What's new this month in the news for MSPs? Cofense's Q1 Phishing Intelligence report shows a 527% increase in credential phishing; Magecart malware is hitting e-commerce sites again; and more.
Let's see what it's all about.
Cofense's Q1 Phishing Intelligence Report Shows 527% Increase in Credential Phishing
The Q1 Phishing Intelligence report from Cofense Inc. reveals a staggering 527% increase in credential phishing during the first quarter of 2023, along with an overall increase in active threats. Cofense described the change as "volatile," and the report also noted that the year-over-year increases were more moderate, even though they still amounted to a 40% hike over the same quarter in 2022.
Emotet led as the most prevalent malware family active during the quarter, and the report opined that this is likely tied to the sheer volume of email campaigns it sends out.
Following Emotet were the Agent Tesla keylogger and FormBook as the most-used forms of malware, in that order. Additionally, the report noted that keylogger use rose by a staggering 38%, more than any other malware type.
An increase in malicious campaigns abusing Telegram Messenger bots stood out in the report. Telegram bot use during the first quarter was nearly five times that of the previous quarter, and it surpassed the total volume of Telegram bot use for all of 2022 by a factor of four.
Another standout from the first quarter report came in how victims are targeted. Analysts noted a massive change in the leading malware delivery methods. The most popular were OneNote files carrying embedded OLE packages and WSF downloaders bundled inside the file.
Analysts note that OneNote files have become a popular delivery method, replacing longstanding Microsoft Office macros. Exploitation of CVE-2017-11882, the Microsoft Equation Editor vulnerability discovered in 2017, also spiked in the first quarter, as Emotet uses it extensively in its campaigns.
Magecart Malware Is Hitting E-Commerce Sites Again
One of the more common tools used by threat actors targeting e-commerce websites is the shopping cart malware called Magecart. Although many have tried to eradicate and mitigate Magecart, this persistent threat still lurks around the internet.
Security analysts first spotted the malware in 2018 in connection with the Ticketmaster UK compromise, and threat actors are still using it in current attacks.
The malware is used to steal credit card information that is later sold to cybercriminals in bulk across the dark web. It takes its name from Magento, an open-source shopping cart application. Hackers will replace the code in the genuine cart software with Magecart code or gain control of abandoned GitHub projects that are then shared across the internet.
Experts say that Magecart is an excellent example of the challenges behind keeping vigilant against cyber threats. Most e-commerce storefronts rely on a dozen or so bits of code that include databases, advertising servers, back office systems, and a shopping cart system typically used to collect customer payments.
Since shopping carts are commonly the weakest part of any e-commerce site, cybercriminals typically target them as easy prey. Moreover, tracking the many indicators of compromise (IOCs) associated with these shopping cart attacks is challenging.
The cybercriminals behind Magecart use what is commonly known as bulletproof hosting providers, which means law enforcement can't easily terminate their accounts after identifying them. Moreover, criminal gangs known as skimmers employ threat actors who help them collect credit card information from compromised ATMs internationally.
More recently, the malware infected the WooCommerce WordPress plugin and affected websites around the world. Aside from WooCommerce, Magecart has affected Google Tag Manager and has introduced a number of new attack modes, according to Malwarebytes.
To help protect their e-commerce sites, businesses should scan the code of all third-party plugins for changes and ensure that suppliers also track these changes. Any such code should also be audited frequently to keep it malware-free.
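One way to act on that advice is to keep a signed-off baseline of every third-party plugin's files and diff the live tree against it on a schedule. The script below is an added example, not code from the article or from any vendor; the plugin directory, file names and the tampering scenario in `demo()` are constructed.

```python
"""Detect unexpected changes in third-party storefront plugin code against a baseline."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return added, removed and modified paths relative to the recorded baseline.

    Any entry here inside a vendored plugin that nobody deployed is a reason to
    audit that file before customers' browsers load it on the checkout page.
    """
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a baseline, then tamper with one plugin file."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "plugins"
        plugin = site / "checkout"
        plugin.mkdir(parents=True)
        (plugin / "checkout.js").write_text("// vendor checkout script\n")
        (plugin / "styles.css").write_text("body {}\n")
        # Store the baseline outside the tree being monitored (in practice: out-of-band).
        manifest = Path(tmp) / "baseline.json"
        manifest.write_text(json.dumps(hash_tree(site)))
        # Simulate an unauthorized edit to the checkout script and a dropped-in file.
        (plugin / "checkout.js").write_text("// vendor checkout script\n// appended code\n")
        (plugin / "extra.js").write_text("// new file\n")
        return diff_against_baseline(site, json.loads(manifest.read_text()))


if __name__ == "__main__":
    print(demo())
```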
New Cactus Ransomware Has a Unique Twist
Security analysts report that a new ransomware group is making waves and targeting vulnerabilities in VPN hardware with a unique twist. To avoid detection, the ransomware encrypts itself.
Kroll LLC security researchers discovered the ransomware, which they have named Cactus, and say it was first spotted in March. It explicitly targets VPN hardware from Fortinet Inc.
After running the typical ransomware routine, such as spreading itself throughout the network and encrypting and stealing files along its path, it begins its unique obfuscation method, which observers describe as very interesting.
More details are becoming available as researchers examine Cactus ransomware. BleepingComputer reported that the ransomware uses encryption to protect its own binary. The threat actors behind Cactus use a batch script that extracts the encryptor binary with 7-Zip, shielding it from detection by antivirus programs and other security tools.
So far, Cactus has not set up a leak site. The ransom note instructs victims to contact them via either email or a backup chat service to prevent the information from getting leaked and to recover the stolen data.
CISA Adds Linux Vulnerabilities to Its Catalog With Warnings
Seven Linux-related vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency's (CISA) catalog with the warning that they are being actively exploited.
These vulnerabilities pose a significant risk to federal enterprises and are described as prevalent attack vectors used by malicious cyber actors.
Added Linux Vulnerabilities
Although these vulnerabilities are new to CISA's database, they are a mix of old and new CVEs, with one going back to 2010.
- CVE-2023-25717 - Cross-site request forgery and RCE vulnerability in multiple Ruckus wireless products
- CVE-2021-3560 - Red Hat Polkit incorrect authorization vulnerability
- CVE-2014-0196 - Linux kernel race condition vulnerability
- CVE-2010-3904 - Linux kernel improper input validation vulnerability
- CVE-2015-5317 - Jenkins UI information disclosure vulnerability
- CVE-2016-3427 - Unspecified Oracle Java SE and JRockit vulnerability
- CVE-2016-8735 - Apache Tomcat RCE vulnerability
These were added to CISA's Known Exploited Vulnerabilities catalog, referred to as a "living list" of known common vulnerabilities and exposures that carry significant risks to federal enterprises.
CISA recommends that all organizations take steps to reduce their exposure to cyberattacks, such as prioritizing timely remediation of all vulnerabilities listed in the catalog.
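Putting that recommendation into practice means checking scanner findings against the catalog and working the overdue entries first. The script below is an added example, not from the article or CISA: `KEV_JSON` is a constructed excerpt in the shape of the KEV JSON feed (only the fields used here), the dates and the `INVENTORY` hosts are invented, and `CVE-0000-00000` is a placeholder for a finding that is not in the catalog.

```python
"""Prioritise remediation by cross-checking an asset inventory against CISA's KEV catalog."""
import json
from datetime import date

# Constructed stand-in for the KEV feed: a top-level "vulnerabilities" array of
# per-CVE objects. CVE ids are the ones named in the article; dates are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-25717", "vendorProject": "Ruckus", "product": "Wireless Admin",
     "dateAdded": "2023-05-12", "dueDate": "2023-06-02"},
    {"cveID": "CVE-2021-3560", "vendorProject": "Red Hat", "product": "Polkit",
     "dateAdded": "2023-05-12", "dueDate": "2023-06-02"},
    {"cveID": "CVE-2014-0196", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2023-05-12", "dueDate": "2023-05-26"},
    {"cveID": "CVE-2016-8735", "vendorProject": "Apache", "product": "Tomcat",
     "dateAdded": "2023-05-12", "dueDate": "2023-06-02"},
]})

# Constructed scanner output: open CVE findings per host.
INVENTORY = {
    "web-01": ["CVE-2016-8735", "CVE-0000-00000"],   # second id is a non-KEV placeholder
    "wifi-ctl": ["CVE-2023-25717"],
    "build-03": ["CVE-2021-3560", "CVE-2014-0196"],
}


def load_kev(raw: str) -> dict[str, dict]:
    """Index the catalog by CVE id so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def kev_findings(inventory: dict, kev: dict, today: str) -> list[dict]:
    """Return inventory findings present in KEV, most overdue first (then by host)."""
    now = date.fromisoformat(today)
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited: still a finding, but lower priority
            due = date.fromisoformat(entry["dueDate"])
            hits.append({"host": host, "cve": cve, "product": entry["product"],
                         "due": entry["dueDate"], "overdue_days": (now - due).days})
    return sorted(hits, key=lambda h: (-h["overdue_days"], h["host"]))


if __name__ == "__main__":
    for hit in kev_findings(INVENTORY, load_kev(KEV_JSON), date.today().isoformat()):
        print(hit)
```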
Bud Broomhead, Chief Executive at Viakoo Inc., says the seven added vulnerabilities focus on open-source software components, and points to the recent inclusion of 15 vulnerabilities related to industrial control systems, which are much more challenging to remediate than traditional IT vulnerabilities.
It is imperative to have complete visibility into all digitally connected assets, their software components, and how they can be remediated and restored to full operation.
Infostealer-Class Malware Is Evolving to Become More Dangerous
Infostealers are a malware class that security researchers say is morphing into a more insidious threat.
According to security researchers, these menacing threats are well known for their ability to steal sensitive personal information from a target's computer, including browser cookies, login information, saved debit and credit cards, or other financial data.
SiliconAngle has shared details on the role of infostealers in ransomware and other cyberattacks. These reports more recently included Eventbot in April 2020, and LockBit and Stealc in February 2023.
Cybercriminals continue developing and improving this malware class; recently, new reports have documented current updates.
Yael Kishon from the KELA Cybercrime Prevention research group says cybercriminals are working intently to develop and sell new data stealers on botnet marketplaces. They list them at very affordable prices, making them more appealing to a broader customer base.
New versions of infostealers continue to arrive at and depart from the marketplace as some cybercriminals land behind bars, which makes the scene very chaotic. The Ukrainian developer of Raccoon Stealer, who disappeared after being arrested and is now facing criminal charges, is one example. Yet, after a few months, an updated version appeared.
Infostealers are typically a foundation for other cybercriminals launching campaigns that deploy ransomware with data extortion components, which require credentials such as stolen logins. This class of malware has grown over time to integrate better with other malware resources that can analyze the stolen data and organize it for specific targets.
Some malware versions offer subscription service pricing similar to other SaaS products with tier pricing models for specific features, such as obfuscation and traffic analysis. It's frequently called “malware as a service” under this scenario.
One alarming trend is state-sponsored malware groups embracing infostealers for cyber espionage campaigns. Russian groups, for example, have deployed the Graphiron stealer against Ukrainian targets, and Chinese groups have used them against many enemies throughout Asia.
Security researchers say that information stealers are becoming more sophisticated, which makes them challenging to locate and remove.
Threat Actors Use SIM-Swapping to Access Azure Virtual Machines
A cybercriminal known to target Microsoft products such as Azure VMs is now using a mix of SIM-swapping and phishing tactics to take over Azure admin accounts that provide access to Azure Virtual Machines.
Mandiant (a Google LLC-owned company) security researchers shared details this month about the threat actor called UNC3944 installing third-party remote management apps within client networks through the Serial Console on Azure VMs. While they are not the first attackers to gain access to Azure Virtual Machines, the technique stands out because it bypasses many of the typical detection methods in Azure and gives the attacker full admin privileges on the Virtual Machine.
The researchers say that the UNC3944 threat group is financially motivated and that Mandiant started tracking it in May 2022. Its tactics include SIM-swapping, email phishing, and establishing persistence using compromised accounts. Once in the door, UNC3944 swipes files and data from within the victim organization's infrastructure.
The researchers observed the attacker leveraging Azure Extensions for reconnaissance purposes using a highly privileged Azure account. The attacker used extensions such as CollectGuestLogs and built-in Azure diagnostic extensions. They also noted that the attacker used the Guest Agent Automatic Log Collection, Azure Network Watcher VMSnapshot, and Guest Configuration extensions.
UNC3944 installs commercially available remote admin tools to maintain a presence on the VM through PowerShell. The researchers say these tools have the advantage of being legitimately signed applications and provide remote access without triggering alerts in most EDR platforms.
Mandiant researchers say organizations should restrict access to remote admin channels and disable SMS as an MFA method where possible.
According to Amit Shaked from Laminar Technologies, employing a zero-trust approach that leverages in-depth controls at the data and infrastructure layers is the best defense.
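Because the reconnaissance above shows up as a burst of extension writes on one VM by one identity, it is a natural Activity Log hunt. The script below is an added example, not from Mandiant or Microsoft: `SAMPLE_EVENTS` are constructed, simplified Activity Log records (real events carry many more fields), the subscription id, resource group, VM names and callers are placeholders, and `RECON_EXTENSIONS` is a scoring hint built from the extension names the article mentions rather than an authoritative list.

```python
"""Hunt Azure Activity Log for bursts of VM extension installs by a single caller."""
from collections import defaultdict
from datetime import datetime, timedelta

EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
# Names drawn from the article; treat as an illustrative hint, not a complete list.
RECON_EXTENSIONS = {"CollectGuestLogs", "VMSnapshot", "GuestConfiguration"}


def rid(vm: str, ext: str) -> str:
    """Resource id in the shape Azure uses for a VM extension (placeholder ids)."""
    return (f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
            f"/providers/Microsoft.Compute/virtualMachines/{vm}/extensions/{ext}")


def ev(ts: str, caller: str, vm: str, ext: str) -> dict:
    """Constructed, simplified Activity Log record."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": EXT_WRITE,
            "resourceId": rid(vm, ext)}


# Constructed sample: one caller installs three extensions on one VM within four
# minutes; a second caller installs a single agent on another VM an hour later.
SAMPLE_EVENTS = [
    ev("2023-05-10T14:02:11Z", "helpdesk@example.test", "vm-app01", "CollectGuestLogs"),
    ev("2023-05-10T14:03:40Z", "helpdesk@example.test", "vm-app01", "VMSnapshot"),
    ev("2023-05-10T14:06:05Z", "helpdesk@example.test", "vm-app01", "GuestConfiguration"),
    ev("2023-05-10T15:30:00Z", "ops@example.test", "vm-db02", "MonitoringAgent"),
]


def find_extension_bursts(events: list, window_minutes: int = 15, min_distinct: int = 2) -> list:
    """Flag (caller, VM) pairs that write >= min_distinct distinct extensions inside the window."""
    window = timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for e in events:
        if e.get("operationName") != EXT_WRITE:
            continue
        parts = e["resourceId"].split("/")
        vm, ext = parts[parts.index("virtualMachines") + 1], parts[-1]
        groups[(e["caller"], vm)].append((datetime.strptime(e["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"), ext))
    alerts = []
    for (caller, vm), writes in groups.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            in_win = {x for t, x in writes[i:] if t - t0 <= window}
            if len(in_win) >= min_distinct:
                alerts.append({"caller": caller, "vm": vm, "extensions": sorted(in_win),
                               "recon_hits": sorted(RECON_EXTENSIONS & in_win)})
                break  # one alert per (caller, VM) pair is enough
    return alerts
```

Pair the alert with a check that the caller is an account expected to manage extensions; the article's point is that the writes come from a legitimately privileged but hijacked identity.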
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.