<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=156961&amp;fmt=gif">
Threat Thursday Blog Header

#ThreatThursday | 20th August 2020 | Cyber Security Updates

Remember how we rejoiced at last week’s lack of major cyber threats? Yeah, that may have been a tad premature.  

Turns out our cheers didn’t go unheard, as the cyber criminals are out in force for this week’s entry. Let’s hold our noses and dive straight in, then. 

RedCurl Proves They’re Not Picky as They Target Multiple Countries and Industries

Well, cast a wide enough net and I suppose you’ll catch enough fish. That’s the thinking behind RedCurl, the Russian-speaking band of bandits whose 2-year campaign of carnage has targeted a range of industries across multiple countries, including the UK.

Uncovered recently in a rather splendid report by Singaporean cyber-sleuths Group-IB, the previously-unknown threat group appears to favour corporate espionage - contracts, blueprints, invoices, employee records – and is targeting industries such as construction, retail, finance and law firms. Not that picky then, but picky enough to target the heavy hitters. Threat Thursday Mirus IT

Over 26 attacks and 2 years, RedCurl have successfully compromised 14 target companies, thanks to intricately designed spear-phishing emails and a smart approach to targeting victims. According to Group IB, RedCurl conducted in-depth intelligence on each victims’ infrastructure, targeting specific departments and posing as company HR. The phishing emails were also intricately designed, adopting company logos, addresses and domain names to social engineer their victims towards malware-laden websites.

RedCurl’s a group that clearly knows what it’s doing, with the reach, software and scamming techniques to penetrate high-value industries. Our advice, as with any phishing email, is to thoroughly check the sender address. Remember, it’s a piece of cake to mimic a legitimate email address, so look further than the sender’s name and truly investigate the domain these emails are coming from.


An Unenviable Task for HMRC as They Investigate Tens of Thousands of Phishing Scams

Her Majesty’s Revenue and Customs, those ever-charitable scamps who want nothing more than to protect the sanctity of our finances, have their work cut out for them of late, as it was reported they’re investigating more than 10,000 phishing campaigns that are leveraging the Covid-19 outbreak.

Lanop Accountancy Group, who earlier this year exposed a similar scenario leveraging the Job Retention Scheme, published details of this colossal task following their own Freedom of Information request. The volume of Covid-related schemes was at its highest two months after lockdown begun, peaking in May before subsiding in tandem with the easing of lockdown.Threat Thursday Mirus IT

HMRC are an often-mimicked entity in phishing emails, owing no doubt to their authoritative presence and their sheer financial grunt. To combat the growing popularity of the scam, they’ve already forced internet providers to block access to identified fraudulent websites, and with 10,428 phishing emails reported, there’ll be plenty more to come.

Our advice? Treat any HMRC related emails that come your way with two keen and scrutinous eyes, especially if they’re promising financial relief. After all, this is the HMRC we’re taking about; they’re not exactly keen to chuck money at you.


Deception by Design: Online Graphics Platform Canva Abused by Phishing Campaigners 

And to demonstrate just how easy it is to create a fraudulent email, news emerged this week that phishers were using the online graphic design platform Canva as a tool in their phishing campaigns.


Canva allows users to easily create graphics, presentations materials and other visual content for hosting online; naturally, this has made it especially tantalising to enterprising hackers, who’ve been using it to create convincing spam emails under the guise of legitimate sources. Threat Thursday Mirus IT

In an example shared by KnowBe4, hackers were able to recreate Microsoft SharePoint’s automated file alert emails, including a convincing copy of the “Someone Shared a File With You” email. This, in turn, leads to a spoofed version of the SharePoint login website, where our unwitting victim enters their personal details for the hacker’s taking.

While Canva doesn’t have the file-hosting capabilities to store any malicious files that the hackers might later rely on, its role in these schemes demonstrates how even the most benign of online facilities can be exploited by hackers. KnowBe4’s Phishing Alert Button, an add-on for email services such as Outlook and Gmail, has so-far reported over 4,000 of these Canva-Created phishing emails. The true number, as KnowBe4 asserts, is likely much larger.


Historical Hackers Are the Latest Victims of Blackbaud Breach

Blackbaud’s data breach has come full circle, making an unfortunate victim of Bletchley Park Museum.

If you don’t quite know what makes our local pride so revered, Bletchley Park housed the Government Code and Cipher School Threat Thursday Mirus ITduring World War 2, and it was here that Alan Turing and his team cracked the Nazi’s Enigma Machine. This exceptional feat allowed the UK to successfully interpret coded Nazi communications, and is credited with shortening the war by as many as 2 years.

Bletchley Park has since confirmed that it had secured any data that may have been exposed – which, going by Blackbaud’s other affected clients, may have included names, addresses and other personally identifiable information. Debit and credit card details, however, are said not to have been affected.

Blackbaud, a cloud computing provider, was hacked in July this year, affecting numerous not-for-profit institutions and prestigious UK universities.  


Your Latest Amazon Delivery: Cryptocurrency Miners, Log Cleaning Tools and Backdoor Trojans


A cryptomining worm is currently wriggling its way through Amazon Web Services, the cloud-computing solution offered by the global tech and retail giant. Threat Thursday Mirus IT

The TeamTNT worm was discovered by Cado Security earlier this week and is reportedly the first of its kind. As well as having the capacity to steal AWS credentials – thanks to code ‘borrowed’ from the existing Kinsing worm – the TeamTNT worm starts cryptomining the Monero cryptocurrency, raking in a healthy sum for the attackers in the process.

Cado insists that this isn’t a sophisticated attack (though your humble Threat Thursday writer wouldn’t know it from their tech-heavy explanation) and suggests that AWS users delete all unnecessary AWS files from their systems, use firewalls to restrict access to Docker APIs, and regularly review network traffic and connections to help mitigate the risk.  

Iced, Iced, ID

Stop, collaborate and listen; IcedID is now back in commission.
The trojan, after years of development
Has this month returned - ever more arrogant.

And while I’d love to continue this rundown through the medium of Vanilla Ice’s sub-par lyrical techniques, I’ve got deadlines to meet.

IcedID, the banking trojan discovered back in 2017 by the boffins at IBM, has popped up a few times since its less-than-welcome debut, bringing a raft of evasive capabilities with each showing. Now, America-based Juniper Networks are warning of the trojan’s return, this time by leveraging password-protected, macro-laden and trojan-infested documents. As you may have guessed, these are typically distributed via phishing campaigns. Threat Thursday Mirus IT

According to Juniper, this latest campaign has at least two tricks up its sleeve: first, it targets the customers of already-compromised businesses while posing as that same business, taking advantage of the existing customer relationship; second, the password-protected documents stand a better chance of bypassing anti-malware measures, as the protections make them harder to unpack and scan for threats. They also note that the emails “…also use a DLL for the second stage downloader, which shows a new maturity level of this threat actor”.

And so far, the techniques appear to have worked, smuggling their way past Gmail’s filters and into the inbox of the unwitting victims. Once they open the password-protected file with the provided credentials, the document can start to deliver the payload, stealing financial information and login credentials for online banking sessions.

Let us once again repeat the Threat Thursday mantra of email attachments: check the sender, check the file, treat executables with extreme caution and if in doubt, delete. Here endeth the lesson; or, as a wise Vanilla Ice once enthused: “Word to your mother”.  


Enterprising Researcher Reveals the Reason Behind Emotet


And now, for some good news.

James Quinn, of Ohio-based cyber security firm Binary Defense, shared a revealing blog post this week, explaining how he and his team were the people behind Emotet’s 6-month hiatus earlier this year. Threat Thursday Mirus IT

Having reverse-engineered the software behind Emotet (“malware is software that can also have flaws”, James reminds us), James researched, developed and eventually deployed the Emotet ‘vaccine’ known as EmoCrash. Over numerous iterations and battles with the ever-evolving botnet, Emocrash was released to defenders on Feb 12 2020, with strict instructions not to share it publicly and risk compromising their efforts. This proved to be super effective, as right up until July, Botnet’s spamming activities were stopped dead in their tracks. It wasn’t until August the 6th, when Emotet updated and removed their vulnerable registry, that EmoCrash was effectively rendered useless. Boooo.

Anyway, the report is a truly awesome read, and if you don’t mind the odd technical tangent, it’s well worth checking out here.  

And that about wraps it up for this week. A few more nasties coming out the woodwork, than we’d like, but a glimmer of hope thanks to the efforts of people like Mr. Quinn.

Until thenwhy not sign up to our Threat Thursday newsletter?

We’ll be back the same time and place next week – or why not drop your email address in the box on the right➡️, and we’ll make sure you get the latest Threat Thursday updates in your inbox every week?


Would you like to comment, or leave your thoughts?

Recent Posts