A new phishing scam uses car insurance savings as to lure its victims, a report by Sophos shows that small businesses are being targeted by cybercriminals at an increasing rate. Okta says that data claiming to be from hacking them is not their customer data. These stories and more…
Welcome to Cybersecurity Today for Wednesday March 13th, 2024. I’m your host Jim Love, filling in for Howard Solomon.
A new phishing scam targets savings on car insurance and it’s apparently working well.
We all talk about the increasing sophistication of phishing scams, but sometimes in life it’s the simple things that work best, and this apparently applies to phishing.
A new phishing campaign uncovered by experts from Cofense has threat actors impersonating a car insurance company. The email is short and to the point and doesn’t distribute anything malicious. In some cases its even carried by a Google Ad link. This explains how it gets by secure gateways and filters.
In the email, victims are told that they are eligible for a credit of up to 10% of the value of the latest value of their car.
To learn more, they are given a link to a website that was once legitimate but was recently compromised and repurposed for this attack. The site has “downloadable instructions” on how to claim their funds, but what is downloaded is a JavaScript that will deploys the NetSupport Remote Access Trojan or RAT.
NetSupport is actually a genuine application designed for remote access by support technicians and has been in use for 20 years or more, but in this altered version, it gives the attacker unauthorized access to the user’s device.
It’s a reminder corporate users need to be trained that any offer, no matter how seemingly innocuous, cannot be responded to on a corporate device even if that offer comes by what is regarded as a legitimate channel, such as a Google ad.
Link to the full story from TechRadar.
Over three-quarters of cyber incidents hit small businesses in 2023, with ransomware having the biggest impact. This is according to a new report from Sophos. As the Sophos report points out, these businesses, with under 500 employees make up almost 90% of the world’s business and account for 50% of employment world-wide. But they have fewer resources to effectively protect themselves versus larger enterprises, making them much easier targets.
One of the key attacks on these SMBs last year was ransomware.
The LockBit group was most active and they made up the highest number of small business ransomware incidents handled by Sophos at 27% of incidents but there were other groups involved including Akira 15%, BlackCat 13% and Play at 10%
The notorious LockBit group made up the highest number of small business ransomware incidents handled by Sophos Incident Response last year, at 27.59%.
The report also talked about some of the new tactics including the increased use of remote encryption, where attackers were using unmanaged devices to encrypt files on other systems in the client network.
They also note that ransomware attackers are building malware which targets macOS and Linux operating systems. Sophos researchers have seen leaked versions of LockBit ransomware targeting macOS on Apple’s own processor and Linux on multiple hardware platforms.
90% of the attacks reported by Sophos involve data or credential theft. Close ot half of all malware targeting SMBs last year involved data theft from password stealers, keyboard loggers and other spyware.
The most prominent stealers include RedLine (8.71%), Raccoon Stealer (8.52%), Grandoreiro (8.17%) and Discord Token Stealer (8.12%).
Christopher Budd, director of Sophos X-Ops research at Sophos, commented: “The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation.”
The report also talked about a rise in malware-as-a-service operators spread by web advertising and SEO poisoning. SEO
The report highlighted a rise in malware-as-a-service (MaaS) operators using malicious web advertising and search engine optimization (SEO) poisoning to infect victims.
SEO poisoning uses legitimate services to increase the searchability and prominence of websites on search engines such as Google and Bing ads. This gives them an illusion of authenticity. These fake websites can use legitimate company’s branding to fool victims into downloading software.
But using email in what are termed Business Email Compromises or BEC are still extremely popular and as an attack vector, second only to ransomware. But the BEC attacks are extremely creative and attackers may have several contacts and even engage in conversations before they send malicious links.
As well as being creative in their approach, attackers are experimenting with various ways to evade security detection tools, high messages in images, using QR codes, fake invoices – but the all-time favourite is still the humble compromised PDF file.
Attackers moved to PDF file attachments “almost exclusively” last year, the report found. These primarily link to malicious scripts or sites, and sometimes used embedded QR codes.
A link to the full Sophos report is included in the show notes.
Researchers have created a knowledgebase to share information on misconfiguration of Microsoft’s Configuration Manager or SCCM or MCM.
The repository shares both attack and defence techniques and ways to avoid improper setup of Microsoft’s Configuration manager which attacker can exploit.
Configuration Manager that used to be known as System Center Configuration Manager has been around since 1994 and is present in many Active Directory environments. It’s used to help administrators manage servers and workstations in a Windows network.
It’s also been highly studied as, particularly if misconfigured, it is an effective way for attackers to gain admin privileges on a Windows domain.
SpecterOps researchers Chris Thompson and Duane Michael announced the release of Misconfiguration Manager at the SO-CON security conference. MCM or SCCM, whatever acronym you use, is not easy to set up and the default configurations have lots of ways that attackers can mount exploits.
Because of the difficulty in setting up MCM, one of the most frequent issues is the creation of network access accounts or NAA’s with too many privileges. The researcher’s noted that “it’s overwhelming to configure, and a novice or unknowing administrator may choose to use the same privileged account for all of the things.”
The researchers also demonstrated a series of use cases from using a Sharepoint account of a standard user and turning that into a domain controller and how they were able to get into the central administration site and give themselves full administrator access.
The repository currently has descriptions of 22 different techniques that can be used to attack MCM/SCCM or to use it in “post-exploitation” activities. There’s a link in the show notes for those who want to check it out.
Link to Misconfiguration Manager
And identity management company Okta has said that data leaked on a hacking forum is not theirs.
For those who might not know the Okta is a San-Francisco-based cloud identity and access management solution provider. They provide solutions for Single-Sign-On, multifactor authentication and API access management.
In October of last year Okta’s support systems were breached by hackers using stolen credentials. It may not have been as big as SolarWinds, but it was not only embarrassing but it the attack did impact all customers on Okta’s support systems.
And there was an impact. One breach that made the news was the compromise of one of Cloudflare’s self-hosted Atlassian servers, which had hackers employing access tokens stolen during the Okta breach.
Now, as the company has attempted to repair the damage done to customers and reputation, a group of hackers has leaked data files they claim are from the Okta attack. The cybercriminal who uses the alias Ddarknotevil released what they claimed was information on 3,800 customers that were stolen during last year’s breach.
The leaded data looked authentic and included IDs, names, company names, addresses, phone numbers, email addresses, titles and more.
But Okta told Bleeping Computer, who broke the story, that this is not their data. They said that they had conducted a rigorous investigation and determined that “this is not Okta’s data, and it is not associated with the October 2023 security incident,” Further, they stated, “We cannot determine the source of this data or its accuracy, but we noted that some fields have dates from over ten years ago. We suspect that this information may be aggregated from public information sources on the Internet.”
Full story in Bleeping Computer
And that’s it for this episode of Cybersecurity Today. As always, links to stories and other information will be included in the show notes posted at itworldcanada.com/podcasts. Look for Cybersecurity Today
And we always love to hear our listeners, even if it is to correct us. If you have comments, please send me a note at [email protected] or under the show notes at itworldcanada.com/podcasts
And if you want to catch up on other tech news, check out my daily news podcast Hashtag Trending which you can find in all the same places you find Cybersecurity Today – Apple, Google, Spotify or at itworldcanada.com/podcasts.
I’m your host Jim Love, filling in for Howard Solomon. Stay safe.