Maybe it’s to do with the run up to Christmas, but we’re seeing fewer threats to businesses and more to individuals in this week’s Threat Thursday.
A wealth of phishing schemes, trojans and data breaches are targeting such broad demographics as Windows users, Android users and Disney fans – all of whom are likely days away from Christmas shopping sprees. More reason not to trust everything you see online…
Who Believes Your Password Offers Poor Security? M-i-c-k-e-y, M-o-u-s-e!
Only one week after the launch of their streaming service, Disney+ is facing accusations of poor security as thousands of irate customers have already had their accounts compromised, their passwords changed and their lives well and truly devoid of the inimitable Disney magic.
A spokesperson for Disney, however, says it’s unlikely to be a cyber attack: “Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” they claimed. “These incidents most likely occurred as a result of an unauthorized individual re-using a customer’s email/password combination, gathered during previous security incidents impacting other companies.”
The response isn’t especially reassuring, but it’s probably not far from the truth either. A streaming service such as Disney has undoubtedly got an audience of millions, many of whom have not only had passwords compromised but are reusing those same passwords day in, day out. It stands to reason that hackers were chomping at the bit for those people to sign up to this long-awaited service and walk right into their grubby hands. It may come as no surprise that certain subscription details are already appearing on the Dark Web for as little as £3.
While it’s unlikely that our hapless streamers will take this response with A Spoonful of Sugar, Disney+ certainly presents hackers with A Whole New World of opportunities. Knowing how many Disney fans there are, and just how many of them are likely to reuse passwords, it’s understandable that hackers want to be Part of That World. Maybe if the victims practiced The Bear Necessities of cyber security, then those Poor Unfortunate Souls would be able to log on to their streaming services with no worries for the rest of their days.
It’s a problem-free philosophy. Hakuna Matata.
VMware Fixes Five Security Vulnerabilities in Its Latest Patch
In case you’ve forgotten between now and the headline you read five seconds ago, a crucial update for VMware is now available which fixes all manner of security vulnerabilities, including memory leaks, DDoS exploits and Remote Code Executions. The vulnerabilities affect VMware Workstation Pro, VMware Workstation Player, VMware Fusion and VMware Fusion Pro.
Patches for all these vulnerabilities are now available, but do note that the fix for one of them, CVE-2018-12207, is not enabled by default once the patch is installed. This was a deliberate move by VMware to avoid potential performance issues, but it can be enabled by following VMware’s published instructions.
These Are Not the Androids You’re Looking For
The launch of some of the latest Android smartphones is introducing 146 new security flaws – a number that top mathematical scientists, we believe, refer to as ‘whopping’.
Mobile security specialists Kryptowire uncovered the CVEs (Common Vulnerabilities and Exposures) in devices from almost 30 smartphone manufacturers. Unfortunately, these CVEs aren’t simply an issue with the latest versions of Android – the culprits are more often the result of manufacturer-specific software, preloaded onto the device and not typically removable at the behest of the user. It’s these unrequested apps – commonly referred to as ‘bloatware’ – that are introducing the issues.
As a result, patching these vulnerabilities isn’t the responsibility of Android programmers; it falls to the individual manufacturers, and their software engineers, to isolate the vulnerabilities and patch them in their latest app updates. That’s 146 vulnerabilities we’re relying on almost 30 different manufacturers to fix independently.
And this, folks, is why security software for your Android devices is a must. Android, as an open-source OS, arguably offers more flexibility than an Apple device – but that also makes it more prone to vulnerabilities.
‘Windows Update’ Delivered Via Email Goes About as Well as You’d Expect
If you’ve received an email which supposedly contains a “critical Windows update”, don’t open it.
Microsoft have never updated their operating system via mass email, and Ransomware such as ‘Cyborg’ is exactly the reason why. Often delivered via emails with such tantalising subject lines as “Critical Microsoft Windows Update!” and “Install Latest Microsoft Windows Update Now!”, Cyborg is a file attachment which, when opened, encrypts a computer’s files, extorts its victims, and quite possibly makes unflattering remarks about their mothers.
The discovery, made by the folks at Trustwave, led them down a veritable Ransomware rabbit hole. In searching for the offending file on VirusTotal, they discovered a GitHub repository housing the original file (under the incredibly helpful name of Cyborg-Ransomware) and a link to the malware’s builder. This suggests that variants of the Cyborg Ransomware can be created and subsequently improved upon.
The good news is that the email campaign seems to have slowed down, with fewer reports of its spread being made. The bad news is that when it does return, it may do so with a whole new identity and a host of new capabilities.
The takeaway from all this? Don’t download any unrecognised files, don’t trust any emails with unexpected file attachments, and remember that Windows updates will only ever be delivered via your Windows operating system.
Pheeding Phrenzy! Phishing Campaign Moves Up the Food Chain for Office 365 Scam
How appropriate that a campaign named after our aquatic acquaintances would soon mimic their behaviour. A new phishing campaign is gobbling up legitimate Office 365 accounts, then using these to gobble up the credentials of further victims.
Using previously phished or stolen credentials, the phishers can enter a compromised Office 365 account with full administrative privileges. With these privileges, they can create a whole new account from which to send further phishing emails. The scheme itself is admittedly rather clever; no existing email addresses on the account are affected, so legitimate users on the compromised account experience no suspicious activity. At the same time, coming from a legitimate Office 365 account gives the emails an air of authenticity. This makes them more likely to pass the security solutions of the next victims in the chain.
Office 365 admins will want to be aware of emails containing such lures in their subject lines as “We placed a hold on your account” and “Action required!”. These are the phishing emails that supposedly kick-started the scheme and send victims to a false login page, which hoovers up any login details that are entered.
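One way an Office 365 admin could spot the pattern described above (a freshly created account that starts sending mail almost immediately, using the lure subjects named here) is to correlate account-creation events with sent-mail events. This is an added example, not code from the original post; the record layout is a constructed, simplified stand-in for an audit log export, not the real Office 365 audit log schema.

```python
# Added example: correlate "user created" events with mail sent by that user.
# The tuple layout (timestamp, event, actor, target_or_subject) is a constructed
# simplification, not the real Office 365 unified audit log format.
from datetime import datetime, timedelta

# Lure subjects quoted in the post, normalised to lower case for matching.
LURE_SUBJECTS = ("we placed a hold on your account", "action required!")

# Constructed sample records for an imaginary tenant example.com.
EVENTS = [
    ("2019-11-18T09:00:00", "UserAdded", "admin@example.com", "billing-notice@example.com"),
    ("2019-11-18T09:05:00", "MailSent", "billing-notice@example.com", "Action required!"),
    ("2019-11-18T09:06:00", "MailSent", "billing-notice@example.com", "We placed a hold on your account"),
    ("2019-11-18T10:00:00", "MailSent", "alice@example.com", "Q4 budget"),
    ("2019-11-01T08:00:00", "UserAdded", "admin@example.com", "bob@example.com"),
    ("2019-11-18T11:00:00", "MailSent", "bob@example.com", "Action required!"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_senders(events, window=timedelta(hours=24)):
    """Return {sender: [reason, ...]} for senders worth a closer look.

    A sender is noted when it sends mail within `window` of its own account
    being created (the "new account used purely for phishing" pattern), and
    whenever a sent subject matches one of the known lure lines.
    """
    created = {target: parse(ts) for ts, ev, _actor, target in events if ev == "UserAdded"}
    findings = {}
    for ts, ev, sender, subject in events:
        if ev != "MailSent":
            continue
        reasons = []
        born = created.get(sender)
        if born is not None and timedelta(0) <= parse(ts) - born <= window:
            reasons.append("sent mail %s after account creation" % (parse(ts) - born))
        if subject.strip().lower() in LURE_SUBJECTS:
            reasons.append("known lure subject: %r" % subject)
        if reasons:
            findings.setdefault(sender, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for sender, reasons in find_suspicious_senders(EVENTS).items():
        print(sender, "->", "; ".join(reasons))
```

In the sample data, billing-notice@example.com is flagged on both counts, bob@example.com only for the lure subject (the account is weeks old), and alice@example.com not at all.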
It's been a busy week this week, and we have a feeling that as more people turn to the internet to do their Christmas shopping, more phishers will be waiting in the shadows to pounce on the security-averse.
Don’t give them the satisfaction – subscribe to Threat Thursday for the latest cyber threats, directly into your inbox, every week.
If you'd like some help, we offer FREE Cyber Security Health Checks for businesses, so if your security is up for review, get in touch for impartial advice that won’t cost a thing.