More stories

  • There's been a big rise in phishing attacks using Microsoft Excel XLL add-ins

    A wave of cyber attacks is exploiting Microsoft Excel add-in files to deliver several forms of malware, in campaigns that could leave businesses exposed to data theft, ransomware and other cyber crime. Detailed by researchers at HP Wolf Security, the campaigns use malicious Microsoft Excel add-in (XLL) files to infect systems, and attacks using the technique rose 588% in the final quarter of 2021 compared with the previous three months, nearly seven times the earlier volume.

    XLL add-ins are popular because they let users add a wide range of extra tools and functions to Excel. Unlike a macro, an XLL is a native Windows DLL that Excel loads and executes directly, so, like macros, it is a capability that cyber criminals can abuse. The attacks are distributed via phishing emails themed around payment references, invoices, quotes, shipping documents and orders, with the malicious XLL files attached. Opening the file prompts the user to install and activate the add-in, which then silently runs the malware on the victim's machine.

    Malware families delivered in attacks using XLL files include Dridex, IcedID, BazaLoader, Agent Tesla, Raccoon Stealer, Formbook and BitRAT. Many of these can open backdoors on compromised Windows systems, giving attackers the ability to access machines remotely, monitor activity and steal data. The researchers also warn that such backdoors let attackers deliver further malware, including ransomware, meaning XLL attacks can serve as the first step toward encrypting networks and demanding large ransom payments. These XLL attacks are effective at compromising victims, something reflected in the prices charged for related services on underground forums.

    Some XLL Excel dropper services are advertised at over $2,000, which is expensive for commodity malware, but criminal forum users seem willing to pay the price. Beyond the XLL campaigns, the researchers note that QakBot, a prominent trojan often used as a precursor to ransomware attacks, is also abusing Excel to compromise victims. Attackers hijack existing email threads to deliver malicious Excel documents to their chosen victims, who receive a ZIP archive containing a Microsoft Excel Binary Workbook (XLSB); once the workbook is opened and allowed to run, QakBot is downloaded onto the machine. “Abusing legitimate features in software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly,” said Alex Holland, senior malware analyst at HP Wolf Security. “Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe,” he added. To avoid falling victim to the spate of attacks abusing XLL files, administrators are advised to configure email gateways to block incoming .xll attachments, to permit add-ins only from trusted partners, or to disable Excel add-ins entirely.
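A gateway rule that keys only on the .xll extension of a top-level attachment is a thin control: the QakBot example in the same report shows the lure arriving inside a ZIP, and an XLL is just a Windows DLL, so a practical filter has to look inside archives and at file content, not only at the name. The Python below is an added example and is not code from HP Wolf Security or from this article. It walks a message's attachments, descends into ZIP archives, flags .xll files and any file whose bytes start with a PE header regardless of its extension, and exempts add-ins only when the sender's domain is on a trusted-partner allowlist. The allowlist, the sample message and the attachment bytes are all constructed for illustration.

```python
"""Detect Excel add-in (XLL) attachments, including inside ZIP archives,
and decide whether a message should be quarantined.

Added example for this story; it is not code from HP Wolf Security or the
article. The trusted-partner allowlist, the sample message and the
attachment bytes built below are constructed for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ADDIN_EXTENSIONS = {".xll"}                    # blocked unless the sender is a trusted partner
TRUSTED_SENDER_DOMAINS = {"partner.example"}   # hypothetical allowlist
MAX_ARCHIVE_DEPTH = 2                          # nested ZIPs are a common wrapping trick


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def _looks_like_pe(data: bytes) -> bool:
    # An XLL is an ordinary Windows DLL, so it begins with the MZ DOS header.
    return data[:2] == b"MZ"


def iter_files(name, data, depth=0):
    """Yield (path, bytes) for an attachment and for every file inside a ZIP it carries."""
    yield name, data
    if _extension(name) == ".zip" and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        yield from iter_files(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass


def scan_message(raw: bytes) -> dict:
    """Return the sender domain, the findings and a deliver/quarantine decision."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = msg["From"].addresses[0].domain.lower()
    trusted = sender_domain in TRUSTED_SENDER_DOMAINS
    findings = []   # (path, reason, exempt)
    for part in msg.iter_attachments():
        top = part.get_filename() or "(unnamed)"
        for path, data in iter_files(top, part.get_payload(decode=True) or b""):
            if _extension(path) in ADDIN_EXTENSIONS:
                findings.append((path, "excel add-in", trusted))
            elif _looks_like_pe(data):
                # Executable content hiding behind a document extension is never exempt.
                findings.append((path, "PE executable with non-executable extension", False))
    quarantine = any(not exempt for _, _, exempt in findings)
    return {"sender_domain": sender_domain, "findings": findings,
            "action": "quarantine" if quarantine else "deliver"}


def build_sample_message(sender: str, include_disguised_pe: bool = True) -> bytes:
    """Construct a phishing-style message with a ZIP-wrapped XLL (sample data, not a real lure)."""
    fake_dll = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"   # just enough header to look like a DLL
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.xll", fake_dll)
        if include_disguised_pe:
            zf.writestr("Order.pdf", fake_dll)        # executable behind a .pdf name
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Payment reference 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_4471.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message("billing@attacker.example")))
```

Feed `scan_message` the raw bytes of a message pulled from the gateway's quarantine or journal; the result lists every offending path, including paths inside archives, so the triage note can name exactly what was found.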

  • FBI warns over Iranian cyber group, tells organizations to up their defenses

    The FBI has issued an alert detailing the tools, techniques and tactics of an Iranian group, giving US organizations tips to defend against its malicious cyber activities. Back in October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad for computer intrusion, computer fraud, voter intimidation, interstate threats and conspiracy offenses over their alleged participation in a campaign aimed at influencing and interfering with the 2020 US presidential election.


    The Department of the Treasury's Office of Foreign Assets Control designated Emennet, along with four members of the company's management and the two indicted employees, for attempting to influence the election. The Department of State's Rewards for Justice Program also offered up to $10 million for information on the two indicted actors. But the FBI's information indicates Emennet poses a broader cybersecurity threat beyond information operations. “Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel (hotels and airlines), oil and petrochemical, financial, and telecommunications, in the United States, Europe, and the Middle East,” it said. Emennet is known to use the virtual private network (VPN) services TorGuard, CyberGhost, NordVPN and Private Internet Access. The group also uses web searches to identify leading US business brands and then scans their websites for vulnerabilities to exploit. In some but not all cases the exploit attempts were targeted, and the group also tried to identify the hosting and shared-hosting services behind its targets.

    Emennet was particularly interested in finding webpages running PHP code and in identifying externally accessible MySQL databases, in particular phpMyAdmin. It was also keen on WordPress, the most popular CMS on the web, as well as Drupal and Apache Tomcat. “When conducting research, Emennet attempted to identify default passwords for particular applications a target may be using, and tried to identify admin and/or login pages associated with those same targeted websites. It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify,” the FBI warned. The bureau said the group has tried to leverage intrusions conducted by other actors for its own benefit, for example by searching for data hacked and leaked by others and by attempting to identify web shells that other actors may have placed or used. The group also uses a range of open-source penetration-testing and research tools, including SQLmap, and probably uses others: DefenseCode Web Security Scanner, Wappalyzer, DNSdumpster, a TinyMCE scanner, Netsparker, the WordPress security scanner WPScan, and Shodan.
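The reconnaissance the alert describes leaves a recognizable trail in ordinary web server logs: requests for phpMyAdmin, WordPress, Drupal and Tomcat admin pages from a source that has no business there, scanner user-agents such as sqlmap and WPScan, and bursts of POSTs to a login page that indicate default or common passwords being tried. The Python below is an added example and is not part of the FBI alert. It parses Apache combined-format lines, scores each source address against those indicators and returns the ones worth a closer look. The log lines are constructed, and the weights and alert threshold are assumptions a team would tune to its own traffic.

```python
"""Score web access logs for the reconnaissance pattern the FBI attributes
to Emennet: probes for phpMyAdmin, WordPress, Drupal and Tomcat admin
pages, scanner user-agents such as sqlmap and WPScan, and bursts of
login POSTs that indicate password guessing.

Added example, not part of the FBI alert; the log lines are constructed
in Apache combined format and the weights and alert threshold are
assumptions a team would tune to its own traffic.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Admin/login locations named in the alert, with assumed weights.
ADMIN_PATHS = {
    "/phpmyadmin": 3, "/pma": 3,                            # phpMyAdmin
    "/wp-login.php": 2, "/wp-admin": 2, "/xmlrpc.php": 2,   # WordPress
    "/user/login": 2,                                       # Drupal
    "/manager/html": 3,                                     # Apache Tomcat manager
}
LOGIN_PATHS = {"/wp-login.php", "/user/login", "/manager/html", "/phpmyadmin/index.php"}
SCANNER_UA = ("sqlmap", "wpscan", "netsparker")
LOGIN_BURST = 5          # POSTs to one login page from one source before we call it guessing
ALERT_THRESHOLD = 8


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_recon(lines):
    """Return {ip: {"score": int, "reasons": [...]}} for sources at or over the threshold."""
    per_ip = defaultdict(lambda: {"score": 0, "reasons": [], "login_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        path = rec["path"].split("?", 1)[0].lower()
        ua = rec["ua"].lower()
        for prefix, weight in ADMIN_PATHS.items():
            if path == prefix or path.startswith(prefix + "/"):
                entry["score"] += weight
                entry["reasons"].append(f"admin probe {rec['method']} {path} -> {rec['status']}")
                break
        if any(tag in ua for tag in SCANNER_UA):
            entry["score"] += ALERT_THRESHOLD   # a known scanner UA is enough on its own
            entry["reasons"].append(f"scanner user-agent: {rec['ua']}")
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            entry["login_posts"] += 1
            if entry["login_posts"] == LOGIN_BURST:
                entry["score"] += 5
                entry["reasons"].append(f"{LOGIN_BURST}+ POSTs to a login page (password guessing)")
    return {ip: e for ip, e in per_ip.items() if e["score"] >= ALERT_THRESHOLD}


# Constructed sample traffic: one prober, one sqlmap run, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2022:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jan/2022:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jan/2022:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Jan/2022:10:05:00 +0000] "GET /?id=1%27 HTTP/1.1" 200 512 "-" "sqlmap/1.5.12#stable (https://sqlmap.org)"',
    '192.0.2.44 - - [27/Jan/2022:10:06:00 +0000] "GET /about HTTP/1.1" 200 3200 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0)"',
] + [
    f'203.0.113.7 - - [27/Jan/2022:10:01:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
    for i in range(LOGIN_BURST)
]

if __name__ == "__main__":
    for ip, entry in flag_recon(SAMPLE_LOG).items():
        print(ip, entry["score"], *entry["reasons"], sep="\n  ")
```

Run it over a day of access logs with `flag_recon(open(path))`; the per-source reasons are what an analyst needs to decide between blocking the address and checking whether the probed admin page is actually exposed with a default password.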

  • EyeMed agrees $600,000 settlement over 2020 data breach

    EyeMed has agreed to pay $600,000 in penalties to settle a case over a 2020 data breach that exposed the information of roughly 2.1 million consumers.

    The agreement was announced this week. According to New York Attorney General Letitia James, the breach exposed sensitive information including names, mailing addresses, full or partial Social Security numbers, dates of birth, driver's license numbers, healthcare IDs, diagnoses and condition notes, and treatment information. Of the 2.1 million individuals involved, 98,632 were New York state residents. Based in Cincinnati, Ohio, EyeMed Vision Care is a network provider for independent optometrists, opticians and ophthalmologists, as well as eye doctors in retail settings, and serves over 60 million members. According to court documents (.PDF), on or around June 24, 2020, an unknown attacker used stolen credentials to log in to an enrollment email account used by EyeMed. Over the course of a week, the attacker was able to view correspondence and access sensitive consumer data. The attacker was in a position to exfiltrate that data, but the forensics firm hired to investigate the incident could not determine whether any consumer information was actually taken. In July, the attacker used the account to send roughly 2,000 phishing emails to EyeMed clients.

    “The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker,” the settlement document reads. EyeMed was alerted to the intrusion once the scam messages went out and removed the attacker from its systems. It took a further two months before affected clients began to be notified, and because notification was done on a rolling basis, some were still being told as late as January 2021. Clients have been offered credit monitoring, fraud consultation and identity theft restoration; for affected minors, EyeMed has also offered a Social Security number trace. The Office of the Attorney General launched its own investigation into the breach and concluded that the compromised email account was not protected with multi-factor authentication (MFA). “Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information,” the office says. “The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.” Under the terms of the agreement, EyeMed will pay the state of New York penalties totaling $600,000. The company must also improve its cybersecurity posture and maintain “reasonable” account management controls, including MFA for remote and administrative access, and must encrypt sensitive information collected from consumers. Consumer information that is no longer needed must be permanently deleted, and a penetration testing program must be put in place to identify vulnerabilities and other security issues in the EyeMed network.
    “New Yorkers should have every assurance that their personal health information will remain private and protected,” commented Attorney General James. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest.” ZDNet has reached out to EyeMed with additional queries, and we will update when we hear back. Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • This phishing attack uses an unusual trick to spread further

    Microsoft has raised the alarm about a multi-phase phishing campaign that first registers an attacker-controlled device in a target company's Azure Active Directory tenant and then uses that trusted position to send thousands of convincing phishing emails to further targets. Registering the device, according to Microsoft, was intended to avoid detection during the later phishing waves.

    Microsoft says “most” organizations that had enabled multi-factor authentication (MFA) for Office 365 were not affected by the phishing emails sent from attacker-controlled registered devices, but those that had not enabled MFA were. The attack exploited cases where MFA was not enforced when registering a new device with Azure Active Directory (Azure AD), Microsoft's identity service, or when enrolling a BYOD device in a mobile device management (MDM) platform such as Microsoft Intune. “While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack’s propagation heavily relied on a lack of MFA protocols,” Microsoft said. “Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain,” it added.

    The first wave of the attack targeted organizations in Australia, Singapore, Indonesia and Thailand, according to Microsoft. “Hundreds” of credentials stolen in this phase were then used in the second phase, where a device was registered or enrolled, allowing broader penetration of the target. The first phase relied on a DocuSign-branded phishing email asking the recipient to review and sign a document. It used phishing domains registered under the .xyz top-level domain (TLD), and each email's phishing link was uniquely generated and contained the target's name in the URL. The link directed victims to a spoofed Office 365 login page. With the stolen credentials, the attackers connected to Exchange Online PowerShell and created inbox rules that deleted messages based on keywords in the subject or body, including ‘junk’, ‘spam’, ‘phishing’, ‘hacked’, ‘password’ and ‘with you’, most likely to keep the victim from seeing warnings and to avoid detection. In the second phase, the attackers installed Microsoft's Outlook email client on their own Windows 10 PC, which was then successfully connected to the victim's Azure AD. All the attackers had to do was accept Outlook's onboarding prompt to register the device, supplying the credentials acquired in phase one. “An Azure AD MFA policy would have halted the attack chain at this stage,” Microsoft notes. Azure AD does log and time-stamp new device registrations, which gives defenders a signal to hunt on. But with compromised credentials and a registered Windows 10 device running Outlook, the attackers could launch the second phase, sending “lateral, internal, and outbound” phishing messages to over 8,500 other email accounts. These messages used a SharePoint invitation to view a “Payment.pdf” file.
“By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.”      


    Accounts whose owners clicked the link in the second wave were likewise given inbox rules that deleted emails containing the same keywords used in the first wave. Microsoft offers guidance for security teams on revoking active sessions and tokens of compromised accounts, deleting unwanted mailbox rules and disabling rogue devices registered in Azure AD. Notably, Microsoft says organizations can reduce their attack surface by disabling basic authentication in Exchange Online and by disabling Exchange Online PowerShell for end users. Admins can also enforce Conditional Access policies. Microsoft in February announced that, due to the pandemic, it was delaying its plan to turn off basic authentication in Exchange Online for legacy email authentication protocols such as Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB. That move would eliminate instances where single-factor authentication is used. Microsoft's replacement for basic authentication, dubbed Modern Authentication, supports both Conditional Access and MFA. Microsoft in September said it would “begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth”, from October 1, 2022.
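The inbox rules described above, which delete anything whose subject or body mentions ‘junk’, ‘spam’, ‘phishing’, ‘hacked’, ‘password’ or ‘with you’, are a detectable artifact in their own right: a legitimate user rarely writes a rule to destroy security warnings. The Python below is an added example and is not Microsoft's code. It triages a list of rules exported from a mailbox, using dictionary keys that mirror the property names Exchange Online's Get-InboxRule cmdlet exposes (SubjectContainsWords, BodyContainsWords, SubjectOrBodyContainsWords, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo, MarkAsRead). The sample rules, the list of folders used to hide mail and the tenant domain are constructed. It also flags forwarding outside the tenant, which the article does not mention but which belongs in the same hunt.

```python
"""Triage mailbox inbox rules for the pattern used in this campaign: rules
that silently delete or hide messages whose subject or body mentions
'junk', 'spam', 'phishing', 'hacked', 'password' or 'with you', plus
forwarding outside the tenant.

Added example; not Microsoft's code. Field names follow the properties
Exchange Online's Get-InboxRule exposes, and the sample rules, hiding
folders and tenant domain are constructed.
"""
SECURITY_KEYWORDS = {"junk", "spam", "phishing", "hacked", "password", "with you"}
# Folders attackers move mail into so the owner never sees it (assumed list).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}
INTERNAL_DOMAINS = {"victim.example"}   # assumed tenant domains


def _words(rule, *fields):
    out = []
    for field in fields:
        out.extend(w.lower() for w in (rule.get(field) or []))
    return out


def triage_rule(rule):
    """Return the reasons a rule looks malicious; an empty list means nothing was found."""
    reasons = []
    words = _words(rule, "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
    keyword_hits = sorted({w for w in words if w in SECURITY_KEYWORDS})
    folder = (rule.get("MoveToFolder") or "").lower()   # e.g. "user@tenant:\Deleted Items"
    hides = bool(rule.get("DeleteMessage")) or any(f in folder for f in HIDING_FOLDERS)
    if keyword_hits and hides:
        reasons.append("deletes/hides mail mentioning " + ", ".join(keyword_hits))
    for target in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []):
        domain = target.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            reasons.append(f"forwards mail outside the tenant to {target}")
    if reasons and rule.get("MarkAsRead"):
        reasons.append("marks matched mail as read so no unread count gives it away")
    return reasons


def triage_mailbox(rules):
    """Map rule name -> reasons for every rule that produced at least one reason."""
    result = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            result[rule["Name"]] = reasons
    return result


# Constructed sample: one campaign-style rule, one benign rule, one exfiltration rule.
SAMPLE_RULES = [
    {"Name": "Cleanup", "Enabled": True,
     "SubjectOrBodyContainsWords": ["junk", "spam", "phishing", "hacked", "password", "with you"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Invoices", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "user@victim.example:\\Invoices"},
    {"Name": ".", "Enabled": True,          # attackers often use a bare dot as the rule name
     "SubjectContainsWords": ["payment"], "MoveToFolder": "user@victim.example:\\RSS Feeds",
     "ForwardTo": ["archive@attacker.example"]},
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES).items():
        print(repr(name), *reasons, sep="\n  ")
```

The usual workflow is to export rules for every mailbox in the tenant to JSON, run `triage_mailbox` over each, and treat any hit on the security-keyword check as a compromised account rather than a policy violation, because that rule only makes sense to someone who expects a warning to arrive.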

  • DeepDotWeb operator sentenced to eight years behind bars

    The operator of the DeepDotWeb platform has been sentenced to just over eight years in prison. 


    This week, the US Department of Justice (DoJ) said that Tal Prihar's 97-month sentence was based on a charge of conspiracy to commit money laundering, to which Prihar pleaded guilty last year. Owned by Prihar and co-defendant Michael Phan, DeepDotWeb (DDW) started operating in 2013 and provided a platform for dark web news and links to marketplaces, redirecting visitors to the markets' .onion addresses, Tor hidden services that standard search engines on the clear web do not reach or index. The website was seized by law enforcement in 2019. According to US prosecutors, both defendants earned substantial profits from these links through kickbacks paid by the underground marketplaces, where goods and services on offer included hacking tools, firearms, drugs and stolen data collections. Prihar and Phan received 8,155 Bitcoin (BTC), worth roughly $8.4 million at the time they were paid and substantially more today, and the funds were moved through cryptocurrency wallets and traditional bank accounts held in the names of shell companies. In April 2021, Prihar pleaded guilty to his role in DDW and agreed to forfeit $8,414,173.

    His co-conspirator is currently in Israel and extradition proceedings are underway. The investigation into DDW involved the FBI's Pittsburgh Field Office, French authorities, Europol, the IRS, German law enforcement, the Israeli National Police and the UK's National Crime Agency (NCA), among other organizations. In other dark web news this week, law enforcement seized and shut down Canadian HeadQuarters, a large marketplace for spam services, phishing kits, stolen credential dumps and access to compromised machines. Four individuals allegedly linked to the marketplace have also been fined.

  • Konni remote access Trojan receives 'significant' upgrades

    The Konni remote access Trojan (RAT) has recently received “significant” updates, researchers say, urging the community to keep a close eye on the malware.

    On Wednesday, cybersecurity firm Malwarebytes published an advisory on the malware's latest developments, noting that the Trojan is under active development and has undergone “major” changes. Konni has been detected in the wild for roughly eight years. A 2017 report on the malware by BlackBerry said it used “basic” anti-analysis techniques and was employed for surveillance rather than the financially motivated attacks typically linked to RATs. Past campaigns have hinted strongly at a link with North Korea: phishing documents used to spread the Trojan tend to carry themes connected to the country, including missile capabilities, hydrogen bombs and articles copied from the Yonhap news agency. The attached documents carried the payload, and once executed on a Windows machine Konni would gather data by grabbing files, logging keystrokes and capturing the screen. Konni is believed to be the work of the Kimsuky threat group, which has attacked South Korean think tanks, political groups in Russia, and entities in both Japan and the United States. According to Malwarebytes, the old Trojan has now evolved into a “stealthier” version of itself. New samples show that the phishing attack vector has largely stayed the same, with the payload deployed through malicious Office documents, but the Trojan itself, a DLL paired with an .ini configuration file, now contains revised functionality.

    Older versions of the RAT had two execution branches, one running as a Windows service under svchost.exe and one loaded via rundll32.exe, and both strings were visible in the binary. Malwarebytes explained: “New samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages.” The malware has also moved from base64 encoding to AES encryption to protect and obfuscate its strings. In addition, Konni now uses AES when configuration and support files are dropped, such as the .ini file that holds the command-and-control (C2) server address, and when files are sent to the C2. Some recent Konni samples also used a previously unknown packer, but the firm's threat data suggests it may not have been used in real-world attacks. “As we have seen, Konni is far from being abandoned,” Malwarebytes commented. “The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted.” Earlier this month, Cisco Talos documented a campaign in which cloud infrastructure from vendors including Microsoft Azure and Amazon Web Services (AWS) was abused to spread commercial RATs. Strains including Nanocore, Netwire and AsyncRAT were deployed by the operators, who also abused DuckDNS to facilitate the download of malicious packages.

  • Canadian officials take down dark web marketplace, issue $300,000 in fines

    Officials with the Canadian Radio-television and Telecommunications Commission (CRTC) said they took down the dark web marketplace Canadian HeadQuarters on Wednesday and fined four of those involved in the platform. In a statement, CRTC chief compliance and enforcement officer Steven Harroun said Canadian HeadQuarters, also known as Canadian HQ, was “one of the largest Dark Web marketplaces in the world and significantly contributed to harmful cyber activity in Canada.” CRTC staff executed warrants in the greater Montreal area through 2020 and 2021 that led to the marketplace being taken offline. They also issued fines to Chris Tyrone Dracos, Marc Anthony Younes, Souial Amarak and Moustapha Sabir: Dracos was fined $150,000 and the other three $50,000 each. The four are accused of sending phishing emails in violation of Canada's anti-spam legislation (CASL); Dracos received the larger fine because he is allegedly the “creator and administrator” of Canadian HQ. “Some Canadians are being drawn into malicious cyber activity, lured by the potential for easy money and social recognition among their peers. This case shows that anonymity is not absolute online and there are real-world consequences when engaging in these activities,” Harroun said. “Canadian Headquarters was one of the most complex cases our team has tackled since CASL came into force. I would like to thank the cyber-security firm Flare Systems, the Sûreté du Québec and the RCMP’s National Division for their invaluable assistance. Our team is committed to investigating CASL non-compliance on all fronts.” The CRTC explained that the marketplace allowed people to sell spamming services, phishing kits, stolen credentials and access to compromised computers. Since CASL came into force, the commission has issued penalties of more than $1.4 million.

    Canadian officials noted that the investigation uncovered several other cybercriminal vendors and that more “enforcement actions” are planned. On the same day, the US Department of Justice said Canadian national Slava Dmitriev was sentenced to three years in prison for access device fraud after selling more than 1,700 stolen identities on the dark web. He was arrested in Greece while on vacation and extradited to the US in January 2021. “Dmitriev stole the identities of hard-working citizens of the United States and thought he was safe from prosecution while overseas,” said Phil Wislar, Acting Special Agent in Charge of FBI Atlanta. Operating as “GoldenAce”, Dmitriev sold 1,764 items on AlphaBay for approximately $100,000, offering customers stolen names, dates of birth, Social Security numbers and other personally identifiable information.

  • White House rolls out zero trust strategy for federal agencies

    The Biden administration has released a new cybersecurity strategy for federal agencies that moves the government toward a “zero trust” security model. The nearly 30-page plan lays out dozens of measures agencies must take over the next two years to secure systems and limit the risk of security incidents. The government is still recovering from the SolarWinds compromise, in which Russian hackers spent months inside systems at multiple US agencies. Agencies have until the end of fiscal year 2024 to put in place many of the measures described in the plan, including stricter network segmentation, multi-factor authentication and widespread encryption. Departments are given 60 or 120 days to appoint leads for implementing the measures and for classifying certain information by sensitivity. The White House said the growing threat of sophisticated cyberattacks “underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.” “The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm that will help protect our nation. These goals are directly aligned with and support existing zero trust models,” the White House explained. The move is part of a larger effort to secure the country's systems that began last year with an executive order and other measures. In September, the White House released a first draft of the strategy, and it now says the final version incorporates additional input from cybersecurity experts, companies and non-profits. The White House noted that the recent Log4j vulnerability is “the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.”

    CISA Director Jen Easterly said zero trust is a key element of the effort to modernize and strengthen the government's defenses. “As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” Easterly said. “CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.” A number of organizations came out in support of the move, noting that the federal government has needed to update its security posture and do more to lock down certain systems. Phil Venables, CISO at Google Cloud, said the company has long advocated for the adoption of modern security approaches like zero trust and would support the federal government “as it embarks upon its zero trust journey.” Tim Erlin, VP of strategy at Tripwire, called the memorandum a substantial step forward for cybersecurity across the US government but said it is “unfortunate” that it does not provide a clearer role for what NIST identifies as one of the key tenets of zero trust: integrity monitoring. “Documents from both CISA and NIST include integrity monitoring as a key component of zero trust, but the OMB memorandum doesn’t include similar treatment. This memorandum includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology,” Erlin said. “EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response. The cybersecurity technology landscape moves quickly, and there’s a real risk that agencies will find themselves required to implement and run a superseded capability.”