Welcome back to your regular weekly rundown of pertinent cyber security threats, updates and bulletins.
The threat actors are at it again this week – doubling down on old efforts and improving new ones in attempts to compromise our safety. Let’s get to it…
Unlike ‘Cisco’ Puns, There’s No Shortage of Router Software Vulnerabilities
Cisco are becoming something of a regular name here on Threat Thursday – but when you’re responsible for as many products and as much software as the Californian tech giant, it at least inspires confidence that they can identify security issues so quickly. I just wish I hadn’t exhausted all my ‘Panic at the Cisco’ headlines so prematurely.
The latest bulletin from our Silicon Valley associates warns of a vulnerability that’s already being exploited in ‘the wild’, carrying a ‘high’ severity rating and scoring an 8.6 on the CVSS scale. It affects all Cisco devices utilising Cisco’s Internetwork Operating System.
This latest wireless woe would allow attackers to inflict a ‘memory exhaustion’ attack on affected devices, following a successful remote infiltration.
Resource exhaustion attacks, for some crazy reason, are yet to be covered on the pages of Threat Thursday, so here’s a layman’s breakdown: they’re similar to Distributed Denial of Service attacks (DDoS), in that they exploit flaws in software to overload, crash and eventually hang the affected system. While not inherently a threat to your data security, they’re certainly an effective means of sabotage should an especially mean-spirited hacker have you in their crosshairs.
Cisco are currently working on a software update to fix the vulnerability, but until then, their advice to administrators is to run the “show igmp interface” command and determine whether multicast routing has been enabled. If the output comes up empty, you’re in the clear.
‘Charming Kitten’ has Claws, is Less Charming Than Advertised
We’re a team of cat-lovers here in the Mirus Marketing department, so when you besmirch our feline friends the way the ‘Charming Kitten’ group has, we’ve got to put our feet down.
‘Charming Kitten’ is an Iranian cyberespionage collective (boy, does my spellchecker hate that word), targeting such high-profile sectors as government and defence. Already witnessed impersonating the Jewish Journal and Deutsche Welle media groups, they’re now leveraging emails, WhatsApp and LinkedIn messages to infect their victims with malware.
It seems the threat actors are in this for the long game, too. Conversations with their victims begin with an otherwise benign email, the bait being an invitation to speak at a webinar. From here, having gained the victim’s trust, the conversation moves to WhatsApp or LinkedIn, where a malicious ‘Watering Hole’ link is presented and info-stealing malware can be delivered to the victim’s device.
In what’s fast-becoming a highly educational edition of Threat Thursday, allow us to cover how a Watering Hole attack works – because if memory serves, we’ve not covered one before.
For a Watering Hole attack to work, a criminal must identify two things: their victim, and a website that victim might frequently visit. They scope the site for any vulnerabilities and inject it with malicious code – that’s your watering hole. From here, all that’s left to do is convince the user to visit the infected area of this trusted and popular site, where the malicious code will be ready to pounce.
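Because a watering hole depends on code being planted in a site the victim already trusts, one cheap control on the defending side is to fingerprint the scripts a page serves and diff each fresh fetch against a known-good snapshot. The helper below is an added example written for this post, not a tool from the original article or from ClearSky; the two HTML snapshots it compares are constructed, and the injected script’s domain is a placeholder.

```python
"""Baseline check for scripts injected into a trusted page.

Hypothetical helper written for this post, not a tool from the original
article.  It records external script URLs and SHA-256 hashes of inline
script bodies, then reports anything in a fresh fetch that the known-good
snapshot did not contain.  Both snapshots at the bottom are constructed.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Record external script URLs and hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.fingerprints = set()
        self._in_inline_script = False
        self._inline_chunks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # External script: the URL itself is the fingerprint.
            self.fingerprints.add("src:" + src.strip())
        else:
            # Inline script: hash the body once the closing tag arrives.
            self._in_inline_script = True
            self._inline_chunks = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline_chunks.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline_script:
            body = "".join(self._inline_chunks).strip().encode("utf-8")
            self.fingerprints.add("inline:" + hashlib.sha256(body).hexdigest())
            self._in_inline_script = False


def script_fingerprints(html):
    """Return the set of script fingerprints found in an HTML document."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.fingerprints


def detect_injected_scripts(baseline_html, current_html):
    """Return fingerprints present in the current fetch but absent from the baseline."""
    return sorted(script_fingerprints(current_html) - script_fingerprints(baseline_html))


# Constructed sample: a known-good snapshot of a members' news page, and a
# later fetch of the same page with two extra scripts planted (placeholder domain).
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {"lang": "en"};</script>
</head><body><h1>Member news</h1></body></html>"""

CURRENT_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {"lang": "en"};</script>
<script src="https://cdn.example.invalid/stats.js"></script>
<script>(function () { /* unexpected inline code */ })();</script>
</head><body><h1>Member news</h1></body></html>"""

if __name__ == "__main__":
    for fingerprint in detect_injected_scripts(BASELINE_HTML, CURRENT_HTML):
        print("script not in baseline:", fingerprint)
```

Run against a scheduled fetch of the sites your staff rely on, an empty result means nothing changed; any `src:` or `inline:` entry is a change worth a human look, because a legitimate site update and an injected payload look the same to this check until someone reads the script. It deliberately ignores everything outside `<script>` elements, so it is a tripwire, not a scanner.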
Doubling down on their tenacious nature, some members of Charming Kitten have even gone so far as to contact victims by phone to gain their trust and make them click on their shady link. Guess that’s where the ‘Charming Kitten’ name comes from, hey?
Active since 2017, Charming Kitten have gone after all sorts of targets with political, fiscal or social sway, and if this latest campaign is anything to go by, they’re getting even more insistent.
This recent spate of attacks was first reported by ClearSky, who themselves fought off an attempted Kitten invasion in 2018. There’s an excellent writeup on their findings here.
Mother Duck Said: “Qak Qak Qak Qak”; Notorious Trojan Came Swimming Back
Qakbot, last seen getting chummy with the ProLock ransomware in May, has returned with a brand new batch of cruel capabilities.
Following months of close examination, Check Point Research shared their findings in a mind-bogglingly thorough report last week.
While Qakbot continues to steal logon details from infected devices, nab credit card details, install malware and ransomware and allow remote access to hackers, it now also has the wonderful ability to hijack a victim’s email threads and use these to infect further contacts and their devices. Joy.
Qakbot rarely disappears for long, often returning quicker than expected and boasting devastating new abilities. It’s clearly a high-profile threat too; it disproportionately targets government, military and manufacturing industries in the pursuit of financial details. To give you an idea of Qakbot’s ambition, retail and financial institutions are barely in the group’s top ten targets.
As is almost always the case, a successful Qakbot infection begins with a phishing email and a momentary lapse in the target’s judgement, so no matter how devastating Qakbot can be, it can always be avoided with vigilance. As always, familiarise yourself with the tell-tale signs of phishing, and treat unrecognised files and emails with scrutiny.
Not since Orville’s bizarre mid-2000s resurgence has a duck-based entity been so unwelcome.
When it Comes to Phishing, Threat Actors are Picking Up the Slack
The rise in home working solutions has accelerated the trend among hackers of hijacking collaborative platforms. From Zoom-bombing to fake Office 365 links, wherever there’s people and plenty of file exchanges, there’s an enterprising cyber criminal looking to strike gold.
So here’s our latest casualty, Slack-Files.com. In a report from KnowBe4 – who unveiled the Canva phishing scam two weeks ago – it’s been revealed that the file-sharing component of the popular collaborative platform has been leveraged to host and distribute malicious files to victims of phishing campaigns.
Slack-files.com, as KnowBe4 explains, is typically used to host files which have already been shared through the Slack platform; the assumption here is that the hackers are creating an online presence for their malicious files by deliberately sharing them amongst one another on their own Slack channels. From here, it’s as simple as creating an external link to those files and sharing it via the usual channels – the ol’ phishing email trick we know and love.
The emails used in this particular scheme seem to follow a very similar format – suggesting only a small group or campaign at work – and appear to be the typical ‘invoice’ style of false emails. Many of the links and redirects also send users to convincing credential-phishing websites, once again made to look like legitimate online services, such as Office 365.
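The two tells KnowBe4 describes above, a link into a legitimate file-sharing host and the ‘invoice’ style of wording, are easy to check for at the mail gateway. The triage helper below is an added example written for this post, not code from KnowBe4 or the original article: it seeds its watchlist with slack-files.com from the report, and everything else, including the keyword list and the two sample messages, is constructed.

```python
"""Triage of an inbound email for the lure pattern described above.

Hypothetical helper written for this post, not code from KnowBe4 or the
original article.  It flags (1) links whose host is a file-sharing service
seen hosting lures and (2) invoice-style wording.  slack-files.com comes
from the report; the keyword list and both sample messages are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Legitimate file-sharing hosts observed distributing lures.  A real deployment
# would extend this from its own telemetry.
LURE_HOSTING_HOSTS = {"slack-files.com"}
# Wording typical of the 'invoice' style of phishing email (assumed list).
LURE_KEYWORDS = ("invoice", "payment", "remittance", "overdue")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in free text."""
    return URL_RE.findall(text)


def is_lure_host(url, watchlist=LURE_HOSTING_HOSTS):
    """True if the URL's host is, or is a subdomain of, a watch-listed host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == w or host.endswith("." + w) for w in watchlist)


def message_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage_message(raw_message):
    """Return a verdict and the findings behind it for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    text = message_text(msg)
    findings = []

    # Tell 1: a link into a file-sharing host that has been used to stage lures.
    lure_links = [u for u in extract_urls(text) if is_lure_host(u)]
    for url in lure_links:
        findings.append(f"link to file-sharing host seen distributing lures: {url}")

    # Tell 2: invoice-style wording in the subject or body.
    haystack = (subject + "\n" + text).lower()
    keywords = [k for k in LURE_KEYWORDS if k in haystack]
    if keywords:
        findings.append("invoice-style lure wording: " + ", ".join(keywords))

    if lure_links:
        verdict = "suspicious"
    elif keywords:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages; the file identifier in the link is a placeholder.
SAMPLE_MESSAGE = """\
From: "Accounts Payable" <accounts@supplier.example>
To: finance@company.example
Subject: Invoice 8841 awaiting payment
Content-Type: text/plain; charset="utf-8"

Hello,
Your outstanding invoice is available on our secure share:
https://slack-files.com/FILE-ID-PLACEHOLDER/invoice_8841.pdf
Kind regards
"""

BENIGN_MESSAGE = """\
From: alice@company.example
To: finance@company.example
Subject: Team lunch on Friday
Content-Type: text/plain; charset="utf-8"

Booking a table for noon, let me know if you can make it.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, triage_message(raw))
```

The verdict is deliberately two-tier: a link into a watch-listed host is enough to quarantine for review on its own, while invoice wording by itself only earns a closer look, since finance teams receive genuine invoices all day. Matching on the host rather than the full URL is what makes the check hold up when the path changes from one campaign to the next.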
While there’s nothing new about any of these techniques, they do demonstrate how, when phishing attempts don’t evolve, they instead become more prominent. So keep those eyes peeled.
Rotten Apple: MacOS Sees No Problem With Trusting Prevalent Malware
Failing to notice a malware threat is one thing; scanning it, approving it and allowing its distribution across your operating system is quite another indeed. And yet earlier this week, Apple allowed the Shlayer malware to pass its notarisation process.
Apple’s notarisation process is designed to automatically scan new Mac software for untrusted or malicious code; any software that doesn’t pass its test is, in later versions of macOS, prevented from being executed on the system. It’s a little more complex than this, of course, but in the interest of meeting our Thursday deadline, here’s a more in-depth explanation from the ever-informative Malwarebytes.
What’s doubly baffling is that Shlayer is no new threat; we’ve covered it a couple of times on Threat Thursday before. Further adding to the unintentional comedy is that once Apple grew wise and withdrew notarisation for Shlayer on the 28th, the developers got around the problem by… er, changing the code slightly and submitting a marginally different version.
In his in-depth writeup over on objective-see, researcher Patrick Wardle notes: “Both the old and “new” payload(s) appears to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware”. Womp womp.
Apple’s notarisation process has always been a controversial approach to a complex certification system. It appears that bungles like this can only justify that scepticism.
Right class, cyber school’s out for this week – but we’ll be back at the same time 7 days from now where our cups shall no doubt runneth over with more cyber security news.
Until then, why not sign up to our Threat Thursday newsletter?