Another week, another Threat Thursday to feast your cyber-conscious eyes on!
This Thursday, 2 nasty new malware threats continue to target enterprises worldwide while the NHS Track and Trace suffers further security shockers.
Let’s kick the week off with a segment that’s recurring by necessity rather than choice…
The Covid-19 Parade, 04/06/2020
Yes, the deluge of Covid-19 related phishing threats continues to spew forth like effluence from a ruptured bilge pump. This week’s threats include:
(F)Unicorn, a hitherto unseen ransomware strain, is leveraging Italy’s Covid-tracking app Immuni to spread itself around. Distributing itself via fake Immuni apps delivered through unofficial channels (yep, phishing emails again), (F)Unicorn slowly compromises mobile devices before demanding a €300 payment for a decryption key. Currently only targeting Italian users, it remains a cautionary tale on downloading from anything other than the legitimate channels, and it’s not hard to imagine this becoming a post-Brexit import we could probably do without.
Google’s Threat Analysis Group (TAG) has also warned of rising ‘Hack for Hire’ threats, specifically those impersonating the World Health Organisation. While most of these schemes can be traced back to India, these emails are targeting businesses worldwide with the intent of hijacking their victims’ login credentials. The WHO is fast becoming a commonly impersonated authority when it comes to phishing campaigns, and as the weeks go on, it’s shrewd to treat any emails that claim to be from this respected organisation with intense scrutiny. You can read Google’s threat report right here.
Finally, the NHS Test and Trace scheme (itself something of a data security red flag) is already being exploited by Smishing attacks. Fake SMS messages, seemingly being fired off to UK numbers indiscriminately, are duping recipients into thinking they’ve been in contact with the Coronavirus and linking them to credential-stealing URLs. It seems this is another opportunist take, targeting phones in the hope that Test and Trace users will take the SMS seriously. Treat any such SMS messages with the exact caution you would an email; question the links, the user, and whether you were even expecting such a message.
New Ransomware Forcing Enterprises to Pony up the Goods
Continuing this week’s curiously equestrian theme (although Unicorns are yet to be recognised by leading zoologists), Microsoft Security Intelligence have warned of another long-faced, hooved hijacker that’s been doing the rounds for the past two months.
PonyFinal’s a Java-based, human-operated ransomware that enters company system servers via crude brute-force attempts. Microsoft themselves note the rarity of Java-based ransomware in their report (well, their Tweet) here, but emphasise that this is far from the ransomware’s most unusual trait.
In a series of follow-on Tweets, Microsoft reveals how PonyFinal appears to target or install the Java Runtime Environment (JRE) to get itself up and running. Then it just…waits.
Yes, rather than bolt straight out the proverbial barn door, PonyFinal’s human operators can instead choose the precise moment to unleash their saddled saboteur; typically the moment they deem their victims’ systems most vulnerable. Upon successful infection, victims are directed to a newly-created file named ‘README_files.txt’ which proclaims:
“All your important files were encrypted on all computers. You can verify this by click on see files an try open them”. That’s their grammar, not mine. What follows is a demand for 300 Bitcoins (an unrealistic £2,283,608 at the time of writing) and instructions on how best to throw that money into the ever-so-virtuous industry of cyber crime.
Suffice to say, this is not an infection you can fight off or discover with simple phishing training, and full protection and preparation across all servers is paramount to staying protected.
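Since PonyFinal’s foothold comes from crude brute-force logins rather than phishing, the server-side check worth having is a simple one: many failed logins from a single source in a short window, especially when a success follows. The snippet below is an added example, not code from the original post or from Microsoft; the syslog-style line format, hostnames, usernames and IP addresses are all constructed for illustration.

```python
"""Added example (not from the Threat Thursday post): a minimal brute-force
burst detector run over constructed authentication log lines.

The post notes that PonyFinal gains its initial foothold via crude brute-force
login attempts, so the defensive check worth having is "many failures from one
source in a short window". Log format, hostnames, users and IPs below are all
constructed for illustration, not real telemetry from the campaign.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log lines in an assumed syslog-like shape.
SAMPLE_LOG = """\
2020-06-04T09:00:01 srv-app01 auth: FAILED login user=admin src=203.0.113.7
2020-06-04T09:00:02 srv-app01 auth: FAILED login user=Administrator src=203.0.113.7
2020-06-04T09:00:03 srv-app01 auth: FAILED login user=backup src=203.0.113.7
2020-06-04T09:00:04 srv-app01 auth: FAILED login user=svc_java src=203.0.113.7
2020-06-04T09:00:05 srv-app01 auth: FAILED login user=deploy src=203.0.113.7
2020-06-04T09:00:09 srv-app01 auth: SUCCESS login user=deploy src=203.0.113.7
2020-06-04T09:10:00 srv-app01 auth: FAILED login user=alice src=198.51.100.20
2020-06-04T09:25:00 srv-app01 auth: FAILED login user=alice src=198.51.100.20
2020-06-04T09:25:30 srv-app01 auth: SUCCESS login user=alice src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that reaches `threshold` failed logins inside
    `window`, and mark whether that source later logged in successfully (the
    case that should be treated as a likely compromised account)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = {}                    # src -> alert dict (first burst only)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "FAILED":
            q = failures[src]
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted[src] = {
                    "src": src,
                    "host": ev["host"],
                    "first_seen": q[0],
                    "failures": len(q),
                    "success_after_burst": False,
                }
        elif src in alerted:
            # A success from a source that just burst failures is the red flag.
            alerted[src]["success_after_burst"] = True
            alerted[src]["user_after_burst"] = ev["user"]
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Two legitimate typos from `alice` fifteen minutes apart never trip the threshold, while five failures in five seconds followed by a success from the same source produce a single alert that names the account that eventually got in. In a real estate the same logic would sit on the authentication logs of every exposed server, since the post’s point is that this entry route isn’t something phishing awareness alone will catch.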
Apple Jailbreak is Back in the Clink
The ‘unc0ver’ jailbreak, first revealed by the embarrassingly named ‘Pwn20wnd’ on Twitter on May 23rd, is designed to ‘open up’ iPhones, removing Apple’s tight restrictions on the use of the hardware, its systems and its apps.
While jailbreaking isn’t necessarily a threat in itself, it is frowned upon by hardware manufacturers and device warranties. More pressingly, it potentially opens devices up to all sorts of vulnerabilities, as you might imagine with an ‘anything goes’ environment. And if you’ll humour us for just a second, might it be possible for the same vulnerability to be exploited for other, more unwanted nasties?
Well, it matters no more; while the exploit, known as CVE-2020-9859, covered almost all iOS versions from 11 up to 13.5, it was fixed in a patch this July 1st. Now would be a good time to apply those latest updates if you haven’t already.
The Update Down-low
Thankfully, Covid-19 threats aren’t the only recurring theme in Threat Thursday – there’s also some good news in the form of the latest OS updates.
This Monday saw Android release their most recent monthly Security Bulletin, in which 4 critical security bugs were squashed. Half of these critical exploits were related to Remote Code Execution (RCE) vulnerabilities, and affected Android versions 8 through 10. A number of remaining high-severity flaws were fixed, ending numerous Elevation of Privilege (EoP) exploits that could see hackers navigating their way to higher administrative functions.
Apple, meanwhile, have released updates for all their current-gen operating systems, including the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and 7th Generation iPod touch. There’s also security updates for macOS, now on Catalina 10.15.5, which has received a supplementary update.
While Apple is never too keen to disclose the full details of their updates, they have at least confirmed a fix for their zero-day Jailbreak exploit; it’s likely that these at least supplement those protections.
And that’s all the most potent threats scuppering UK users and businesses this week. If you’d like the latest cyber security news delivered straight to you in future, why not join the Threat Thursday mailing list? Simply leave us your email in the box on the right, and we’ll send the latest news straight to your inbox every week!