Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
On the 11th February, secure email provider VFEmail alerted users via its website that a catastrophic outage had occurred to its email service, after a hacker had gained unauthorised access and launched a destructive attack against their systems.
This malicious attack has resulted in the complete wiping of the VFEmail primary servers and their associated backup systems. The owner of the service posted to his Twitter feed that this may be the end of VFEmail.
The website alert reads:
“!!!ALERT!!!! Update Feb 11 2019
www.vfemail.net and mail.vfemail.net are currently unavailable in their prior form. We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”
Wow, can’t believe we are in the middle of February already (tempus fugit), so it’s that time of the month again for Microsoft’s security updates.
February 2019’s Patch Tuesday has included approx. 70 vulnerabilities across numerous MS products. Of those listed, 20 flaws have been rated as Critical, with the ability to fully compromise the vulnerable system. In addition, more than 45 vulns are considered Important, with 3 rated Moderate and 1 rated Low severity.
Vulnerable products impacted include the ever-present Chakra scripting engine, MS Edge and Internet Explorer browsers, MS Exchange, and SharePoint 2010.
A new variant of the notorious Emotet trojan has emerged over the last month that is using techniques to try to evade anti-virus programs.
Emotet has been around for some time, but new variants of the malware are being created on what seems a regular basis. It uses spam email to infect its targets, before stealing personal and financial information in order to gain access to bank accounts and cryptocurrency wallets.
The malicious payloads delivered by Emotet have varied over time, but this new variant commonly uses XML files, opened using Word, that contain Base64 encoded data to hide the malicious macro that launches the infection. Using XML files with Base64 data means that standard signature-based anti-virus engines will typically not detect this kind of malicious macro-enabled document.
Once launched, the macro spawns multiple processes, calling PowerShell scripts that download the Emotet payload to the victim’s device. Once received, Emotet calls out to several URLs, which are believed to be the attacker’s Command & Control (C2) infrastructure, to gain control of the host and steal information.
Next-Generation Endpoint Security such as AMP for Endpoints can help protect against these kinds of advanced threats, where standard anti-virus products fail.
Customers of the Network Attached Storage vendor QNAP have been reporting strange activity that has been preventing system updates on their devices.
Investigation into the problem has identified that a malware infection has hijacked QNAP NAS devices, forcing a change to the hosts file on the machine.
The Unix hosts file ‘/etc/hosts’ is used to statically define host or domain name mappings to an IP address and, depending upon the device’s configuration, can be used to override DNS queries.
By hijacking the device and changing these hosts file entries, the malicious actor can control where traffic is sent.
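A hosts file audit of the kind an administrator could run after an incident like this, as an added example that is not part of the original round-up or any vendor tooling. The watchlist domains and the sample file are constructed placeholders, and treating 0.0.0.0 or loopback entries as sinkholes is an assumption about how such an override would block updates.

```python
import ipaddress

# Constructed sample hosts file (not taken from an affected device).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.20 nas01 nas01.lan   # local name
0.0.0.0     update.nas-vendor.example
0.0.0.0     download.nas-vendor.example defs.av-vendor.example
203.0.113.7 update.nas-vendor.example
"""

# Hypothetical watchlist: domains the device must reach through normal DNS
# (firmware updates, anti-virus definitions). Replace with your own.
WATCHED_SUFFIXES = ("nas-vendor.example", "av-vendor.example")


def parse_hosts(text):
    """Yield (line number, ip, [names]) for every valid hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue  # blank line or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: malformed entry, ignored by resolvers
        yield lineno, ip, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return static overrides of watched domains as
    (line number, name, ip, reason) tuples."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if not any(name == s or name.endswith("." + s) for s in watched):
                continue
            # An unroutable or loopback address makes the name unreachable;
            # any other address redirects it to a host the file's editor chose.
            sink = ip.is_unspecified or ip.is_loopback
            findings.append((lineno, name, str(ip),
                             "sinkholed" if sink else "pinned"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real device, pass the contents of /etc/hosts to audit_hosts and compare any finding against a known-good copy of the file.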
If you are looking for Love over this Valentine weekend, and you are using the OkCupid Dating App, then be aware that a vulnerability in the app could expose your personal information, steal your login details and result in complete takeover of the app by the attacker.
The flaw is present in OkCupid’s Android application, which uses WebView (a bundled browser inside the mobile application) to open what it calls MagicLinks from the app.
An attacker can simply send a crafted URL to a victim from within the app that, when clicked, allows the attacker to take control of the app, read all the victim’s messages, monitor usage, impersonate the victim and even track the victim’s location.
Because these links are sent from within the app, users tend to trust that they are legitimate, clicking them without much thought.
Due to the nature of the app takeover, it is also possible for a malicious actor to spread malware after the first victim is infected, using the app’s contact list.
An update for this app is available, so please update as soon as possible.
Dating and Sextortion scams are all too common these days, so if you are using these types of apps, please ensure that you stay safe and vigilant, and always remember to update your apps regularly.
And that’s it for this week, please don’t forget to tune in for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
Ironshare – Security Simplified
Edition #29 – 15th February 2019
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.