Welcome back to Threat Thursday!
It’s less than a week until Christmas and a short hiatus for the Threat Thursday blog. Yet an early, pre-2020 retirement simply isn’t on the cards for our nation’s Cyber Criminals, who continue to up their game this week.
Maze Ransomware Leaves Victims Feeling Lost
Having seemingly learned from Ryuk’s embarrassing blunder last week, the developers of the Maze Ransomware are hedging their bets and creating an all-new way to ensure payment from victims: naming, shaming and leaking their info.
In a move so crudely effective we’re amazed it hasn’t been done before – or at least more frequently – the creators of Maze are threatening anyone infected with their Malware with a full online leak of their stolen credentials. That’s one way of ensuring your victims cough up the goods.
True to their word, Maze’s own victims’ gallery already hosts eight of their latest targets. The website insists that confidential databases and other sensitive documents are soon to be revealed, so while the authenticity of these claims remains very much in question, the proof could very well be coming soon.
It’s a dirty trick, adding an extra extortionate angle to the Ransomware process. While it’s still advisable never to pay the ransom on these sorts of attacks, this added threat does make defiance that little bit more nerve-wracking. If anything, it illustrates the need not only for protection from rogue sites and dodgy emails, but in familiarising yourself with the tell-tale signs of scams and phishing emails.
Roosters Don’t Have Teeth, But the Threat of MageCart Certainly Does
Media content company Rooster Teeth is the latest victim of the MageCart consortium – a dastardly deck of data-diving payment-pinchers who compromise websites typically running the Magento e-payment system. Their Supply Chain Attacks scan the payment information of a website’s customers as a payment goes through, for reasons that are probably very obvious.
While Rooster Teeth managed to remove the threat from the site – and not all its paid services were affected – the owners have nonetheless informed a small number of potential victims and offered Experian credit monitoring services as recompense to those affected. A breach notification on the Rooster Teeth site reads:
“On December 2, 2019, Rooster Teeth discovered that malicious code had been added to the site earlier the same day. The malicious code directed users entering a checkout on the site to a spoofed web page where they were asked to enter payment card details in order to complete their purchases. This was inserted after the stage at which users entered their shipping data. Users who completed the payment card details page were then directed to the real web page, where they were asked to complete the forms again. We removed the malicious code from the site and took other steps to secure the site against further unauthorized access.”
This recent attack is a slight deviation, however; this time, MageCart leveraged Rooster Teeth’s less-secure pages to redirect users to a credential-stealing webpage, rather than skimming card details at the point of purchase. If anything, this demonstrates that while MageCart’s intentions never change, their tactics continue to evolve and expand. If you’re an ecommerce business, be sure to check your payment pages for any discrepancies and regularly review their security setup.
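One concrete way to do that check, added here as an example and not code from Rooster Teeth, Magento or the original post: audit the checkout page’s HTML against a known-good baseline. The two things the breach notice describes (injected code, and users being sent to a spoofed payment page) show up as a script from an origin you never approved and a form whose action points off-site. The sample page, the shop origin, the allowed payment-provider domain and the inline-script baseline below are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (not a real shop): one first-party script, one expected
# payment-provider script, one injected third-party script and a card form whose
# action has been re-pointed at an off-site "spoofed" payment page.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://payments.example-psp.com/v1/widget.js"></script>
<script src="https://cdn-stats-example.net/analytics.js"></script>
<script>window.__cfg = {currency: "USD"};</script>
<form id="card" action="https://checkout-shop-example.net/pay" method="post">
  <input name="card_number"><input name="cvv">
</form>
</body></html>
"""

SHOP_ORIGIN = "https://shop.example.com"          # assumed first-party origin
ALLOWED_SCRIPT_ORIGINS = {SHOP_ORIGIN, "https://payments.example-psp.com"}
# Baseline of inline-script hashes taken from a known-good deploy (constructed here).
KNOWN_INLINE_SHA256 = {
    hashlib.sha256(b'window.__cfg = {currency: "USD"};').hexdigest()
}


class _CheckoutAuditor(HTMLParser):
    """Collects external script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self.form_actions = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf).strip())
            self._in_script = False


def _origin(url, page_origin):
    """Resolve a src/action to its origin; relative URLs belong to the page itself."""
    p = urlparse(url)
    if not p.scheme and not p.netloc:
        return page_origin
    return f"{p.scheme}://{p.netloc}"   # protocol-relative URLs yield "://host" and fail the allowlist


def audit_checkout(html, page_origin=SHOP_ORIGIN,
                   allowed=ALLOWED_SCRIPT_ORIGINS, baseline=KNOWN_INLINE_SHA256):
    """Return (kind, detail) findings; an empty list means the page matches the baseline."""
    parser = _CheckoutAuditor()
    parser.feed(html)
    findings = []
    for src in parser.script_srcs:
        if _origin(src, page_origin) not in allowed:
            findings.append(("unexpected_script_origin", src))
    for body in parser.inline_scripts:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline:
            findings.append(("unknown_inline_script", digest[:16]))
    for action in parser.form_actions:
        if _origin(action, page_origin) not in allowed:
            findings.append(("offsite_form_action", action))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run it on a schedule against the live checkout URL and alert on any non-empty result; the inline-script baseline has to be refreshed whenever a legitimate deploy changes those scripts, otherwise every release looks like an injection.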
Merry Christmas, From All Your Friends at Emotet!
Ah, jolly good. Emotet, one of Webroot’s top three worst malware of 2019, isn’t letting Christmas slip by un-merried. In a cynical yet no less expected assault on holiday cheer, Emotet abusers are slipping their malware into phishing emails, with subject headers alluding to an ambiguous ‘Christmas Party 2019’. It’s likely that these headers are targeting the office working crowd, whose infamous Christmas party exploits have sullied stationery cupboards and contravened acceptable photocopier use since time immemorial.
The email itself contains a Microsoft Word document, typically named ‘Christmas Party.doc’, which opens in Protected View and asks the reader to ‘enable editing’ to be able to read it. Doing so actually enables an embedded macro which, upon execution, unleashes the Emotet trojan onto the Windows operating system. In a delightful touch, the email even reminds users to wear their ugliest Christmas sweater to the so-called party – which is just another layer of cruelty, frankly. The scheme was uncovered by Cofense Labs’ Twitter account, and you can see an example of one of these delightful emails here.
It’s a well-timed malware campaign and a surprisingly effective one too, with a human element giving it an extra injection of authenticity. Try not to be fooled; check the sender’s details, and even if it seems trustworthy, check that the address hasn’t been spoofed by scanning diligently for spelling errors. Don’t open any unexpected attachments and, most importantly, don’t wear Christmas sweaters. Seriously, they’re the worst.
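The checks in the two paragraphs above (sender details, a spoofed address, an unexpected attachment) can be automated at the mail gateway. The script below is an added example, not code from Cofense Labs, Webroot or the original post; the message it parses is constructed for the example, and every address and domain in it is invented. It flags an address-looking display name that doesn’t match the real sender, an envelope sender from a different domain than the From header, the reported ‘Christmas Party’ subject, and an attachment in the legacy binary Office container (the .doc format), which is the one that can carry VBA macros.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office binary container header
MACRO_CAPABLE_EXT = (".doc", ".dot", ".docm", ".xls", ".xlsm", ".ppt")
LURE_SUBJECT_RE = re.compile(r"christmas\s+party", re.I)

# Constructed sample message (not a captured one); addresses and domains are invented.
SAMPLE_EML = (
    b"Return-Path: <bounce@bulk-sender-example.org>\r\n"
    b'From: "HR Team <hr@corp-example.com>" <newsletter@mail-relay-example.net>\r\n'
    b"To: staff@corp-example.com\r\n"
    b"Subject: Christmas Party 2019\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"\r\n"
    b"Invite attached. Wear your ugliest Christmas sweater!\r\n"
    b"--b1\r\n"
    b'Content-Type: application/msword; name="Christmas Party.doc"\r\n'
    b'Content-Disposition: attachment; filename="Christmas Party.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(OLE2_MAGIC + b"\x00" * 24)
    + b"\r\n"
    + b"--b1--\r\n"
)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw):
    """Return (kind, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = _domain(sender.addr_spec)
    # 1. Display-name spoofing: an email address shown in the name that isn't the sender.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", sender.display_name):
        if _domain(shown) != from_domain:
            findings.append(("display_name_spoof", shown))

    # 2. Envelope sender (Return-Path) on a different domain than the From header.
    rp_domain = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    if rp_domain and rp_domain != from_domain:
        findings.append(("return_path_mismatch", rp_domain))

    # 3. Subject matching the seasonal lure reported for this campaign.
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT_RE.search(subject):
        findings.append(("lure_subject", subject))

    # 4. Attachments that are macro-capable by extension or by the OLE2 magic bytes.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_CAPABLE_EXT) or payload.startswith(OLE2_MAGIC):
            findings.append(("macro_capable_attachment", name))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_message(SAMPLE_EML):
        print(f"{kind}: {detail}")
```

None of these signals is conclusive on its own (legitimate bulk mailers also produce Return-Path mismatches), so score them together rather than blocking on any single hit; the macro-capable attachment combined with a spoofed display name is the pairing worth quarantining.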
WordPress Vulnerability Gives Hackers Access To… *Checks List*… Everything
It’s been reported that two WordPress plugins from the same developer suffer the same critical vulnerability – and it’s a big ‘un.
Ultimate Addons for Elementor and Ultimate Addons for Beaver Builder, by developer Brainstorm Force, are both designed to add extensive functions to the two eponymous web design tools. Sadly, a vulnerability in both add-ons could give hackers full administrative access to any website running them – giving the attacker free rein to add, edit or remove crucial website data on a whim.
Security plugin provider WebARX has confirmed that this vulnerability is already being exploited in the wild, but the true extent of these attacks is yet to be revealed. With the earliest recorded incident dated the 10th December, it’s likely there are plenty more waiting to make themselves known.
Probably best not to be among them. If your site currently uses either tool, now’s the time for web admins to update to the latest version: simply click ‘update’ from within the WordPress dashboard.
But it’s not all bad news… BlueKeep Scanner Hunts Down Common Windows Vulnerability
The BlueKeep vulnerability for Windows Remote Desktop caused something of a panic when it was first discovered in May this year. This vulnerability was present in most versions of Windows from 2000 up to Windows 7 and allowed remote code execution should hackers gain access to the Remote Desktop session. While the vulnerability was quickly patched, that didn’t stop BlueKeep’s bigger, scarier older brother, the ingeniously-titled DejaBlue, from popping up in newer versions of Windows including 7 and 10.
Well, the kind folks at ESET have created a free-to-download app that scans computers and detects any still exposed to BlueKeep. With tens of thousands of computers still thought to be under threat from this exploit, it’s nice to see a diagnostic tool like this being given away for nothing at all. You can download it here.
Thus concludes the last Threat Thursday of 2019! Stay safe, have a Merry Christmas and here’s to a prosperous New Year to one and all!