It’s Thursday once again, and the ever-reliable Mirus team have another Threat Thursday to get you up to speed on the week’s latest threats, vulnerabilities and patches.
It’s another big one this week, so let’s waste no time jumping in:
Oh, Sodinokibi Off! Malware Authors Encourage Illicit Behaviour in Sponsored Hack Code Contest
Time to step up your game, because hackers are certainly about to step up their own. The developers behind nobody’s favourite ransomware, Sodinokibi (also tracked as REvil), are encouraging have-a-go hackers to write Advanced Persistent Threat (APT) style attack tooling in a contest hosted on a dark web forum. Goody.
The collective is offering a princely $5,000 sum – no doubt extorted from its hapless victims – to whoever writes the best proof-of-concept article or video demonstrating the effectiveness of their own APT code. Prizes don’t seem to be handed out for successful intrusions as such, but a contest that rewards ‘video demonstrations’ will no doubt encourage a few live ones against businesses and charities worldwide.
Because hackers are such a charitable bunch, the Sodinokibi collective are even offering one lucky coder the chance to work alongside them on further malware projects; potentially from a parent’s basement somewhere, smelling faintly of sweat and stale Red Bull.
In other words, we haven’t heard the last of Sodinokibi yet. By sponsoring APT-style tooling, the collective is looking beyond the mass phishing and opportunistic ransomware it has relied on so far. Against a targeted, persistent intruder, firewalls (cloud, hardware and software) are only the first layer: patching internet-facing systems, multi-factor authentication on remote access, network segmentation and monitoring for lateral movement matter at least as much. Now might be a good time to review all of the above.
Snake Malware Slithers Into Industrial IT
Security firm Dragos has released details of a recently discovered malware called EKANS – or SNAKE, if you insist on reading everything in reverse. Believed to have emerged in December last year, EKANS is ransomware that not only holds infected systems hostage, but also kills a fixed list of processes belonging to industrial control system (ICS) software on the Windows hosts it infects, before it starts encrypting. In other words, it’s built to disrupt industrial operations: it doesn’t talk to controllers directly, but killing the HMI, historian and licensing services that run on Windows can leave operators blind and halt production just as effectively.
Currently, 64 different software processes are on Snake’s kill list, many of them belonging to ICS products. There’s a laundry list of affected processes on Dragos’s official blog, including the FlexNet licensing service, Microsoft SCCM, Honeywell HMIWeb and the ThingWorx Industrial Connectivity suite.
Files encrypted by EKANS have a random five-character string tacked on to their file names as an extra extension, and the string “EKANS” is written into the end of each encrypted file as a marker. As expected, a ransom note placed among the affected files alerts victims to their plight, demanding the usual payment to get their files unlocked; we always recommend not doing this, and restoring from offline backups instead.
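If you need to check quickly whether a share or host has already been hit, the two artifacts above are enough for a first-pass triage. The script below is an added example written for this post, not Dragos’s or Mirus’s code; it assumes the two indicators as described (an extra five-character extension and the “EKANS” footer marker), and the sample files it scans are constructed inside a temporary directory so it runs offline.

```python
"""Triage scan for EKANS-style encryption artifacts on a directory tree.

Added example, not Dragos's or Mirus's code. It assumes two indicators
from the public EKANS analysis: a random five-character string appended
to each encrypted file's name as an extra extension, and the ASCII
marker b"EKANS" written at the very end of the file. The sample files
below are constructed here so the scan runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

FOOTER_MARKER = b"EKANS"
# <name>.<original ext>.<five random alphanumerics>, e.g. report.docx.qzm4k
EXT_PATTERN = re.compile(r"^.+\.[A-Za-z0-9]{1,10}\.[A-Za-z0-9]{5}$")


@dataclass
class Hit:
    path: str
    has_marker: bool
    suspicious_ext: bool

    @property
    def confidence(self) -> str:
        if self.has_marker and self.suspicious_ext:
            return "high"
        return "medium" if self.has_marker else "low"


def has_footer_marker(path: str) -> bool:
    """Read only the last few bytes; encrypted files can be large."""
    size = os.path.getsize(path)
    if size < len(FOOTER_MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(FOOTER_MARKER))
        return fh.read(len(FOOTER_MARKER)) == FOOTER_MARKER


def scan(root: str) -> List[Hit]:
    """Walk root and return every file showing either indicator."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            marker = has_footer_marker(path)
            ext = bool(EXT_PATTERN.match(name))
            if marker or ext:
                hits.append(Hit(path, marker, ext))
    return sorted(hits, key=lambda h: h.path)


def summarize(root: str) -> Dict[str, str]:
    """Map file name -> confidence for every hit under root."""
    return {os.path.basename(h.path): h.confidence for h in scan(root)}


def build_sample_tree() -> str:
    """Constructed test data: one clean file and three suspicious ones."""
    root = tempfile.mkdtemp(prefix="ekans_demo_")
    samples = {
        "report.docx": b"PK\x03\x04 clean document",
        "report.docx.qzm4k": b"\x8f\x11\xa0 ciphertext " + FOOTER_MARKER,
        "hmi_config.xml": b"<config/>" + FOOTER_MARKER,   # marker, name untouched
        "notes.txt.ab12c": b"just an odd extension",      # extension only
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan(build_sample_tree()):
        print(f"{hit.confidence:6} marker={hit.has_marker!s:5} "
              f"ext={hit.suspicious_ext!s:5} {hit.path}")
```

Point it at a mounted share rather than the sample tree and you get a ranked list in minutes: the footer marker is the stronger signal (the extension rename is easy to confuse with ordinary odd file names), so “medium” and “high” hits are the ones to act on first.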
As with any ransomware, it’s important to have the necessary protections in place (tested, offline backups above all) and – just as crucially – ensure your team adheres to strict cyber security rules. That means only visiting trusted sites, only opening email from senders you can identify and never opening unexpected attachments. That’s how they getcha.
EmoCheck Yo’self Before You EmoWreck Yo’self
Emotet was voted 2019’s worst malware - that’s worst as in ‘nastiest’, not worst as in ‘least effective’. So it stands to reason that suspicious users will want to make sure their systems are Emotet-free. Step forth EmoCheck, a utility developed by JPCERT/CC, Japan’s Computer Emergency Response Team Coordination Center.
Windows users can scan their machine for the troublesome trojan using this handy little command-line tool – although do note, it detects Emotet, it doesn’t remove it. What it gives you is the process name, process ID and image path of any running Emotet instance, so you can end the offending process from Task Manager and find the dropped file. Because Emotet is first and foremost a loader (TrickBot and, through it, the Ryuk ransomware are its usual passengers), a positive hit should be treated as a reason to isolate the machine and check the rest of the network, not just to kill one process. Used that way, it’s an effective first step in heading off a full-blown ransomware attack.
The timing of EmoCheck couldn’t have been more appropriate; the latest Emotet campaigns are targeting American taxpayers with fake W-9 forms, as well as Japanese citizens with fake Coronavirus updates. Opportunism, thy name is Emotet.
Of course, EmoCheck is no replacement for a dedicated Antivirus solution, nor for regular cyber security training; but it’s encouraging to see that in the fight against cybercrime, enterprising tech experts are willing to give a helping hand.
You can download EmoCheck here, for free: https://github.com/JPCERTCC/EmoCheck/releases.
Evil Corp Remains On-Brand; Returns With All-New Method of Attack
We’ve encountered a lot of poorly-named malware and hacker collectives here on Threat Thursday - Shlayer, DeathRansom, Snatch – but we have to draw the line at ‘Evil Corp’. Somebody on that team wasn’t even trying, were they?
Terrible name aside, Evil Corp have nonetheless orchestrated some pretty impressive heists in the past, having stolen an estimated $100 million from people and businesses worldwide. Global law enforcement, presumably a little miffed at their antics, put a meaty $5 million bounty on the head of their suspected leader, Maksim Viktorovich Yakubets, and in December last year the US charged him and his associate Igor Turashev (both remain at large in Russia). It seems Evil Corp has nonetheless returned with a brand new phishing scam. Well, brand new to them, at least.
Evil Corp’s latest technique involves links in the body of phishing emails that bounce the victim through one or more redirects before landing on an Excel spreadsheet download. The sheet asks the user to click the magic ‘enable editing’ button; do that and its embedded macro runs, and Evil Corp dumps its favourite trojan, GraceWire, all over the user’s system.
This is the first time Evil Corp has used URL redirects in its infection attempts, as opposed to simply sending infected files or links straight to bug-addled websites. The redirects, which can bounce through several sites, let Evil Corp keep funnelling victims to the malware even as individual sites in the chain are taken down, and they also defeat simple URL-reputation checks that only look at the link in the email. It might also indicate that Evil Corp is making the extra effort to cover its tracks. Personally, with a name like that, I wouldn’t want to be publicly identified either.
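The practical consequence for defenders is that the link in the email tells you almost nothing; you have to walk the whole chain and block or report every hop. The script below is an added example for this post, not Evil Corp’s material or code from any published report. It follows HTTP redirects, meta-refresh tags and simple JavaScript `location` assignments, stops on loops and on a hop limit, and runs against a constructed four-hop chain (the URLs, pages and `fake_fetch` function are all invented here); swap in a real HTTP client that returns the same `(status, headers, body)` tuple to map a live campaign.

```python
"""Resolve a phishing link's redirect chain without opening it in a browser.

Added example, not Evil Corp's material or code from any published
report. URLs, pages and the fetch function below are constructed so it
runs offline; with a real fetcher that returns (status, headers, body)
the same logic maps a live chain hop by hop.
"""
import re
from html import unescape
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

Response = Tuple[int, Dict[str, str], str]   # (HTTP status, headers, body)

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
# window.location = "..." / location.href = "..."
JS_LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)


def next_hop(url: str, status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the URL a browser would move to next, or None if this is the end."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered:
        return urljoin(url, lowered["location"])
    match = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, unescape(match.group(1))) if match else None


def follow_chain(start: str, fetch: Callable[[str], Response],
                 max_hops: int = 10) -> Tuple[List[str], str]:
    """Walk the chain, stopping on the final page, a loop, or the hop limit."""
    chain, seen, url = [start], {start}, start
    while len(chain) <= max_hops:
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "hop_limit"


# Constructed four-hop chain: mail link -> tracking redirect -> meta refresh
# page -> JavaScript redirect -> macro-enabled spreadsheet download.
SAMPLE_START = "https://mail-notice.example/view?id=42"
SAMPLE_PAGES: Dict[str, Response] = {
    SAMPLE_START: (302, {"Location": "/r/abc"}, ""),
    "https://mail-notice.example/r/abc": (
        200, {},
        '<html><meta http-equiv="refresh" content="0; url=https://cdn-host.example/doc.html"></html>'),
    "https://cdn-host.example/doc.html": (
        200, {},
        '<script>window.location.href = "https://files.example/Invoice_2020.xlsm";</script>'),
    "https://files.example/Invoice_2020.xlsm": (
        200, {"Content-Type": "application/vnd.ms-excel.sheet.macroEnabled.12"}, ""),
}


def fake_fetch(url: str) -> Response:
    """Stand-in for an HTTP client; unknown URLs behave like a taken-down host."""
    return SAMPLE_PAGES.get(url, (404, {}, ""))


if __name__ == "__main__":
    hops, outcome = follow_chain(SAMPLE_START, fake_fetch)
    for i, hop in enumerate(hops):
        print(f"{i}: {hop}")
    print("outcome:", outcome)
```

Every hop in the returned list is a separate indicator worth blocking; if one of the middle hosts is taken down, the walk simply ends early at the dead hop, which is exactly the gap the attackers fill by registering another redirector.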
WhatsApp Desktop App Lets Hackers Rummage Through Your Files
A critical vulnerability in the WhatsApp desktop client could have given hackers remote access to files on Windows or Mac operating systems, it has been revealed.
The vulnerability, tracked as CVE-2019-18426, combines flaws in the WhatsApp desktop app and the web client it is built on. A specially crafted message could plant script in the link preview WhatsApp renders for a URL (a cross-site scripting bug), and the client’s weak Content Security Policy failed to stop that script from running. From there an attacker could read local files on the victim’s machine, and because the desktop client shipped an outdated Electron/Chromium build, the bug could potentially have been chained into remote code execution. The exploit did rely on the victim clicking the link preview in the malicious message.
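The lesson here is that a Content Security Policy is only as good as its weakest directive, and the weaknesses that let injected script run are easy to lint for. The script below is an added example for this post, not WhatsApp’s code and not the researcher’s; the two policies it checks are constructed to show the checks and are not copied from any real client.

```python
"""Lint a Content-Security-Policy header for the weaknesses that let an
injected script run. Added example, not WhatsApp's code and not the
researcher's; the two policies below are constructed to show the check
and are not copied from any real client.
"""
from typing import Dict, List, Optional

# directives that fall back to default-src when absent (base-uri does not)
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
}
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [sources]}; like browsers, keep the
    first occurrence of a repeated directive."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(d: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Sources that apply to a directive once default-src fallback is considered."""
    if name in d:
        return d[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return d.get("default-src")
    return None


def audit_csp(policy: str) -> List[str]:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    d = parse_csp(policy)
    findings: List[str] = []

    script = effective_sources(d, "script-src")
    if script is None:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    else:
        lowered = [s.lower() for s in script]
        # a nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
        for s in lowered:
            if s == "'unsafe-inline'" and not has_nonce_or_hash:
                findings.append("script-src allows 'unsafe-inline': injected <script> and event handlers run")
            elif s == "'unsafe-eval'":
                findings.append("script-src allows 'unsafe-eval': string-to-code (eval) is permitted")
            elif s in BROAD_SOURCES:
                findings.append(f"script-src allows broad source {s}")
            elif "*" in s:
                findings.append(f"script-src allows wildcard host {s}")

    obj = effective_sources(d, "object-src")
    if obj is None or "'none'" not in [s.lower() for s in obj]:
        findings.append("object-src is not 'none': plugin content can carry script")

    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> can retarget relative script URLs")
    return findings


# Constructed policies for illustration (not taken from any real product).
WEAK_POLICY = ("default-src 'self' https://*.chat-app.example; "
               "script-src 'self' 'unsafe-inline' https:; img-src *")
STRICT_POLICY = ("default-src 'none'; script-src 'self'; object-src 'none'; "
                 "base-uri 'self'; connect-src 'self'; img-src 'self' data:")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"== {label} ==")
        for finding in audit_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run it against the policy your own web client or Electron app actually serves (the `Content-Security-Policy` response header, or the `<meta>` equivalent); `'unsafe-inline'` in `script-src` is the one that turns an HTML injection like the link-preview bug into running code.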
Facebook, the owner of WhatsApp, has since patched the flaw, which affects all versions of WhatsApp Desktop before v0.3.9309 that are paired with a WhatsApp for iPhone version older than 2.20.10. If you rely on either of these in your business communications, now’s the time to make sure they’re updated to those versions or later.
Avast, Matey! This Scurvy Runnin’ of Rigs Will See Ye Dance the Hempen Jig!
(Translation: “Avast Antivirus, my good sirs. Your recent and unsolicited slurping of customer data is most assuredly unwelcome. I would advise you to desist lest the consequences be dire”).
What’s the true cost of a free Antivirus solution? According to Czech-based cybersecurity firm Avast, it’s your private and personal browsing data… which kind of devalues the whole ‘online security’ angle, we’d argue.
In a joint investigation by PCMag and Motherboard, it was discovered that Avast’s free Antivirus software was subsidised by sales of its users’ browsing data. A subsidiary of Avast, named Jumpshot, harvested the browsing data of millions of Avast users and packaged it up for a long list of companies for marketing purposes. Companies buying this sensitive data included Yelp, Microsoft and Google.
Alongside its users’ browsing histories, the data harvested included GPS coordinates looked up in online maps, YouTube video views and, in some instances, the precise search terms users had entered on some of the net’s ‘seedier’ websites. You might have deleted that search history, but Avast has the receipts, you deviant. Mozilla and Opera had already pulled Avast’s and AVG’s browser extensions from their add-on stores back in December, with Google following suit for Chrome; all three browsers market themselves as secure and data-conscious.
Following the expected outcry, Avast revealed at the end of last week that they would be shutting down the $180 million Jumpshot business.
While not strictly a threat, this whole story is a testament to the importance of a respected, specialist Antivirus solution. While we’re sure no business is protecting itself behind a free one (at least, we’d certainly hope so!), it does demonstrate that you get what you pay for with security solutions; if you’re not paying any money, you’re paying with something far more valuable instead. Paid or not, it’s worth checking exactly what telemetry a security product sends offsite and who it is shared with; Avast’s collection carried on inside the Antivirus client itself after the browser extensions were pulled, so the add-ins were never the whole story.
And that’s another hefty Threat Thursday in the bag. Next time, why not get it in your inbox instead?
By signing up to the Threat Thursday newsletter, you’ll get all the latest cyber security updates mailed to you every week – simply fill your contact details in on the box on the left of this page!