Time for more cyber crime shenanigans, as this week’s Threat Thursday explores a critical vulnerability in Microsoft Exchange Server.
Elsewhere, two trojans join forces, two browsers shake some critical vulnerabilities, and one global pandemic ruins everything. Again.
Browser Snakes: Chrome and Firefox Rid Themselves of Code Execution Vulnerabilities
Both Google Chrome and the connoisseur’s choice, Mozilla Firefox, have received some important security updates, squashing some serious code execution vulnerabilities in both apps.
Let’s start with Chrome. The 80.0.3987.162 update, available now, fixes flaws in the Mac, Windows and Linux versions of Chrome. In severe cases, these vulnerabilities would allow for an attacker to execute malicious code from within the victim’s browser – that’s according to a report by the Center for Internet Security (note the American spelling of ‘centre’, there). For smaller businesses and government entities, these flaws are listed as medium risk, though that risk increases with company size, reportedly. Depending on the privileges enabled within Chrome, a successful breach could result in full data compromise, allowing the viewing, changing and deletion of data. Whatever size your business – and with many of your users likely running on various different Chrome versions since home working came into effect – now might be the time to force an update across your business if you haven’t already.
Meanwhile, Mozilla Firefox’s zero-day vulnerabilities allow for similar misdemeanours, and have already been exploited via targeted attacks “in the wild”, as we cyber folk like to call it. The bugs impact Firefox software on Windows, Mac and Linux, and all versions before 74.0.1 are considered vulnerable. Once again, the folks at the aptly-titled Center for Internet Security have the lowdown. As always, make sure you and your users are protected behind these newest versions..
What’s That? Another Covid-19 Phishing Campaign? You Don’t Say!
I mean, what else is there left to say? Threats relating to Covid-19 are ten a penny now, and if there’s anything exciting left to say about them it’s that they at least have the decency to use a different malware every now and then.
So, which one is it this week? LokiBot, you say? And it’s delivered via a malicious attachment in an email claiming to be from the World Health Organisation? Sure, fine, just put it in the pile with the rest of them.
Before then, however, let’s at least familiarise ourselves with the email’s warning signs so we know just what to look out for. Care to help us out with your recent report here, Fortinet?
Let’s start with the expectedly cynical use of a reputable organisation in an attempt at authenticity. Yep, that’s strike one; the email claims to be from the World Health Organisation and the Centre for Disease Control. Ironically, the English use of the word ‘centre’ is incorrect in this instance. As an American organisation, the Center for Disease Control spells its name with an ‘er’. I know it looks weird, but go easy - those poor guys haven’t even adopted the metric system yet.
Speaking of which, how’s the rest of the spelling and grammar? Surprisingly not bad; definitely above the barely legible nonsense we’re used to in Phishing emails. Some apostrophes wouldn’t go amiss but all in all, this has a far more professional tone than we might expect. Don’t let that sway you.
So where’s the malware hiding? In none other than the attached file: “COVID 19 – WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”. Spot the two file extensions? .Zip is a common one, but not .arj. One can’t help but wonder if the .zip is an attempt at misdirection; it’s more recognised than the .arj file type, which is specific to the ARJ archiver software. I wouldn’t suggest clicking it to find out.
The file itself, when opened and extracted, is riddled with LokiBot; an infostealer that nabs stored passwords from email applications and browsers, as well as numerous other credential resources.
Look, we can’t overstate how important it is not to open any unknown files, especially those from unexpected emails; but we can’t overstate how bored we are with these Covid-19 campaigns, either. Eventually, we’ll all learn to ignore them, and they won’t be half as valuable as their manufacturers once predicted. A bit like Beanie Babies.
FIN6 and Trickbot, Sittin’ in a Tree, H, A, C, K, I, N, G
It’s adorable how technology can help bring people closer together; unless of course, those people are the developers behind recurring villain Trickbot and cyber crime collective FIN6.
FIN6 (otherwise known as ITG08, which rolls off the tongue much less convincingly) have only gone and left lipstick stains all over some recent Trickbot attacks, demonstrating that the two have joined forces. IBM X-Force are once again the team behind this recent discovery, whose report details a spate of attacks being set up by initial Trickbot infections, and then being targeted by techniques most commonly found in FIN6’s repertoire. The collaboration would make sense; With TrickBot being a banking trojan and FIN6 regularly targeting point-of-sale systems and enterprise networks, the two have broadened one another’s horizons with serious financial-stealing potential for both.
So that’s nice.
This now puts financial institutions, hospitality providers and the retail sector at a greater and combined risk, making proactive security arrangements a must. With both teams collaborating and their targeted campaigns now broader than ever, the combined risk is nothing to be dismissed.
Microsoft Exchange Severs Getting Breached? Guh, that is soooo February 2020!
If you’re one of over 80% of Microsoft Exchange Server users who still hasn’t installed February’s essential update you may want to - as my old man used to say - pull your proverbial finger out.
According to analytics from the researchers at Rapid7 Labs, at least 357,629 of the 433,464 Exchange servers were observed to be vulnerable. That’s 82.5%.
The reason you’ll want this sorted as soon as possible is that the patch covers a borderline critical vulnerability that allows infiltrators to perform remote code executions with system privileges. Spoiler: you don’t want that. What you do want, however, is to ensure that update is applied; the link above has a handy ‘Taking Action’ section that’ll explain the process.
We’ve still got time to critique the naming conventions of this week’s threats:
LokiBot: I mean, you might as well name your malware after the Norse God of Mischief, especially given his penchant for shallow pleasures, cowardice and selfishness. 8/10
FIN6 / ITG08: Whatever name you choose to go by, it’s still completely indiscernible from that of a print cartridge’s serial number. 2/10
And that’s your lot for this week! Join us next Thursday for the usual rundown – or why not have Threat Thursday reports sent directly into your inbox?