Cybersecurity Alerts, News, and Tips

Monkeying Around for Office 365 Credentials

Criminals are abusing SurveyMonkey to host redirect links to an Office 365 phishing page, researchers at Abnormal Security have found. The emails contain links to a real SurveyMonkey page, but clicking the links will take the user to a spoofed Microsoft login page that asks them to enter their Office 365 email address and password.
“By using these legitimate services, attackers can bypass email URL detection systems deployed by many email security tools,” Abnormal Security says.
The attack is designed to fool humans as well, since the victim is clicking on what appears to be a legitimate URL.
“Since the URL isn’t visible within the body text, it is easy to miss at first glance,” the researchers write. “The first link redirects to a real SurveyMonkey link, and then finally to the landing page of the phishing site…. As these emails originated from the legitimate SurveyMonkey email address, and the body of the email contains a link to the real SurveyMonkey domain, one would easily believe the email to be benign. However, it isn’t until the second redirect where the user is led to a phishing page that the attacker controls.”
Additionally, the researchers note that the phishing email prepares the user to believe they may be asked to enter their credentials to verify their identity.
“Because the email mentions that each survey link is unique to each recipient of the email, users may be primed to think that the login page is there to validate that their responses are from the legitimate recipient of the email,” the researchers say. “Thus, the behavior isn’t unexpected (even if it’s atypical – recipients should never enter their email credentials into a survey, regardless of which service is providing it).”
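The detection gap the researchers describe is that the visible link really does point at SurveyMonkey, and the phishing page only appears after a second redirect. One defensive check is to resolve the whole redirect chain and compare the final landing host with the trusted first hop. The following is an added example, not code from Abnormal Security or from the original post; the redirect map, the hostnames and the keyword list are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed stand-in for live HTTP 3xx responses: visited URL -> Location header.
# None of these hostnames are real; they model the two-hop chain described above.
REDIRECTS = {
    "https://www.surveymonkey.com/r/example-token": "https://redirector.example.test/go?id=1",
    "https://redirector.example.test/go?id=1": "https://office365-login.example-phish.test/login.php",
}

# Hosts we accept as the legitimate survey platform and as legitimate Microsoft sign-in.
TRUSTED_FIRST_HOPS = {"surveymonkey.com", "www.surveymonkey.com"}
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
CREDENTIAL_HINTS = ("login", "signin", "password", "office365", "o365")


def resolve_chain(url, redirects, max_hops=10):
    """Follow the redirect map from url and return every URL visited, first to last.

    A hop limit guards against redirect loops in the map.
    """
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain


def assess_link(url, redirects):
    """Flag a link whose trusted first hop ends on a credential page elsewhere."""
    chain = resolve_chain(url, redirects)
    first_host = urlparse(chain[0]).hostname or ""
    final = urlparse(chain[-1])
    final_host = final.hostname or ""
    reasons = []
    if first_host in TRUSTED_FIRST_HOPS and final_host not in TRUSTED_FIRST_HOPS:
        reasons.append("trusted first hop redirects off-platform to " + final_host)
    page = (final.path + "?" + final.query).lower()
    if any(k in page for k in CREDENTIAL_HINTS) and final_host not in MICROSOFT_LOGIN_HOSTS:
        reasons.append("credential-style page on a host that is not a Microsoft login host")
    if ("microsoft" in final_host or "office" in final_host) and final_host not in MICROSOFT_LOGIN_HOSTS:
        reasons.append("Microsoft branding in a non-Microsoft hostname")
    return {"chain": chain, "final_host": final_host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess_link("https://www.surveymonkey.com/r/example-token", REDIRECTS))
```

Wired into a mail gateway this would run against the Location headers of real responses instead of the constructed map, with the displayed link as the starting URL.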
New-school security awareness training can teach your employees to be suspicious whenever they’re asked to enter their credentials, even if they initially think they’re on a legitimate site.

6000% Increase in Phishing Attacks Leveraging COVID-19, Healthcare Industry Often The Target

On July 3rd just before the holiday weekend, Mount Auburn Hospital’s IT team identified suspicious activity. Alarmed, they quickly took steps to disconnect the Cambridge hospital’s computer system from the internet. They switched from automatic backup procedures to manual ones.
No patient data was compromised, and the Harvard-affiliated hospital was able to continue its normal operations, according to hospital officials. Such attempted phishing attacks are a daily, if not an hourly, occurrence at hospitals all across America. Many don’t end as well as Mount Auburn’s did.
More than 80% of medical practices have been the victims of cyberattacks, according to a national survey. Over half reported patient safety concerns from the hacks, and 20% said that their business had been interrupted for more than five hours. “That can be the difference between life and death,” said Wendi Whitmore, a cybersecurity expert and vice president of IBM X-Force, a commercial security research team.
The situation has only gotten worse during the months-long coronavirus pandemic, as more employees switched to working from home, and medical facilities were cash-strapped and stretched thin because of COVID-19. Between March and April, IBM saw a 6,000% increase in spam attacks on information technology systems, leveraging COVID-19, many of them at health care facilities, Whitmore said, describing the situation as a continuous “cat and mouse” game between criminals and institutions. 
Whitmore said there’s been a huge increase in security incidents in recent months, climbing by as much as 75% in North America and 125% in Europe and the Middle East.
Seattle Children’s, for example, saw double the normal amount of attempted hacking attacks in March, specifically phishing emails, hunting for someone on the staff who would click on a malicious link and allow malware into the health system’s network, said Gary Gooden, chief information security officer at the Washington-based health system. The reason: Hackers can make a lot of money. Globally, cybercrime adds up to billions of dollars a year, Gooden said.
USA Today has the story.

BrandPost: Virtual Security Analysts – Using AI to Bridge the Cybersecurity Skills Gap

Perhaps the most resource-intensive task required of security teams is the correlation and analysis of the massive volumes of data being produced by security devices and network sensors. This challenge is probably most apparent in the fact that network breaches often remain undetected for months, allowing cybercriminals to plant time-bombs, establish elaborate botnets, and slowly exfiltrate millions of records containing customer information and intellectual property. This challenge is compounded by the growing skills shortage the cybersecurity industry is facing globally, further adding to organizations’ risks. In fact, a recent Fortinet survey found that 73% of organizations had at least one intrusion or breach over the past year that can be partially attributed to a gap in cybersecurity skills.

Personal details and SSNs of 40,000 US citizens available for sale

Security experts at threat intelligence firm Cyble have identified a credible actor selling, on the dark web, personal details of approximately 40,000 US citizens along with their social security numbers (SSNs). The huge trove of data was discovered […]
The post Personal details and SSNs of 40,000 US citizens available for sale appeared first on Security Affairs.

Malware campaign attempts to evade analysis with Any.Run sandbox

Malware authors are implementing the capability to check whether their malicious code is running in the Any.Run interactive online malware sandbox, so that it can avoid being analyzed by experts. Every time malware is uploaded to the platform, […]
The post Malware campaign attempts to evade analysis with Any.Run sandbox appeared first on Security Affairs.

Ragnar Locker Ransomware Attacks Energy Company, Potentially Stealing 10TB in Data

In a letter to customers, EDP Renewables North America CEO acknowledges the attack occurred back in April of this year, but claims “no evidence” of data theft exists.
The ransomware “note” demanded approximately $10 million in Bitcoin. It also included a warning that over 10TB of information had been exfiltrated from encrypted systems, offering to decrypt some of the impacted files for free as a demonstration of their claim. EDP declined to pay the ransom and data has yet to be published.
This attack demonstrates a few things. First, it shows how pervasive ransomware can be. The attack started in April in the network of EDP Renewables’ parent company, Energias de Portugal, with the American subsidiary learning about it in early May. Second, it shows how stealing data as part of a ransomware attack (whether actual or simply claimed) is becoming the norm. I’ve talked about the Maze “cartel” before – there are plenty of ransomware gangs that partake in the “steal-and-publish” ransomware method. But, it appears, thus far, that in the case of the attack on EDP, the theft is merely a statement meant to improve the chances of payment.
There is no detail on how many systems were impacted, but judging by the claim of 10TB, one would assume at least 10TB of data was encrypted, implying a number of critical systems were affected.
Avoiding this kind of attack is the only good advice I can offer; even if you don’t (and shouldn’t) pay the ransom, it will be days-to-weeks to see operations return to normal. Security Awareness Training is one of the most effective ways to stop user-targeted attacks. By educating the user on what to look for, avoiding malicious email and web content becomes second nature, stopping ransomware and other attacks before they even start.

Thanos Ransomware Attacks Now Disable Backups, Avoid Detection, and Impersonate the OS

Recent updates to the well-known Ransomware-as-a-Service – including the addition of RIPlace – make Thanos a formidable challenge for even well-secured organizations.
I’ve said it before and I’ll say it again: the bad guys operate just like the good guys. Cybercriminal organizations are just businesses with an evil go-to-market plan. And as such, they evolve and improve their software to have better features, to improve performance, and to produce a consistent and predictable result.
Recent developments to Thanos documented by security researchers at Sentinel Labs demonstrate this point exactly. Some of the improvements to Thanos include:
RIPlace technique for avoiding detection
Encryption speed enhancements
Disabling of 3rd party backup solutions
Ability to impersonate Windows SYSTEM via process hollowing
FTP-based reporting
And this is just a fraction of the improvements seen in Thanos over the last 3 months!
Organizations need to realize ransomware (in general) isn’t just encryption software; Thanos demonstrates the effort put into ensuring each step of an attack – from delivery, to installation, to lateral movement, to encryption – is successful. Add to this the fact that Thanos is Ransomware-as-a-Service – it’s available to any person that wants to start their own Ransomware “business”, multiplying the frequency and distribution of this malware.
From the looks of the improvements, once it’s installed, it’s going to see plenty of successes. So, organizations need to take steps to stop it before it starts; and that begins with the user not engaging with phishing emails. And that requires continual Security Awareness Training to both teach and reinforce the need to always be mindful about suspicious content when interacting with email and the web.

Vishing Attacks Yield Phone Fraud Take of Over $100 Million

While not a new tactic, vishing presents cybercriminals with an attack method that’s perfectly aligned with the pandemic shifts to remote workforces.
I’ve talked about vishing attacks previously, as we’ve seen them as a precursor to phishing attacks as well as standalone attacks intent on stealing information from the victim on the other end of the call.
According to the FBI, there were 114,000 reported victims of phishing/vishing/smishing attacks in 2019 that incurred a total loss of over $57 million. And according to the Federal Trade Commission, 2020 has seen over 128,000 phone-based fraud scams that cost victims a whopping $108 million.
With organizations running some or all of their workforce remotely, employees are taking business calls on personal devices and receiving calls from numbers that an internal digital phone system would normally have identified. That gives scammers an opportunity to leverage phone calls as yet another medium by which fraud can take place.
The only way to protect against these phone-based attacks is effective Security Awareness Training that educates employees on these tactics, and why it’s critical now, more than ever, for them to have their guard up, wary of any unsolicited phone call, no matter how good the story sounds coming from the other end.