It’s been 7 days, and that’s all the time we need to compile a gaggle of all new cyber threats. Welcome to Threat Thursday.
This week: hackers take the fight to themselves, Office 365 apps are a cunning new attack vector, and Patch Tuesday still makes for dull reading.
Turncoat OneNote Goes Totally Cutthroat; Changes Scope to Keep Campaign Afloat
Okay, I promise; I’ll stop writing these tenuous rhyming headlines one day, but only when you lot stop reading them.
Until then, be aware of a cunning new phishing campaign that leverages Microsoft OneNote – using it to bypass online protections and smear malware all over its hapless victims’ systems.
Discovered on Tuesday by researchers over at Cofense, this reportedly long-term campaign saw its operator adopting OneNote as their own ‘Threat Lab’ of sorts, experimenting with different distribution methods and techniques in order to infect victims with the Agent Tesla keylogger. This personal phishing notebook was updated several times a day, often to reflect whichever new phishing technique the owner was trialling at the time. I mean, it’s resourceful, at least. By utilising OneNote, the threat actor was also able to bypass protections such as Microsoft Exchange Online, which treat OneNote as a trusted source.
So, what forms has this shape-shifting shyster of a OneNote taken? It’s been a sales invoice, linking to the OneNote and subsequently to a credential phishing site; it’s been a fake Office 365 login, again for the purpose of credential stealing; and it’s linked to infected documents hosted on Google Docs, Zoho and Microsoft SharePoint.
This scheme demonstrates that a hacker’s tools extend far beyond the usual phishing techniques, and that by smartly leveraging certain apps and services, they can use trusted sources to bypass threat detections. Once again, the best defence is your own keen eye, and a knowledge of best practices when sent an unfamiliar email or attachment.
Hackers Find a Gap in the Market: Themselves
Slightly bizarre developments over in the booming cyber crime marketplace, as hackers have started injecting the increasingly popular njRAT virus into other hacking tools – including SQL injectors, leaked credential validators, exploit scanners and site scrapers. Which is all very interesting, if frustratingly devoid of any logical motive.
And it’s been going on for quite some time too, if analysis from Cybereason is anything to go by. Having discovered more than 1000 samples of the njRAT virus in the course of the investigation, and uncovering new ones on an ‘almost daily basis’, there could be a grander scheme at play here. Cybereason managed to trace a particularly revealing strain of the virus, found on one of the infected hacking tools, to a compromised Indian website. Here, it was discovered that vulnerable WordPress plugins on the site were being used to serve the virus. They also believe that this latest strain can be traced to a Vietnamese individual, who purchased the expired ‘capeturk.com’ domain in 2018 and may be using the site for similar purposes.
The capabilities of njRAT allow complete access to infected devices, allowing for data theft, remote code execution and DDoS attacks. While it mostly targets users in the Middle East, piggybacking on other malware toolkits might see it spread epidemically over the course of other campaigns.
Whether this is the true goal of the campaign is unclear. For now, amateur hackers are being hoisted by their own petard, inadvertently compromising themselves in a bid to compromise others. This is where we all sit back, point and laugh, albeit nervously.
Microsoft Excel’s Got New Tickets to Paradise
The Paradise ransomware, which I’d wager is far less luxurious than it sounds, is a lesser-known infection that’s using even more obscure methods to infect company networks. Following a somewhat humble stint in 2017, it’s likely that the malware authors are attempting an all-new technique here in a bid for more lucrative results.
Much like the techniques used in the Agent Tesla campaign mentioned earlier, Paradise is now smuggling itself into the rarely used IQY file format: a basic text file that allows Excel to download data from an online source. While the format isn’t widely used, it is typically accepted as a legitimate file type and, as such, is rarely targeted by surface-level protections when it inevitably sails in on a phishing email.
The discovery, by Lastline, is thought to be a test of the waters for the Paradise developers, who have been quiet until this recent resurgence and aren’t responding to any messages made through Paradise’s thoughtfully included chat window, used to negotiate decryption prices with victims. How successful this test campaign is remains to be seen – especially now that the cat’s out of the bag – but in the great ransomware revival, it’s yet another entry on the long list of smart new techniques to be aware of.
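As an added illustration of the IQY mechanism described above (example code written for this post, not Lastline’s or anyone else’s tooling): a small Python triage check that parses the plain-text IQY layout – a WEB header line, a version line, the URL Excel will fetch, then optional key=value options – and flags an attachment whose web query points anywhere other than an assumed internal allow-list. The allow-list host, the sample attachments and the raw-IP heuristic are constructed assumptions for the example.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Hypothetical allow-list of internal hosts permitted to serve Excel web-query data.
ALLOWED_HOSTS = {"reports.corp.example"}


def parse_iqy(text: str) -> dict:
    """Parse IQY text: 'WEB' header, version line, URL, then key=value options."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    params = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def triage_iqy(text: str) -> list:
    """Return the reasons to quarantine an IQY attachment (empty list = clean)."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [str(exc)]
    url = urlparse(query["url"])
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme: {url.scheme or '(none)'}")
    host = url.hostname
    if host not in ALLOWED_HOSTS:
        reasons.append(f"web query to non-allow-listed host: {host}")
    if host:
        try:  # a bare IP address is rarely how a legitimate data feed is published
            ip_address(host)
            reasons.append(f"raw IP address as host: {host}")
        except ValueError:
            pass
    return reasons


# Constructed sample attachments: one pointing at the internal host, one not.
SAMPLE_CLEAN = "WEB\n1\nhttps://reports.corp.example/sales.csv\nSelection=AllTables\nFormatting=None\n"
SAMPLE_SUSPECT = "WEB\n1\nhttp://203.0.113.7/invoice.dat\nSelection=AllTables\n"

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(name, triage_iqy(sample) or "no findings")
```

Wired into a mail gateway, the non-empty list is the signal to hold the attachment before Excel ever gets the chance to follow the URL.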
And Now, the Ever-Exciting Patch Tuesday Update
In dull but no less important news, there’s a batch of critical updates for Windows users for this March’s Patch Tuesday. Coming in at a substantial 115 fixes – the biggest in the event’s history – there’s a heck of a lot to go through, which is exactly why we won’t.
What we will do is highlight a few of the most important issues, notably remote code execution vulnerabilities in Windows Server 2016, Windows Server 2019 and various versions of Windows 10. In fact, of the critical updates, almost all of them relate in some way to potential RCE vulnerabilities across modern Windows environments. The list of all of these is here. You know the drill – get patching.
That wraps up this week’s regular dive into the murky world of cyber threats. As always, be sure to come back next Thursday for more new Cyber Security developments!