More stories

  • Ukraine stopped Russian hackers who were trying to attack its power grid

    Cyber attackers deployed a new form of malware in an attack which aimed to disrupt an energy facility in Ukraine. According to the Governmental Computer Emergency Response Team of Ukraine (CERT-UA), “urgent measures” were taken after malicious hackers launched a malware attack designed to disconnect and decommission industrial infrastructure controlling high-voltage electrical substations. CERT-UA says that an attack intended to decommission infrastructure was set for the evening of Friday 8 April, but that this has been prevented.

    Analysis by cybersecurity researchers at ESET, who aided CERT-UA in combating the attack, has linked the campaign to the hacking group Sandworm. Cybersecurity agencies including the UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have previously attributed Sandworm and its campaigns to the GRU, which is part of the Russian military.

    The attack uses an updated version of Industroyer, a form of malware used in previous campaigns by Sandworm, which infamously caused power outages in Ukraine in 2015. Analysis of the footprint left behind by Industroyer2, which is designed for industrial environments, suggests that an attack against the power systems had been planned for weeks.

    It’s still uncertain how the targeted power facility was initially compromised, or how the intruders moved from the IT network to the Industrial Control System (ICS) network, but according to CERT-UA, the attackers first entered the network as a whole no later than February 2022. In addition to evidence of Industroyer on the network, the attackers also deployed a new version of the CaddyWiper destructive malware.

    Researchers believe that this was planted with the intention of slowing down the energy company’s recovery processes and keeping it from regaining control of the ICS consoles following the planned attack. CaddyWiper was also deployed on the machine infected with Industroyer2, in what was likely an attempt to cover up traces of an attack.

    “Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” said ESET researchers in a blog post. Cybersecurity researchers have previously identified several forms of malware used in cyber attacks against Ukrainian organisations before and during Russia’s invasion of Ukraine.

  • These hackers pretend to poach, recruit rival bank staff in new cyberattacks

    Hackers are pretending to poach bank staff in a wave of attacks against the African financial sector.

    In recent weeks, the threat actors have been spotted using recruitment emails and messages to entice individuals considering moving from their current employment to rival financial companies. However, the emails don’t contain genuine job offers: instead, they contain malicious surprises.

    On Tuesday, the threat research team at HP Wolf Security said the campaign specifically targets individuals already working in the African banking sector. Phishing emails are disguised under the names of rival banks through typosquatting and ask the potential victim if they are interested in new job opportunities. The ‘recruiter’ also uses a typosquatted reply-to address to appear more legitimate.

    If an individual is reeled in, the attacker sends an HTML attachment, Fiche de dossiers.htm (translation: file sheet/card), which carries a Base64-encoded ISO file. If the victim tries to open the file, the content is decoded and shown as a web downloader prompt, in a technique known as HTML smuggling. “When the user opens the HTML attachment using a web browser, they are prompted to download the file, which is already stored on the local system,” the researchers said. “This way HTML smuggling bypasses security controls that block malicious website traffic, such as web proxies.”

    The ISO contains a VBS script which, when double-clicked, creates a registry key on the impacted system for persistence, executes PowerShell scripts, and deploys GuLoader. GuLoader is a loader used to deliver RemcosRAT malware to victims. RemcosRAT is a commercially available Remote Access Trojan (RAT) sold to cybercriminals on a cheap subscription basis. The Windows malware can perform keylogging, take screenshots, conduct surveillance through PC cameras and microphones, steal operating system data and personal files, harvest browser activity, and download further malicious payloads.

    By targeting individuals already in the banking sector, it is possible that the cyberattackers are trying to obtain access to commercial bank networks, whether through corporate machines or personal devices when employees are working remotely. “The attacker might take advantage of the employee’s position in the bank since they would have access to their corporate email account,” the researchers noted. “[They might] move laterally with the goal of compromising domain controllers to deploy ransomware. They might also steal sensitive/protected data that could be used to extort the target.”
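
As a defender-side illustration of the HTML smuggling pattern the researchers describe (a large Base64 blob inside an HTML attachment that the browser decodes into an ISO), here is an added Python scanner; it is example code written for this page, not HP Wolf Security's tooling or anything from the campaign. The sample HTML and the ISO image it carries are constructed inline, and the download filename is only a placeholder echoing the article.

```python
import base64
import binascii
import re

# Long runs of Base64 characters: a smuggled ISO is carried inline in the HTML.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}")
# Browser-side decode and download primitives the technique relies on.
_SMUGGLING_MARKERS = (b"atob(", b"Blob(", b"createObjectURL", b"msSaveOrOpenBlob", b"download=")
# ISO 9660: the first volume descriptor starts at sector 16 (offset 0x8000);
# byte 0 is the descriptor type, bytes 1-5 are the "CD001" identifier.
ISO_ID_OFFSET = 0x8001


def payload_kind(blob: bytes) -> str:
    """Classify a decoded payload by magic bytes; only ISO 9660 is recognised here."""
    if blob[ISO_ID_OFFSET:ISO_ID_OFFSET + 5] == b"CD001":
        return "iso9660"
    return "unknown"


def scan_html_attachment(html: bytes) -> dict:
    """Report smuggling markers and any large inline Base64 payloads in an HTML attachment."""
    markers = [m.decode() for m in _SMUGGLING_MARKERS if m in html]
    payloads = []
    for match in _B64_RUN.finditer(html):
        encoded = match.group(0)
        try:
            blob = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            continue  # not valid Base64 (e.g. bad padding); skip this run
        payloads.append({"encoded_len": len(encoded), "decoded_len": len(blob),
                         "kind": payload_kind(blob)})
    # Markers alone are common in legitimate pages; a decodable disk image beside them is not.
    suspicious = bool(markers) and any(p["kind"] == "iso9660" for p in payloads)
    return {"markers": markers, "payloads": payloads, "suspicious": suspicious}


def _constructed_iso_image() -> bytes:
    """Constructed minimal ISO 9660 image: 32 KiB system area plus one primary volume descriptor header."""
    pvd = b"\x01CD001\x01\x00" + b"\x00" * (2048 - 8)
    return b"\x00" * 0x8000 + pvd


# Constructed samples for the scanner (not real attachments from the campaign).
CONSTRUCTED_SMUGGLING_HTML = (
    b"<html><body><script>var payload = atob('"
    + base64.b64encode(_constructed_iso_image())
    + b"');</script><a download=\"Fiche de dossiers.iso\">Ouvrir</a></body></html>"
)
CONSTRUCTED_BENIGN_HTML = b"<html><body><p>Quarterly results attached separately.</p></body></html>"
```

Run on a real mail gateway this would sit behind an attachment-type filter; the payload classifier can be extended with further magic bytes (ZIP, PE) in the same way.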

  • Only half of organizations reviewed security policies due to the pandemic: Study

    New research suggests that only half of organizations worldwide reviewed their cybersecurity policies when COVID-19 hit.

    The COVID-19 pandemic prompted a rapid shift to working from home. Whereas organizations would often have their employees in the office — and, therefore, access to corporate resources was more centralized there — the need to provide remote options also increased the potential attack surface. Virtual private network (VPN) usage is customary for remotely connecting to company systems. However, the pandemic prompted the more widespread use of personal PCs and handsets with varying levels of security — and reliance on video conferencing tools and emails also caused headaches for security teams.

    According to research published on Tuesday by the Ponemon Institute, on behalf of Intel, the global enterprise will spend roughly $172 billion on cybersecurity this year. However, only 53% of respondents said they refreshed their existing strategies due to the pandemic — and this could indicate a disconnect between spending the cash and applying it correctly to the modern workplace. When changes were made to existing policies, they were driven by factors including remote working demands, supply chain failures, increased cyberattack rates, and employee turnover.

    In total, 59% of organizations surveyed in the research said their cybersecurity practices are “innovative,” at least when it comes to threat detection, followed by 51% who believe they are innovative in how technology investments are made. The pandemic has created what could become a permanent hybrid workforce. Enterprise organizations have recognized this requires a shift in investments, with remote work, artificial intelligence (AI), and automation becoming top priorities.

    85% of respondents said that hardware- and firmware-based security solutions are now a “high” or “very high” priority when it comes to security solution applications. In addition, 64% of those surveyed said that their companies were trying to boost security at the hardware level, with cloud, data centers, edge computing, and security operations centers (SOC) in mind.

    The integration of zero-trust strategies is also on the table for enterprise players. As the pandemic continues to impact businesses worldwide, 75% of survey respondents said they have an increased interest in adopting zero-trust access and privilege frameworks.

  • The coffee robot your mornings deserve

    Miso Robotics’ CookRight Coffee system. 
    Coffee is one of those habits around which much ritual has cropped up. You go to the cafe, if you’re lucky your barista knows your order and gives you a warm smile, and you savor that first delightful sip. So are we ready for a robot to take charge of our brew? That’s the bet that Miso Robotics, whose dexterous robot fry cooks are already slinging burgers and chicken wings at fast food restaurants, is making. Miso is launching a new coffee system and the first partner is Panera Bread.

    To be sure, technology and coffee are no strangers. From pods to Aeropress, the hunt for a perfect cup has gone on as long as beans have been roasted. Panera is betting the efficiency and quality of a system that continually monitors coffee status using AI and customized metrics will appeal to patrons. The subplot here is the rapid automation of the quick serve restaurant industry, which is reeling from labor shortages and struggling to keep up with high demand coming out of the worst lockdowns of the pandemic. There’s now a real sense that momentum is shifting toward robotic systems to add greater efficiency to human-led, front-of-house operations.

    “Panera has a long history of tech innovation in service of meeting the needs of our guests and associates when they walk through our doors each day,” said George Hanson, SVP and Chief Digital Officer of Panera. “CookRight Coffee is a game changer when it comes to convenience and operational efficiency, and we are extremely excited to take our coffee station into the future with Miso Robotics.”

    Miso is on a bit of a tear, having followed up its burger robot, Flippy 2, with a tortilla chip making robot in partnership with Chipotle. Automation seems well paired with rising takeout demand during a pandemic-influenced tight labor market. Delivery, takeout, and drive-thru orders in particular have increased the need for speed just as demand is booming, and restaurants are having trouble keeping pace. As I’ve written, one of the big draws for national brands at this early adoption stage is the speed and efficiency of a robotic system paired with unseen levels of customization. For Panera, Miso’s CookRight Coffee system monitors coffee volume and temperature to brew at precisely the right time.

    Panera in turn can support a club-style membership program that gives members unlimited coffee and tea for $8.99 per month. Miso previously partnered with Lancer Worldwide, a global beverage dispenser manufacturer, to roll out what’s described as an intelligence-backed, automated beverage dispenser. All of this has made Miso a popular investment with the crowdfund crowd. The company is a crowdfunding success story with over 18,000 shareholders and $50MM in crowdfunding to date and a Series E market valuation of $500 million.

  • Smart sweat: Peloton's AI is the future of home fitness

    AI is driving the future of fitness, and companies like Peloton are leveraging the technology to enhance products and improve experiences for users. But what role will AI and data play in the future of at-home and connected fitness, and how will it increasingly shape the landscape?

    Peloton Guide (Peloton’s first connected strength device) is a good case study. It uses computer vision and machine learning technology to create focused and well-rounded training experiences from home. Guide’s Movement Tracker can recognize a user’s activity, encouraging and keeping them motivated to keep up with the Instructor’s cues. AI is now a core tenet of Peloton and many other major home exercise brands. For insights into the future of smart connected home fitness (and some deeper understanding of just how embarrassed we’re going to feel at a machine’s consoling prods), I connected with Sanjay Nichani, Peloton’s VP of Artificial Intelligence and Computer Vision.

    GN: Across the market, where are we seeing AI intersect with fitness?

    Sanjay Nichani: This is a great question because we’re seeing AI intersect with fitness more and more with consumers and their experiences. AI is something we’re continuing to tap into at Peloton, and as we continue to conduct research, test products and speak with more people, including our Members — we’re able to unlock additional ways that AI can improve the at-home fitness experience. Specifically, we see that AI can be used to drive convenience, accountability, motivation, education, gamification, competition, collaboration and social connection within the fitness market.

    GN: Can you describe Peloton’s development history with AI? When did it first become a priority, and how has it grown in importance?

    Sanjay Nichani: Working with the latest technology is always top of mind for us because we’re always looking to enhance the Peloton experience. We’ve been working with AI for a few years now, starting, of course, with our class recommender system. You’ll really see AI take center stage with Peloton Guide since it is our first connected strength product. AI drives the experiences such as the Self Mode so that you can see yourself on the screen next to the instructor, Movement Tracker that gives you credit for following along with an instructor, and Body Activity that powers class recommendations to ensure you are working all muscle groups evenly.

    GN: How is machine vision aiding Peloton’s offerings? Can you explain what the Guide product is and how CV and ML help shape the user experience?

    Sanjay Nichani: Peloton Guide connects to any TV to transform the biggest screen in any home into an interactive personal training studio. Once it’s connected, Members have access to Peloton’s world-class instructors who lead a wide range of fun-yet-intense classes and programs that use dumbbells and bodyweight. Since Members and experts told us that they derive motivation from their metrics, we’re using AI for Guide’s Movement Tracker. It’s really cool to see Guide’s Movement Tracker using Computer Vision activity recognition technology to recognize a Member’s activity as they follow along with the Instructors and complete each move throughout the class. For example, during a class, an Instructor will have a plan where they’ll be coaching Members through different movements like bicep curls for 30 seconds or squats for 45 seconds. Guide recognizes the activity and provides metric-driven accountability to our members to keep them motivated to keep up with the Instructor’s cues. Additionally, with Self Mode, Guide’s smart frame technology where the camera automatically pans and zooms on the member working out, you can see yourself on screen and compare your form to the Instructor’s. Peloton Guide also shows members’ muscle groups they have recently worked on with a new feature called Body Activity. With this feature, Peloton will then recommend classes focused on the muscle groups that haven’t been trained in a while to help Members have a more well-rounded training experience.

    GN: Have there been any interesting learnings or insights from customer reactions? Have you changed course in any way based on unexpected findings regarding user experience?

    Sanjay Nichani: One interesting insight in various user and field testing trials was the value of having a bounding box around the person detected; this established a strong connection of the member to the Guide (proof that the Guide had detected the member, “seen them” and they were now locked). This simple visual feedback was far more valuable than perhaps displaying a skeletal pose that was too busy and distracting, taking away from their exercise experience, or otherwise swinging to the other end, where nothing was displayed, which made users feel disconnected. From the very beginning, data-driven insights have been baked into not only our company culture but into the products we produce. For example, our strength Members who are creating a gym experience from the comforts of their home without a human coach may not hold themselves accountable. The Members and experts we talk to often tell us that the little feedback and motivation they get from the metrics is what keeps them going, e.g., you did x number last week, and this week your number went up. This is exclusively a result of our cutting edge AI technology, Guide’s Movement Tracker. Our AI teams ensure that customer needs and feedback are woven into our product planning and assessment. We work with a number of other departments — Systems Engineering, UI/UX Design, User Research, QA, Field Testing — to ensure that the way AI is implemented within our offerings is directly addressing the need of our consumers.

    GN: What does the future of home fitness look like (for Peloton and beyond)? How are AI and MV helping shape that experience?

    Sanjay Nichani: Honestly, we’re just scratching the surface of how AI technology can impact fitness. We have a top-notch cross-functional team optimizing and diversifying our CV and ML tools to usher in new, safe and fun ways to practice fitness. You can also see a future where CV and ML can help create more personalized content or offer real-time feedback. There’s a lot of potential with the technology, and for Peloton, we’re going to continue experimenting. On day one Guide is going to provide a really different and motivating strength experience. But because Guide is built on CV and ML, we have an opportunity to keep iterating and making the product stronger with more features, exercises and disciplines. We’re continuing to conduct field testing and have plans to keep updating Guide.


  • Terrible cloud security is leaving the door open for hackers. Here's what you're doing wrong

    Cloud applications and services are a prime target for hackers because poor cybersecurity management and misconfigured services are leaving them exposed to the internet and vulnerable to simple cyberattacks. Analysis of identity and access management (IAM) policies covering hundreds of thousands of users in 18,000 cloud environments across 200 organisations by cybersecurity researchers at Palo Alto Networks found that cloud accounts and services are leaving open doors for cyber criminals to exploit – and putting businesses and users at risk. The global pandemic pushed organisations and employees towards new ways of remote and hybrid working, with the aid of cloud services and applications. While beneficial to businesses and employees, it also created additional cybersecurity risks – and malicious hackers know this.


    “With the pandemic-induced transition to cloud platforms over the past several years, malicious actors have had an easier time than ever following their targets into the cloud,” said John Morello, vice president of Prisma Cloud at Palo Alto Networks.

    According to the research, 99% of cloud users, services and resources have excessive permissions. In most cases, these permissions and administrator privileges aren’t needed by regular users, but there’s the risk that, if cloud accounts are compromised, cyber attackers could take advantage of excess permissions to modify, create or delete cloud environment resources, as well as move around networks to expand the scope of attacks.

    Another practice that isn’t helping IT departments is poor password security: the majority of cloud accounts – 53% – allow weak passwords of under 14 characters, while 44% of cloud accounts allow the user to re-use a password that is linked to another account. Weak passwords are vulnerable to brute-force and credential-stuffing attacks, where cyber attackers use automated software to test weak passwords against accounts. Accounts will be at particular risk if the password used to secure them is especially common.

    Password re-use also creates a risk for cloud accounts. If the user has had their password for a separate account leaked or hacked, attackers will test it against their other accounts. If it’s the same password, they’ll be able to access the cloud account, which puts the user and the rest of the corporate cloud services at risk from further attacks.

    This risk is further exacerbated by cloud accounts being publicly exposed to the web in the first place. According to the research, almost two-thirds of organisations have cloud resources, such as buckets and databases, misconfigured in a way that means they can be accessed without the need for authentication at all. That means that cyber criminals don’t even need to breach credentials to steal sensitive information; they just need the URL. Identifying these buckets and servers, and ensuring they are not exposed on the open web, is a must for cybersecurity teams.

    For all cloud services, properly configured IAM can block unintended access, so make sure users are implementing complex, unique passwords – and their accounts should also be protected with multi-factor authentication. IT departments should also consider whether regular accounts need administrator privileges. While a legitimate user with this level of access might not be considered a risk, an intruder with admin access has the keys to the entire cloud kingdom.
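
To make the three IAM findings above concrete, here is an added Python audit (example code for this page, not Palo Alto Networks' tooling) that checks policy documents for a password policy allowing passwords under 14 characters or re-use, a resource policy open to any principal without a condition, and an administrator-equivalent wildcard grant. It assumes the JSON shapes of an AWS IAM account password policy and an IAM/S3 policy document; the sample documents, account ID and bucket name are constructed placeholders.

```python
import json

MIN_PASSWORD_LENGTH = 14  # threshold below which the research counted a password as weak


def audit_password_policy(policy: dict) -> list:
    """Flag an account password policy that permits short or re-used passwords."""
    findings = []
    min_len = policy.get("MinimumPasswordLength", 0)
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {min_len} is below {MIN_PASSWORD_LENGTH}")
    if policy.get("PasswordReusePrevention", 0) < 1:
        findings.append("previous passwords may be re-used (PasswordReusePrevention unset)")
    return findings


def _principal_is_anyone(principal) -> bool:
    """True for the wildcard principals that make a statement reachable without authentication."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _as_list(value) -> list:
    # Policy JSON allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy_document(doc: dict) -> list:
    """Flag Allow statements that are open to anyone, or admin-equivalent (Action * on Resource *)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if _principal_is_anyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"statement {i}: {actions} granted to anyone without a Condition")
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: wildcard Action on wildcard Resource (administrator-equivalent)")
    return findings


# Constructed samples (placeholder account ID and bucket name), shaped like real policy JSON.
WEAK_PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireNumbers": True}
STRONG_PASSWORD_POLICY = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24}

PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]}""")
LOCKED_DOWN_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]}""")
ADMIN_USER_POLICY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

In practice the documents would be fetched from the cloud provider's API and every finding reviewed against who actually needs the access, with MFA enforcement checked separately per user.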

  • This Windows malware aims to steal your social media passwords

    Cybersecurity researchers at Zscaler are warning about malware dubbed FFDroider that is designed to steal usernames and passwords, along with cookies, from infected Windows computers. FFDroider is mainly focused on stealing login credentials for social media websites, including Facebook, Instagram and Twitter, but it also steals passwords for Amazon, eBay and Etsy accounts. The malware can steal cookies from the Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge browsers. The information stolen by the trojan malware can be used to take control of accounts, steal personal information, commit fraud against victims, and could also provide attackers with a means of hacking other accounts if the same email and password are used to access them.


    Zscaler said it has observed “multiple” campaigns related to FFDroider, all of which are connected to a malicious program embedded in cracked versions of installers and freeware.

    To avoid being detected after installation, the malware disguises itself as the messenger application Telegram – although users who aren’t Telegram users might wonder why folders claiming to be that app have appeared. Once installed on a system, the malware monitors the actions of the victim and – when they enter their username and password into the targeted social media platforms – the information is stolen. FFDroider also steals cookies and saved login credentials from the browser.

    If stolen social media account credentials are linked to a business account, the malware also seeks out billing information, potentially enabling the attackers to steal bank payment details. The attackers could also use compromised Facebook or Instagram accounts of businesses to run malicious advertising campaigns, take control of additional accounts, steal more payment details, or spread the malware further. Social media accounts hold a lot of personal information, and stolen details are a prime commodity for cyber criminals, who can exploit the data to commit fraud themselves or sell it to others on underground forums.

    To stay safe from this particular campaign, people should be extremely wary of unexpected emails claiming to offer free software – especially if that software is something that usually must be paid for, as that’s often a clear sign that the download link can’t be trusted. It’s also helpful to apply multi-factor authentication across all social media platforms, as this helps to stop attackers from accessing accounts even if they have the right password. In any situation where you think your password might have been stolen, you should change it immediately.