In the last few months, multiple groups of attackers successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the UK, Netherlands, Hong Kong, and Singapore.
Dubbed ‘PerSwaysion,’ the newly spotted cyberattack campaign leveraged Microsoft file-sharing services—including Sway, SharePoint, and OneNote—to launch highly targeted phishing attacks.
According to a report the Group-IB Threat Intelligence team published today and shared with The Hacker News, PerSwaysion operations targeted executives of more than 150 companies around the world, primarily businesses in the finance, law, and real estate sectors.
“Among these high-ranking officer victims, more than 20 Office365 accounts of executives, presidents, and managing directors appeared.”
So far successful and still ongoing, most PerSwaysion operations were orchestrated by scammers from Nigeria and South Africa who used a phishing kit built on the Vue.js JavaScript framework, evidently developed by, and rented from, Vietnamese-speaking hackers.
“By late September 2019, the PerSwaysion campaign had adopted a much more mature technology stack, using Google appspot for phishing web application servers and Cloudflare for data backend servers.”
Like most phishing attacks aiming to steal Microsoft Office 365 credentials, the fraudulent emails sent as part of the PerSwaysion operation lured victims with a non-malicious PDF attachment containing a ‘read now’ link to a file hosted with Microsoft Sway.
“The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection,” the researchers said.
Next, the specially crafted presentation page on Microsoft Sway service further contains another ‘read now’ link that redirects users to the actual phishing site—waiting for the victims to enter their email account credentials or other confidential information.
Once the credentials are stolen, the attackers immediately move on to the next step: they download the victim’s email data from the server over IMAP and then impersonate the victim to target people who have had recent email communication with them and who hold important roles in the same or other companies.
“Finally, they generate new phishing PDF files with the current victim’s full name, email address, legal company name. These PDF files are sent to a selection of new people who tend to be outside of the victim’s organization and hold significant positions. The PerSwaysion operators typically delete impersonating emails from the outbox to avoid suspicion.”
“Evidence indicates that scammers are likely to use LinkedIn profiles to assess potential victim positions. Such a tactic reduces the possibility of early warning from the current victim’s co-workers and increases the success rate of new phishing cycle.”
Though there’s no clear evidence on how attackers are using compromised corporate data, researchers believe it can be ‘sold in bulk to other financial scammers to conduct traditional monetary scams.’
Group-IB has also set up an online web page where anyone can check whether their email address was compromised as part of the PerSwaysion attacks—however, you should only use it and enter your email address if you have strong reason to expect that you were targeted.
- Published in Insights
The Coronavirus is hitting the world’s economy hard, creating a high level of uncertainty within organizations.
Cybersecurity firm Cynet today revealed new data showing that the Coronavirus now has a significant impact on information security and that the crisis is being actively exploited by threat actors.
In light of these insights, Cynet has also shared a few ways to prepare for the Coronavirus-derived threat landscape and offers a solution to protect employees who are working from home on their personal computers because of the Coronavirus.
The researchers identify two main trends – attacks that aim to steal remote user credentials and weaponized email attacks:
Remote User Credential Theft
The direct impact of the Coronavirus is a comprehensive quarantine policy that compels multiple organizations to allow their workforce to work from home to maintain business continuity.
This inevitably entails shifting a significant portion of the workload to be carried out remotely, introducing an exploitable opportunity for attackers.
The opportunity attackers see is the mass use of remote login credentials to organizational resources, far exceeding the norm. As a result, remote connections are being established by employees and devices that have never done so before, meaning that an attacker could easily conceal a malicious login without being detected by the target organization’s security team.
Cynet’s global threat telemetry from the recent three weeks reveals that Italy features a sharp spike in phishing attacks in comparison to other territories, indicating that attackers are hunting in full force for user credentials.
In addition, the researchers detected a corresponding spike both in anomalous logins to its customers’ environments and in customers actively reaching out to CyOps (Cynet MDR) to investigate suspicious logins to critical resources.
Correlating the two spikes confirms that attackers are actively exploiting the Coronavirus-derived havoc.
Weaponized Email Attacks
Employees who work from home often do so from their personal computers, which are significantly less secure than organizational ones, making them more vulnerable to malware attacks.
Cynet also released figures today that support this claim, showing a double spike in email-based attacks among its customers in Italy:
A closer look at the attacks reveals that they pose a considerable threat to organizations that do not have advanced protection in place:
While 21% of these emails featured simplistic attacks with a link to download a malicious executable embedded in the email body, the vast majority included more advanced capabilities such as malicious macros and exploits, or redirection to malicious websites – a challenge that surpasses the capabilities of most AV and email protection solutions.
Taking a closer look at how these attacks were blocked confirms that they should be regarded as a severe risk:
‘The fact that only about 10% of the malware in these attacks was identified by its signature indicates that the attackers behind these campaigns are using advanced attacking tools to take advantage of the situation’, says Eyal Gruner, CEO and Co-Founder of Cynet.
Moreover, there is another aspect to the Coronavirus impact. In many cases, the functioning of the security team itself is impaired due to missing team members in quarantine, making the detection of malicious activity even harder.
From conversations with these companies, it turns out that the operations of many security teams are significantly disrupted by quarantined team members, causing them to use Cynet’s MDR service more often to compensate for the lack of staff.
‘We have reached out to our customers in Italy’, says Gruner, ‘and they have confirmed that a significant part of their workforce works from home these days.’
To sum up the situation in Italy: employees working from home, security teams that are not fully operational, and a general atmosphere of uncertainty create ideal conditions for attackers who seek to monetize the new situation through phishing, social engineering, and weaponized emails.
The data from Cynet’s Italian install base should serve as an illustrative example of the cyber effect in a territory where Coronavirus has a high prevalence. While this is not yet the case for other countries, the rapid Coronavirus spread implies that the cyber threat landscape in Italy would soon be duplicated in other geolocations as well.
In order to efficiently confront these threats, CISOs should evaluate the defenses they have in place and see whether they provide protection against phishing and malicious logins.
As a breach protection platform, Cynet introduces a dedicated offering tailored to the new Coronavirus related cyber risks.
For both existing and new customers, Cynet will allow, free of charge (for 6 months), the deployment of its product, Cynet 360, on personal computers used by employees working from home.
Cynet is massively adding staff to CyOps, its MDR services team, to be able to cover for companies with reduced security staff because of the Coronavirus.
- Published in Insights
A cybersecurity researcher today publicly disclosed technical details and proof-of-concept exploits for four unpatched zero-day vulnerabilities affecting an enterprise security product offered by IBM, after the company refused to acknowledge the responsibly submitted disclosure.
The affected premium product is IBM Data Risk Manager (IDRM), which is designed to analyze an organization’s sensitive business information assets and determine the associated risks.
According to Pedro Ribeiro of the firm Agile Information Security, IBM Data Risk Manager contains three critical-severity vulnerabilities and one high-impact bug, all listed below, which can be exploited by an unauthenticated attacker with network access to the appliance and which, when chained together, lead to remote code execution as root.
- Authentication Bypass
- Command Injection
- Insecure Default Password
- Arbitrary File Download
Ribeiro successfully tested the flaws against IBM Data Risk Manager versions 2.0.1 through 2.0.3, which are not the latest versions of the software, but he believes they also work from 2.0.4 through the newest version, 2.0.6, because “there is no mention of fixed vulnerabilities in any change log.”
“IDRM is an enterprise security product that handles very sensitive information. A compromise of such a product might lead to a full-scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company,” Ribeiro said.
Critical Zero-Day Vulnerabilities in IBM Data Risk Manager
In brief, the authentication bypass flaw exploits a logical error in the session ID feature to reset the password for any existing account, including the administrator.
The command injection flaw resides in the way IBM’s enterprise security software lets users perform network scans using Nmap scripts, which can carry attacker-supplied commands.
According to the vulnerability disclosure, the IDRM virtual appliance also ships with a built-in administrative user, with username “a3user” and default password “idrm,” that can SSH in and run sudo commands; if left unchanged, it could let remote attackers take complete control of the targeted system.
The last vulnerability resides in an API endpoint that allows authenticated users to download log files from the system. However, according to the researcher, one of the parameters to this endpoint suffers from a directory traversal flaw that could let malicious users download any file from the system.
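As an added illustration of the directory-traversal class behind the arbitrary-file-download bug (example code written for this page, not IBM’s code and not a reproduction of the IDRM endpoint), here is a naive log-file resolver beside a hardened one; the base directory and function names are assumptions:

```python
from pathlib import Path


def resolve_log_vulnerable(base_dir: str, requested: str) -> Path:
    """Naive join: a requested name such as '../../etc/passwd' walks out of base_dir.

    This mirrors the bug class described above, not IDRM's actual code.
    """
    return (Path(base_dir) / requested).resolve()


def resolve_log_hardened(base_dir: str, requested: str) -> Path:
    """Canonicalise and keep only names that land directly inside base_dir.

    Rejects empty names, '.' / '..', absolute paths (a join with an absolute
    path discards base_dir) and anything containing a separator, then re-checks
    after resolve() so symlinks or encoding tricks cannot slip past the string
    checks. A real handler would additionally verify that the file exists.
    """
    if not requested or requested in (".", "..") or "/" in requested or "\\" in requested:
        raise ValueError("invalid log file name: %r" % requested)
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate.parent != base:
        raise ValueError("path escapes log directory: %r" % requested)
    return candidate


def escapes_base(base_dir: str, requested: str) -> bool:
    """True when the naive join resolves outside base_dir (what the vulnerable handler would serve)."""
    base = Path(base_dir).resolve()
    target = resolve_log_vulnerable(base_dir, requested)
    return base not in target.parents


def is_allowed(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this name?"""
    try:
        resolve_log_hardened(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("app.log", "../../etc/passwd", "/etc/passwd"):
        print(name, "naive escapes:", escapes_base("logs", name), "hardened allows:", is_allowed("logs", name))
```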
Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.
Ribeiro claims to have reported this issue to IBM via CERT/CC, and in response the company refused to accept the vulnerability report, saying: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers.”
In response Ribeiro said, “In any case, I did not ask or expect a bounty since I do not have a HackerOne account and I don’t agree with HackerOne’s or IBM’s disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it.”
The Hacker News has reached out to IBM, and we will update the article as more information becomes available.
Update:
An IBM spokesperson told The Hacker News that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”
- Published in Insights
Exfiltrating Data from Air-Gapped Computers Using Screen Brightness
It may sound creepy and unreal, but hackers can also exfiltrate sensitive data from your computer by simply changing the brightness of the screen, new cybersecurity research shared with The Hacker News revealed.
In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can’t connect wirelessly or physically with other computers or network devices.
These clever ideas rely on exploiting little-noticed emissions of a computer’s components, such as light, sound, heat, radio frequencies, or ultrasonic waves, and even using the current fluctuations in the power lines.
Attackers may, for instance, be able to sabotage a supply chain to infect an air-gapped computer, but they can’t always count on an insider to unknowingly carry a USB drive with the data back out of the targeted facility.
When it comes to high-value targets, these unusual techniques, which may sound theoretical and useless to many, could play an important role in exfiltrating sensitive data from an infected but air-gapped computer.
How Does the Brightness Air-Gapped Attack Work?
In his latest research with fellow academics, Mordechai Guri, the head of the cybersecurity research center at Israel’s Ben Gurion University, devised a new covert optical channel using which attackers can steal data from air-gapped computers without requiring network connectivity or physically contacting the devices.
“This covert channel is invisible, and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys, and passwords), and modulate it within the screen brightness, invisible to users,” the researchers said.
The fundamental idea behind encoding and decoding the data is similar to the previous cases: the malware encodes the collected information as a stream of bytes and then modulates it as a signal of ‘1’s and ‘0’s.
In this case, the attacker uses small changes in the LCD screen brightness, which remain invisible to the naked eye, to covertly modulate binary information in Morse-code-like patterns.
“In LCD screens each pixel presents a combination of RGB colors which produce the required compound color. In the proposed modulation, the RGB color component of each pixel is slightly changed.”
“These changes are invisible, since they are relatively small and occur fast, up to the screen refresh rate. Moreover, the overall color change of the image on the screen is invisible to the user.”
The attacker, on the other hand, can collect this data stream using video recording of the compromised computer’s display, taken by a local surveillance camera, smartphone camera, or a webcam and can then reconstruct exfiltrated information using image processing techniques.
As shown in the video demonstration shared with The Hacker News, the researchers infected an air-gapped computer with specialized malware that intercepts the screen buffer and modulates the data using ASK (amplitude-shift keying) by modifying the brightness of the bitmap according to the current bit (‘1’ or ‘0’).
You can find detailed technical information on this research in the paper [PDF] titled, ‘BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness,’ published yesterday by Mordechai Guri, Dima Bykhovsky and Yuval Elovici.
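To make the ASK modulation concrete, here is an added simulation of the channel described above (written for this page, not the researchers’ code): the transmitter emits one mean-brightness value per frame, a constructed noisy camera capture sits in between, and the receiver recovers the bytes. Frame rate, symbol length, brightness step and sync preamble are assumptions; the preamble is what lets a receiver (or a detector watching for this pattern) find the two signal levels.

```python
import random

FRAMES_PER_BIT = 4              # assumed: each bit is held for 4 captured frames
STEP = 3.0                      # assumed: +3/255 mean-brightness shift for a '1', below what the eye notices
PREAMBLE = [1, 0, 1, 0, 1, 1]   # assumed sync pattern; guarantees both levels appear before the data


def bytes_to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, whole, 8))


def modulate(data: bytes, baseline: float = 120.0) -> list:
    """Transmitter: one mean-brightness sample per frame (ASK: '1' = baseline + STEP, '0' = baseline)."""
    frames = []
    for bit in PREAMBLE + bytes_to_bits(data):
        frames.extend([baseline + STEP * bit] * FRAMES_PER_BIT)
    return frames


def add_camera_noise(frames: list, seed: int = 7) -> list:
    """Constructed +/-0.5 level sensor noise, so the receiver must average a symbol rather than read one frame."""
    rng = random.Random(seed)
    return [f + rng.uniform(-0.5, 0.5) for f in frames]


def demodulate(frames: list) -> bytes:
    """Receiver: average each symbol, threshold midway between the two observed levels, strip the preamble."""
    whole = len(frames) - len(frames) % FRAMES_PER_BIT
    levels = [sum(frames[i:i + FRAMES_PER_BIT]) / FRAMES_PER_BIT for i in range(0, whole, FRAMES_PER_BIT)]
    threshold = (min(levels) + max(levels)) / 2      # both levels are present thanks to the preamble
    bits = [1 if lvl > threshold else 0 for lvl in levels]
    for start in range(len(bits) - len(PREAMBLE) + 1):   # locate the sync pattern in the capture
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            return bits_to_bytes(bits[start + len(PREAMBLE):])
    return b""


def roundtrip(data: bytes) -> bytes:
    """Whole channel: modulate, pass through the noisy capture, demodulate."""
    return demodulate(add_camera_noise(modulate(data)))


if __name__ == "__main__":
    print(roundtrip(b"key=42"))   # b'key=42'
```

With the noise bounded at half a level and the step at three levels, the per-symbol averages stay on the correct side of the midpoint threshold; a larger step would be more visible, a smaller one would need longer symbols or error correction.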
Popular Air-Gapped Data Exfiltration Techniques
It’s not the first time Ben-Gurion researchers have come up with a covert technique to target air-gapped computers. Their previous research on hacking air-gapped machines includes:
- PowerHammer attack to exfiltrate data from air-gapped computers through power lines.
- MOSQUITO technique using which two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves.
- BeatCoin technique that could let attackers steal private encryption keys from air-gapped cryptocurrency wallets.
- aIR-Jumper attack that takes sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
- MAGNETO and ODINI techniques that use CPU-generated magnetic fields as a covert channel between air-gapped systems and nearby smartphones.
- USBee attack that can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors.
- DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer.
- BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys.
- AirHopper that turns a computer’s video card into an FM transmitter to capture keystrokes.
- Fansmitter technique that uses noise emitted by a computer fan to transmit data.
- GSMem attack that relies on cellular frequencies.
- Published in Insights