Welcome to the Ironshare Cyber Round-up where we look back atthe events of that last week and cover some of the news, posts, views, and highlightsfrom the world of Security.
In this week’s round-up:
The Kaspersky Labs news blog has highlighted a new phishingscam that it is targeting highly popular Instagram accounts.
Attackers have launched a phishing campaign that is sending CopyrightInfringement emails to users, in an attempt to get them to hand over theiraccount login details, so they can take over their accounts.
The content of the email is pretty convincing, althoughanyone checking the links etc. will be able to identify that it is indeed fake.
The message contained in the email tries to scare the victim,by claiming that due to violating copyright laws, their account is being disabledand that they have 24 hours before the account is deleted.
Clicking the link in the email redirects the user to anInstagram phishing site, that pretends to give the option of Appealing the decision.
If you decide to appeal and click the link, the site thenasks to verify your Instagram account by logging in with your credentials,which is where the fraudsters capture and steal your username and password.
After losing your credentials, they seal the deal by givingyou a nice message before redirecting you to the real Instagram page.
Social media account hacks are common place in cyber crimeand misinformation campaigns that deliver fake news.
Being aware of these types of attacks will help you to spotmalicious emails and protect both yourself and your personal data.
Awareness alone is not enough though, remember:
Back in 2014, security researchers came across a new threatin the wild they dubbed Emotet.
Emotet started out its life as a banking trojan, that infectedtarget machines with a goal of silently stealing sensitive personal and financialinformation from its victims.
Almost five years on from this initial find, Emotet hasbecome one of the most active, costly and destructive malware families in the worldtoday.
Emotet is known as a ‘Trojan Virus’, and like the Trojan Horsein Greek history, it appears to be one thing on the surface while inside it’s somethingvery different. The trojans job is to first infect a target system by evading itssecurity defences, before unleashing the more malicious hidden payload it iscarrying inside.
One of the attractions for cyber criminals is itspolymorphic behaviour, that gives Emotet the ability to change itself every timea version of the malware is downloaded. This is one of its methods that is usedto evade detection by signature based Anti-Virus and Intrusion Preventionproducts.
Today, Emotet has evolved into far more than just a standardbanking trojan.
Recorded Future has this week released its annual report on the Top 10 vulnerabilities of 2018.
The report highlights that for the second year in a row, Microsofthave come out on top, as the most exploited software, with Office and Internet Exploder,(oops, Explorer), appearing in 8 of the top 10 vulnerabilities listed.
Recorded Future’s analysis focused on exploit kits, phishingattacks, or remote access trojans that coincide with a vulnerability, and occurredbetween 1 January 2018 and 31 December 2018. Their analysis was based onthousands of sources, including code repositories, deep web forum postings, anddark web sites.
The remaining 2 spots were taken by Adobe Flash Player, inthe form of exploit kits and ransomware, and Google’s Android OS, targeted by theremote access trojan AndroRAT.
One vulnerability CVE-2016-0189, has made the list for threeyears in a row. This vuln exists in Internet Explorer versions 9 to 11 and hasbeen targeted by numerous exploit kits during that time. The reason for itspersistent presence is due to a lack of full mitigation, and although therehave been security updates from Microsoft related to this CVE, the only workaroundappears to be controlling access to the Jscript and Vbscript DLL files.
What this report really highlights is that there are still toomany devices out there that are not being kept up to date with the latestsecurity patches. It’s not just operating systems (like MS Windows) thatrequire regular security updates; applications, network devices and IOT devicesshould also form part of any regular patching activities.
If you’re a home user the best option is to ensure that alldevices, PC’s, mobiles and tablets etc. are all set to update themselves automatically,as new versions become available.
A full copy of the report can be viewed here: https://go.recordedfuture.com/hubfs/reports/cta-2019-0319.pdf
The Cisco Talos Intelligence team have released anotherexcellent blog post which details the investigation into a destructive Ransomwarevariant known as LockerGoga.
Like other Ransomware variants LockerGoga, encrypts the contentsof the victim’s machine, preventing access to the data and holding it toransom. The attackers typically request payment via a crypto currency such asBitcoin from the victim, before they release the decryption keys providingaccess to the data once more.
Certain versions of LockerGoga have been seen to logout users, preventing them from logging back in, leaving them with no means to access the system or decrypt the files, indicating a more destructive nature.
Initial infection is not currently known, but unlike otherversions of ransomware the ransom note that is left on the machine does not includepayment instructions, but instead just leaves details for contact theattackers.
This threat is still being monitored and analysed by Talos,so we can expect more information to follow as it becomes available.
As usual with these types of posts from Talos this is an in-depthtechnical write up so is not for everyone, but if you’re into your malware analysisdetails, then head on over to the Talos blog to read more.
And that’s it for this week, please don’t forget to tune in forour next instalment.
Why not follow us on social media using the links providedon the right.
Edition #34 – 22nd March 2019
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
