Did ya miss us? Following a brief hiatus last week, we’re back on schedule and ready to bring you up to speed on the latest cyber security news!
It’s ‘sequel week’ for the last Threat Thursday of July, as some old and forgotten threats return for another shot at success. This week’s culprits are:
The Week in Cisco
Cisco packed a minor drama into this past week, as a critical flaw was discovered, divulged and eventually (if inevitably) exploited in the wild – all in the space of 3 days.
The exploit, discovered by Positive Technologies and divulged in a bulletin last Wednesday, relates to a flaw in Cisco’s Adaptive Security Appliance and Firepower Threat Defense software. Identified as CVE-2020-3452, it allows “an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system”. If you like your security reports with extra added geekery – and hey, you’re in good company – then there are some minor technical details included in the bulletin.
As the bulletin states, an update has been released for the flaw and, if the latest report from the house of Cisco is anything to go by, you’ll want to apply it sharpish. Not half a week since the bulletin released, Cisco reported that the flaw was being exploited in the proverbial ‘wild’, with public exploit code made available in no time at all.
We’d advise checking the bulletin for compatible versions of this update; a number of ASA and FTD versions have now entered ‘end of software maintenance’, and only a move to a later iteration can address this vulnerability.
It’s Been a While – So Here’s a List of the Latest Malware to Have Hit the Google Play Store
We cover the Google Play Store’s frequent malware issues regularly on the Threat Thursday blog; not with the intent of discrediting the company, but to reiterate just how easily cyber criminals can infiltrate and operate - even from the most benign of sources.
In a report by WhiteOps, 29 malicious apps were found polluting the Google Play Store this week, with over 3.5 million downloaders affected by at least one of them. The campaign has been dubbed CHARTREUSEBLUR by the fraud protection experts; partly because many of the apps feature the word ‘blur’ in their name, and partly because, according to their report, ’it’s fun to say and the liqueur is tasty’. I’m liking the style of these WhiteOps guys, frankly.
And ‘blur’ is indeed the watchword of this payload; not only do several of the malicious apps claim to be photo blurring software, but the malicious, ad-laden payload is a keen obfuscator itself. It uses a number of tricks to hide the malware within the app code and employs the bare minimum of legitimate content to pass Google’s Play Store checks.
The full list of dodgy apps is available in the very link you’re reading now. If you recognise any of these as being on your device, best to delete them as soon as possible. The good news is that Google have since deleted these from the Play Store – so there’s no danger of any further inadvertent downloads that we know of yet.
Emotet Awakens from Five Month Slumber, Hungers for Contact Details
Yep, it’s back. And it’s got a new trick.
The once-prosperous botnet that is Emotet seemed to have calmed down operations over the past few months, but has now returned with another spam email scheme that elaborates on its previous MO.
Emotet has, for some time now, been pretty adept at disguising its campaigns as legitimate chain emails, with convincing, malware-laden files that encourage its victims to open them. Yet James Quinn, a threat researcher at Binary Defense, revealed to Bleeping Computer that the botnet was taking the practice one step further.
Emotet’s email stealer model – which hijacks legitimate emails and sends them out as its own – now has the ability to hijack the email’s attachments too, as well as their contents and contact lists. In targeted attacks, this is a very smart technique, leveraging files that may already be doing the rounds at an organisation. These are often important files too – invoices, shipping requests, even job applications – so there’s always a convincing reason to open them.
As with the last reported instance of Emotet, it is still relying on the Qakbot dropper to spread its malware payloads. As of yet, the full litany of malware is unknown, but a ransomware known as ProLock is said to have been the subject of multiple reports.
Emotet is a smarter, more widely-spread malware than what usually ‘graces’ the pages of Threat Thursday, and these recent developments reveal exactly why. Be extra, extra cautious of any emails you receive in future – and be sure they’re from recognised senders.
Universities Challenged and National Trust Lost in the Ever-Escalating Blackbaud Hack
We can now add the UK’s National Trust to the list of institutions affected by the breach at cloud computing provider Blackbaud.
Blackbaud were the victims of a successful ransomware campaign back in May – but only advised the companies affected by the same breach earlier this month. Those affected include several UK universities, including Leeds, Oxford and South Wales; charities such as Sue Ryder and Young Minds; a number of early educational institutes worldwide; and several public museums in the UK and abroad.
The attacks seem to be targeting the details of charitable donors, and while no card payment details were compromised, some worryingly telling details were, including names, addresses, estimated wealth and – getting creepier as we go down the list – a history of philanthropic acts and the likelihood that a bequest be made upon death. It makes sense, when stealing personal details, to go after people with a legacy of charitable outgoings after all.
Blackbaud’s delay in advising affected customers has proven controversial, as has their decision to pay the cyber criminals their requested ransom – a decision strongly advised against by security specialists and law enforcement, as it potentially puts more funding into the pockets of cyber criminals worldwide. Time will tell how this reflects on the future of Blackbaud.
Well, I think that’s everything for this week – join us same time, same place next Thursday for the latest in cyber security news.