Threat Thursday 02042020

#ThreatThursday | 2nd April 2020 | Cyber Security Updates

With the way of the world right now, we’re living almost our entire working lives online. Let Threat Thursday be your weekly guide to staying safe while you’re there.

This week: Zoom leaves the backdoor open, Zeus Sphinx emerges from the sands and a pandemic can’t keep the cyber criminals down.

We’re All Zoomed: Popular Conferencing App’s Security Policy Raises Some Eyebrows

Zoom is fast becoming one of the most widely used conferencing apps available; we’d almost call it ‘popular’, if teleconferencing wasn’t a universally hated endeavour. However, its new-found prominence has brought with it some uncomfortable scrutiny from infosec experts, who have serious misgivings about the app’s privacy policy as well as its recurring security issues.

Now, we have to be fair here; the much-publicised act of ‘Zoom-bombing’, in which uninvited participants enter a Zoom chat and start wreaking havoc, is not necessarily a flaw of Zoom itself. Rather, it’s an oversight on behalf of the chat organisers, who may have posted links to their Zoom chat in a public forum, not password-protected their chats, or not enabled the ‘Waiting Room’ feature, where participants are given manual entry by the host.

Users should also be aware of fake Zoom domains, which cyber criminals have been snatching up recently in attempts to exploit the app’s popularity; these are being used to phish for users’ Zoom credentials, which are then used to infiltrate the victims’ private meetings.

Yet while exploitation such as this is par for the course for any popular app, Zoom’s security and privacy concerns are an altogether more troubling beast. The Intercept suggests that Zoom’s end-to-end encryption isn’t quite up to the standard we’d expect – and might not even fit the definition of ‘end-to-end encryption’ at all. Coupled with its very loose rules around users’ personal data and its relationships with data giants such as Google and Facebook, organisations may want to keep a closer eye on Zoom’s practices if they’re to maintain their remote working security.


If You Love Your Inefficient Security So Much, Why Don’t You Just Marriott?

Marriott Hotels has suffered a data breach, compromising the private data of 5.2 million of its guests. No, you haven’t travelled backwards in time; this is indeed the second data breach the hotel chain has suffered in two years.

In response to this discovery, the company issued a statement online, claiming:

“…Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests…”

Personally identifiable details, account numbers, birthdates, linked airline loyalty programmes and a host of other sensitive data are believed to have been compromised in this breach; perhaps the only details thought not to have been breached include PINs, payment card information, passport numbers and driver’s licenses. Even then, their safety cannot be confirmed.

As recently as July last year, Marriott were fined £99.2 million for a breach in November 2018, so this extra security blunder has turned a cautionary tale into a veritable comedy of errors. Only, you know, nobody’s laughing.

If you’re a Marriott customer, now’s the time to follow the company’s advice, get in touch with the relevant helpdesks and start amending your Marriott account security.

In the meantime, take this opportunity to reflect on your cyber security basics. This is a breach that could easily have been avoided by monitoring account activity – which may well have highlighted these hijacked login credentials being used in ways their legitimate owners never would. Similarly, stricter password policies and training might even have prevented these credentials from being compromised in the first place.
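As an added illustration of the account-activity monitoring mentioned above (example code written for this post, not Marriott’s own tooling), the following Python flags any login whose daily guest-record lookups spike far above its own baseline. The log format and the two front-desk logins are constructed assumptions.

```python
"""Flag logins whose guest-record access volume spikes far above their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample application log (assumed format: date, employee login, guest record id);
# fdesk01 behaves normally for four days, then pulls 40 records on 2020-01-17.
ACCESS_LOG = """\
2020-01-13 fdesk01 G1001
2020-01-13 fdesk01 G1002
2020-01-13 fdesk02 G1003
2020-01-14 fdesk01 G1004
2020-01-14 fdesk02 G1005
2020-01-14 fdesk02 G1006
2020-01-15 fdesk01 G1007
2020-01-15 fdesk02 G1008
2020-01-16 fdesk01 G1009
2020-01-16 fdesk02 G1010
2020-01-17 fdesk02 G1011
""" + "".join(f"2020-01-17 fdesk01 G{2000 + i}\n" for i in range(40))


def daily_counts(log_text):
    """Return {login: {day: number of guest records accessed}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, login, _guest_id = line.split()
        counts[login][day] += 1
    return counts


def flag_spikes(log_text, factor=5, min_records=20):
    """Return {login: [(day, count, baseline)]} for days where a login accessed
    at least `min_records` records and at least `factor` times its median daily
    count over its other days. `min_records` stops tiny baselines (1 -> 5) alerting."""
    alerts = {}
    for login, per_day in daily_counts(log_text).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if count >= min_records and count >= factor * max(baseline, 1):
                alerts.setdefault(login, []).append((day, count, baseline))
    return alerts


if __name__ == "__main__":
    for login, spikes in flag_spikes(ACCESS_LOG).items():
        for day, count, baseline in spikes:
            print(f"ALERT {login} accessed {count} guest records on {day} (baseline {baseline:g}/day)")
```

A real deployment would compare against a longer rolling window and pair the volume check with context such as time of day and source location, but even this per-login baseline would have singled out two accounts quietly pulling records for weeks.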

Coronavirus Continues to Fuel Cyber Crime Efforts

As if Covid-19 wasn’t damaging enough, it’s fuelled a spate of related threat campaigns in the past couple of weeks.

Recent phishing campaigns have leveraged public interest in the Coronavirus, with false emails pertaining to confirmed cases now being used to scrounge a victim’s details. What’s new in this latest spate are the tactics used to evade advanced threat protections, with a combination of both spoofed and legitimate IP addresses exploiting loopholes in Proofpoint and Microsoft Office 365 to slip past their filtering. Anyone receiving an email claiming “HIGH-RISK: New confirmed cases in your city” in the subject line would be wise to ignore it – or better yet, delete it immediately.

Elsewhere, a new malware by the frankly lazy name of ‘Coronavirus’ has emerged, aptly named if only because no known defences exist and the symptoms are pretty darned nasty. As ‘wiper’ malware, Coronavirus thoroughly wrecks a victim’s PC by rendering the Master Boot Record unusable. Cruelly, upon infection, the malware reboots the user’s PC and places a pop-up window explaining the situation, while kindly offering a ‘Remove Virus’ option.

Clicking this option, however, results in the following grammatically questionable message:

“Hello! If you see this message is because your computer has infected by Coronavirus! Please don’t waste your time, Task Manager are disabled and you can’t terminate this process! If you close this window it will appear again! so, one more time, DON’T WASTE YOUR TIME!”

The final insult is a grey screen and the simple message: “Your computer has been trashed”.

It’s unclear what the point of the whole thing is, frankly, but you can read more on this discovery over on SonicWall’s Capture Labs report, here.

Lacking from SonicWall’s report is just how the virus is spread – though we can presume it’s most likely via traditional methods – and just how widespread the campaign is. We can only hope it’s not half as prevalent, or indeed as dangerous, as its real-world counterpart.

This Resurfaced Banking Trojan Really Sphinx

And yes, that was the best pun I could come up with.

Zeus Sphinx, which had taken a five-year sabbatical from being a complete jerk, has emerged from the sands to once again wreak havoc. The banking trojan, like so many others right now, is seizing the opportunity to leap onto the Covid-19 pandemic and is targeting victims with spam emails.

These emails promise Covid-19 relief payments, suggested both in the email’s subject line and in the attached malicious files. Upon opening the files – typically in .doc or .docx format – Zeus Sphinx is installed on the victim’s machine and the user is redirected to a targeted page. From here, the user is tricked into divulging their confidential banking details, which are sent back to the perpetrator via Zeus Sphinx’s C&C server.

The discovery was reported recently by our incredibly titled friends at X-FORCE IRIS, which I have capitalised here for appropriately dramatic effect. You can get some in-depth reading on the malware’s coding, actions and delivery methods in their report right here.


There’s still time to once again rate this week’s major threats on the quality of their names alone…

Zeus Sphinx:
It’s been five years and the developers still haven’t settled on a single ancient civilisation to pull its deities from. 3/10

Coronavirus:
Just because it’s rotten doesn’t mean you get to name it after the worst pandemic the world has seen in decades. 0/10

And let that be the last we hear of any malware, threats, viruses and spam campaigns. Until next week, of course, when there’ll no doubt be a whole new crop of them to contend with. Sigh.
