for mistakes in spelling and grammar, both in the links and in the email content.
- Always check the URL in the browser's address bar to verify where you have been sent. The part that matters is the registered domain immediately before the path, not a familiar brand name that appears earlier in the address or later in the path.
- Enable two-factor authentication / two-step verification on your accounts where available.
- If in doubt, delete the email, and never enter personal information unless you are sure of the site you are on.
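The address-bar check from the tips above, written out as an added example (this is not code from the round-up or from Kaspersky). It looks only at the host the browser will actually contact and flags the usual tricks: the brand name used as a subdomain of the attacker's domain, the brand placed before an `@`, the brand in the path, a punycode lookalike, and plain http. The trusted-domain list is an assumption for the example, and the sample links are constructed, not real phishing addresses.

```python
"""Checking where a link really points, for the copyright-scam tips above.

Added example, not code from the Ironshare round-up or from Kaspersky.
The sample links are constructed for this example and are not real phishing
addresses; the trusted-domain list is an assumption for the example.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: a genuine Instagram account link lands on instagram.com or a subdomain of it.
TRUSTED_DOMAINS = ("instagram.com",)


def link_verdict(url: str, trusted=TRUSTED_DOMAINS) -> Tuple[bool, str]:
    """Return (ok, reason) for a link, judged only by the host the browser will contact."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    # hostname is what follows any user@ prefix and precedes any :port suffix
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', not https"
    if not host:
        return False, "no host in link"
    if parts.username is not None:
        # https://instagram.com@evil.example/ : the text before '@' is user info, not the host
        return False, f"text before '@' ({parts.username}) disguises the real host {host}"

    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} is {domain} or a subdomain of it"

    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode (IDN) label: may be a homoglyph lookalike of a trusted brand
        return False, f"host {host} uses a punycode (xn--) label, possibly a lookalike"

    brands = [d.split(".")[0] for d in trusted]
    if any(brand in host for brand in brands):
        # instagram.com.copyright-appeal.example : the brand is only a subdomain of the attacker's domain
        return False, f"host {host} merely contains the brand name; the registered domain is different"

    return False, f"host {host} is not a trusted domain"


def check_all(urls: List[str]) -> List[Tuple[str, bool, str]]:
    """Run link_verdict over a batch of links, keeping the URL alongside each verdict."""
    return [(u, *link_verdict(u)) for u in urls]


# Constructed sample links: one genuine-looking Instagram URL plus the tricks a phishing mail might use.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",              # genuine subdomain of instagram.com
    "https://instagram.com.copyright-appeal.example/appeal",  # brand as a subdomain of the attacker's domain
    "https://instagram.com@copyright-appeal.example/appeal",  # user-info trick: real host is after the '@'
    "https://copyright-appeal.example/instagram.com/appeal",  # brand name only in the path
    "https://xn--instagrm-8za.com/appeal",                    # punycode lookalike domain
    "http://www.instagram.com/",                              # right domain, but plain http
]

if __name__ == "__main__":
    for url, ok, reason in check_all(SAMPLE_LINKS):
        print(f"{'OK ' if ok else 'BAD'} {url}\n     {reason}")
```

Only the first sample link passes. The same logic applies to any brand: swap the trusted-domain tuple for the domains you actually expect, and treat anything that fails the host test as a link to open by typing the address yourself rather than by clicking.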
The Emotet Threat Keeps Rolling On!
Back in 2014, security researchers came across a new threat in the wild that they dubbed Emotet.
Emotet started life as a banking trojan that infected target machines with the goal of silently stealing sensitive personal and financial information from its victims.
Almost five years on from that initial find, Emotet has become one of the most active, costly and destructive malware families in the world today.
Emotet is classed as a trojan, and like the Trojan Horse of Greek legend, it appears to be one thing on the surface while inside it is something very different. The trojan's job is first to get onto a target system by evading its security defences, and then to unleash the more malicious payload it is carrying inside.
One of its attractions for cyber criminals is its polymorphic behaviour: each time the malware is downloaded it is repackaged so that the file looks different, which is one of the techniques it uses to evade detection by signature-based anti-virus and intrusion prevention products.
Today, Emotet has evolved into far more than just a standard banking trojan.
Microsoft Dominates Most Exploited List in 2018
Recorded Future has this week released its annual report on the top 10 vulnerabilities of 2018.
The report highlights that, for the second year in a row, Microsoft has come out on top as the most exploited software vendor, with Office and Internet Exploder (oops, Explorer) accounting for 8 of the 10 vulnerabilities listed.
Recorded Future's analysis covered exploit kits, phishing attacks and remote access trojans that were paired with a specific vulnerability between 1 January 2018 and 31 December 2018, drawing on thousands of sources including code repositories, deep web forum postings and dark web sites.
The remaining two spots went to Adobe Flash Player, exploited via exploit kits and ransomware, and Google's Android OS, targeted by the remote access trojan AndroRAT.
One vulnerability, CVE-2016-0189, has made the list for three years in a row. It affects Internet Explorer versions 9 to 11 and has been targeted by numerous exploit kits over that period. Its persistence comes down to the lack of a full mitigation: Microsoft has issued security updates related to this CVE, but the only complete workaround appears to be restricting access to the JScript and VBScript DLL files.
What this report really highlights is that there are still too many devices out there that are not being kept up to date with the latest security patches. It is not just operating systems (like Microsoft Windows) that require regular security updates; applications, network devices and IoT devices should also form part of any regular patching activity.
If you are a home user, the best option is to ensure that all of your devices, whether PCs, mobiles, tablets or anything else, are set to update themselves automatically as new versions become available.
A full copy of the report can be viewed here: https://go.recordedfuture.com/hubfs/reports/cta-2019-0319.pdf
Ransomware or Wiper? LockerGoga Straddles the Line
The Cisco Talos Intelligence team has released another excellent blog post detailing its investigation into a destructive ransomware variant known as LockerGoga.
Like other ransomware variants, LockerGoga encrypts the contents of the victim's machine, preventing access to the data and holding it to ransom. The attackers typically demand payment in a cryptocurrency such as Bitcoin before they release the decryption keys that restore access to the data.
Certain versions of LockerGoga have been seen to log users out and prevent them from logging back in, leaving them with no means of accessing the system or decrypting the files, which indicates a more destructive, wiper-like nature.
The initial infection vector is not currently known, and unlike other ransomware the ransom note left on the machine does not include payment instructions; it simply leaves details for contacting the attackers.
This threat is still being monitored and analysed by Talos, so we can expect more information to follow as it becomes available.
As usual with these posts from Talos, this is an in-depth technical write-up, so it is not for everyone, but if you are into the details of malware analysis then head over to the Talos blog to read more.
And that’s it for this week, please don’t forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #34 – 22nd March 2019
Ironshare – Security Simplified