Month: March 2021

What’s going on?
In case you’ve missed the news – hundreds of thousands of Microsoft Exchange Server systems worldwide are thought to have been compromised by hackers, who exploited zero-day vulnerabilities to steal emails.

Victims have included the European Banking Authority.

The attacks began seemingly specifically targeting organisations, but has now broadened and escalated dramatically.

As a consequence, there is a good chance that many small business, corporate, and government victims of the attack are currently unaware that they have fallen victim.

What’s a zero-day vulnerability?
“Zero-day” means that the people responsible for patching the vulnerability had zero days to do it before the flaw was exposed or exploited by malicious hackers.

In short, an official security patch has not been released – and malicious hackers may have already taken advantage of the flaw.

My business uses Microsoft Exchange – are we at risk? How do we patch?
The first thing to ask yourself is which flavour of Microsoft Exchange your company uses.

The vulnerabilities reside in the on-premises editions of Microsoft Exchange Server. It is not present in the cloud-based Exchange Online or Microsoft 365 (formerly O365) email services.

Who is behind the attacks?
In a blog post, Microsoft said that it believed a Chinese state-sponsored hacking group called “Hafnium” were behind the attacks.

China has denied any involvement.

However, the release of the security patches and the tardiness of some organisations to defend themselves has almost inevitably encouraged other hackers to also target vulnerable systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) says that it is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”

Is this any way connected to the SolarWinds attack that people started talking about a few weeks ago? That was being widely blamed on Russia.
Microsoft has said that it has seen “no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”

So how can I fix this for my company?
Microsoft issued patches for the critical vulnerabilities in Microsoft Exchange Server last week, and recommended that vulnerable organisations apply them as a matter of urgency.

If your company is not in a position to immediately patch, then you should make yourself familiar with the alternative mitigations suggested by Microsoft, and limiting or blocking external access to internet-facing Exchange servers.

The best advice, however, is to patch as soon as possible. Anything else is a temporary solution like sticky tape.

Is there anything else we should be doing?
Yes. It’s obviously a good thing if you’ve patched your systems, but that will not undo any damage that might already have been caused if you were already compromised.

You should also attempt to identify whether your organisation has already been breached, and hackers have gained a foothold.

Microsoft has released a tool that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities.

Is there anywhere I can find out more?
I strongly recommend that you check out Microsoft’s security advisory and blog post.

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive and alert addressing several critical vulnerabilities recently found in Microsoft Exchange products.

Microsoft confirmed the existence of multiple flaws in Microsoft Exchange Server last week, when it rolled out several security updates following reports of targeted attacks.

“Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem,” Microsoft said at the time.

Exploitation of these vulnerabilities can allow a malicious actor to access on-premises Exchange servers and gain persistent access and control of an enterprise network.

CISA recommends organizations examine their systems for any malicious activity as detailed in Alert AA21-062A. To do so, IT admins can consult the handy list of tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity provided in the alert.

Microsoft itself has also rolled out an IOC Detection Tool for the newest Exchange Server vulnerabilities. The tool leverages an updated script that scans Exchange log files for indicators of compromise associated with the vulnerabilities disclosed last week.

Affected products include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.

As Microsoft noted last week, the vulnerabilities in question are used as part of an attack chain, meaning some mitigations only protect against some attack vectors.

“Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file,” Microsoft warned last week.

To that end, CISA reasserts that IT administrators must thoroughly examine their systems for the TTPs and use the IOCs to detect any malicious activity.

“If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert,” CISA says.

Fraudsters aiming to steal login credentials from AOL users are sending phishing emails that threaten recipients with account closures unless they confirm their email addresses and passwords.

The AOL phishing campaign was noticed on February 23, according to Bitdefender Antispam Lab.

Like previous email-based phishing campaigns, cybercriminals use scare tactics and subject lines ranging from “account shutdown” and”final warning” notifications.

In some versions of the scams, the threat actor provides a 24-hour window for users to verify their account credentials or risk becoming unable to receive or send emails.

Although most of the emails lack sophistication, some AOL users may still be tempted to access the fraudulent links and unwittingly give their passwords to cybercriminals.

“The password to your email is expiring today,” one of the fake emails reads. “You are required to use below to re-confirm password otherwise access to your mailbox will be denied.”

In a different version, fraudsters warn users that they have exceeded their Inbox storage and urge them to upgrade their accounts free of charge.

How to protect against phishing emails

One of the first steps when dealing with phishing attacks is to analyze the sender’s email address and the corresponding message. Phishing emails often create a sense of urgency, based on the widespread belief that most users tend to delay or postpone particular tasks – updating and verifying account credentials and passwords.

As a rule of thumb, be cautious of all communications labeled as urgent that ask you to “act now” or lose access to your account.

Do yourself a favor and head to the official website and check for news or updates, and never access the link provided in the email.

If you’re suspicious or know that you’ve entered your login credentials onto a suspicious website or link, try to reset your account password. If locked out from your account, contact the service provider for assistance and immediately change any account passwords that shared the same login credentials.

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab.

Security researchers have identified a new malware campaign designed to infect host machines with ObliqueRAT, a remote access Trojan, with the help of malicious Microsoft Office documents.

Infecting email attachments, usually Microsoft Office docs, is a favorite tactic of attackers. It’s a simple method, and it works, but even these methods change from time to time. Catching infected attachments is not difficult for security solutions, so attackers must develop ways to circumvent cybersecurity software.

Instead of delivering infected docs, the attackers changed to the way they deploy the ObliqueRAT malware eventually. Instead of dropping the required files from the infected attachment, the new method relies on redirecting the user to click on a malicious link, leading to a valid BMP image. 

“This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” say the Cisco Talos researchers. “Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms. While file-signature and network-based detection is important, it can be complemented with system behavior analysis and endpoint protections for additional layers of security.”

Attackers first have to achieve persistence, which they do by adding a shortcut to the malicious URL into Windows startup. The image hosted on the website also contains executable bytes hidden in the image data bytes, allowing attackers to deploy the trojan. It’s a deployment technique named “steganography,” and while it’s not new, it’s yet another layer of obfuscation attackers use to try to evade security solutions.

ObliqueRAT is clearly becoming more complex with each iteration. Now, the malware campaign is growing as well, with threat actors trying hard to avoid detection by adding new obfuscation techniques. It’s an ongoing process, and they will likely continue with new techniques and change their M.O to try to stay ahead of the game.

Microsoft has revealed a new state threat actor, named Hafnium, that’s been exploiting previously unknown zero-day vulnerabilities in the on-premises Exchange Server software.

A zero-day vulnerability is always a serious matter and usually a good-enough reason for companies to quickly address it with a patch. Microsoft found not one, but four such vulnerabilities in their Microsoft Exchange Server 2013, 2016 and 2019 solutions. The company released a so-called out-of-band update, meaning it was outside of the regular schedule.

Finding out about multiple zero-day vulnerabilities in a single product, with exploits in the wold, is an uncommon occurrence. When something like this happens, it’s usually the product of a major threat actor, often at the behest of nation-states.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” said Microsoft. “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

“The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server,” explained Microsoft.

The company attributed the campaign to a group they named HAFNIUM, which was assessed to be state-sponsored and operating out of China. The APT’s primary targets are in the United States but it has no preference for a particular industry, targeting infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

Their methods are not unlike what’s been observed before as the group uses stolen credentials or undiscovered vulnerabilities to pose as legitimate users. Once the hackers are in, they create a web shell to control the compromised server remotely. After they secure access to the network’s infrastructure, they begin stealing data.

While the company did issue patches to close the vulnerabilities, not all customers will be quick to install them. Microsoft warned users that, now with the vulnerabilities exposed, the group will likely intensify its attacks and hit companies before they have a chance to patch up their infrastructure.

This Monday, Google revealed fixes for 37 Android vulnerabilities, including one critical security flaw found in the System component.

The announcement is part of Google’s 2021 Android Security Bulletin covering the operating system’s security patches.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” Google explained.

One of the most significant fixes this month regards CVE-2021-0397, a critical vulnerability affecting Android 8.1, 9, 10 and 11 that could allow remote attackers to execute arbitrary code on a device using a specially crafted transmission.

The company also addresses nine other high-severity flaws in the 2021-03-01 security patch level. An additional six security flaws were found in the System component and two affecting the Framework.

The most severe vulnerability in the Framework section “could enable a local attacker with privileged access to gain access to sensitive data,” Google said.

The flaw in Android runtime, tracked as CVE-2021-0395, only affects devices using Android 11 and could allow a “local attacker to execute arbitrary code within the context of a privileged process.”

The second security patch level of 2021-03-05 includes fixes for Kernel components, Qualcomm components and Qualcomm closed-source components.

Although no additional description was provided for the Qualcomm-related security holes, the bulletin did underline the high-severity of the Kernel flaw tracked as CVE-2021-0399.

“The vulnerability in this section could enable a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” the advisory said.

A new zero-day vulnerability has been discovered in the popular web browser Chrome, with Google noting that the flaw is being exploited by malicious actors. Users should install the updated version of the browser containing the patch as soon as possible.

In traditional Chrome-team fashion, the techies maintaining the world’s most popular web browser for desktops are “delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux.”

“This will roll out over the coming days/weeks,” according to the announcement.

But this is not a feature-centric update. Far from it. Chrome 89.0.4389.72 is mostly a maintenance release, containing a “number of fixes and improvements,” all of which are available to Chromium fans in the official log.

Of those fixes and improvements, a considerable number are security fixes – 47 to be exact. And of those, one is for a high-severity bug that Google reckons is already being exploited by bad actors trying to compromise end users.

“Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” according to the announcement.

Reported by Alison Huffman of the Microsoft Browser Vulnerability Research team, CVE-2021-21166 deals with an “object lifecycle issue in audio” components of the browser. Google is keeping a lid on the technicalities. The vulnerability seems to be rooted in two separate bugs, both found by Huffman within a week.

In light of these developments, Chrome users should make updating a priority. To do that, just hit the three-dot button in the top right corner of your browser’s window, go to Settings, choose About Chrome from the sidebar on the left-hand side, and let Chrome fetch your update automatically (if you’re not already up to date). Hit ‘Relaunch’ and you’re done!

As always, keep all your apps and OSes up to date, especially when your vendor pushes out security fixes rated as high-severity or critical.

Stay safe out there!

A common misconception among internet users is that basic cyber hygiene is enough to protect against malicious threats. This couldn’t be more wrong.

Cyber threats are evolving rapidly at the hands of their puppeteers, and it’s impossible for users to hone their cybersecurity skills at the same rate.

Every browsing session and online activity you indulge in could be harmful. It’s easy to get lost in the minefield of unsafe web surfing that exposes users to malware-serving websites and phishing attempts.

Secure browsing experience

Cybercriminals have tailored their attack strategies to every major event and change in the social agendas throughout the year, delivering malicious payloads and defrauding users at an overwhelming rate. These web-based attacks have increased in sophistication and diversified in delivery methods, making it harder for the average user to determine if a website is safe or fake. 

Bitdefender’s web-filtering technology makes sure you don’t land on a malicious website and risk that infects your devices with malware. Web attack prevention checks every website you access for threats, blocking all known infected links and protecting your personal information from cyber thieves.

With the Search Advisor component, you can determine whether your search results are safe to access before clicking any links. Search engine queries and links posted on social media websites are rated, indicating whether they are safe to visit. This web-level protection integrates seamlessly with Bitdefender Windows and Mac security solutions, but it is also available as a free extension for popular browsers such as Firefox, Chrome and Safari.

The TrafficLight extension checks the websites you access for known cyber threats, keeping your devices safe from attacks by info-stealing and file-encrypting malware. Suspicious and phishing websites are blocked, securing your shopping and online banking sessions.

Say no to phishing and fraud attempts

Scammers have set up shop in every corner of the internet, expanding their social engineering techniques to manipulate their targets into providing sensitive information and money.

The advanced anti-phishing protection integrated with Bitdefender solutions is designed to keep you out of danger, blocking suspicious websites masquerading as trustworthy entities. Moreover, the anti-fraud filtering system warns you if the websites you visit are trying to scam you, keeping your credit card and personally identifiable information safe. The anti-phishing and anti-fraud filtering systems also extend to social media platforms, so you can rest assured that whatever links your friends and family pass on to you are harmless.

Web protection on smartphones and tablets too

The risks associated with internet browsing are not limited to your Windows or Mac devices. Mobile threats are on the rise, consistent with the growing number of people who use their Android and iOS devices for shopping, online bank services, messaging and social media. Bitdefender Mobile Security filters all internet traffic by scanning webpages for malicious and fraudulent content. It offers real-time protection against all known online threats that could compromise your device and data. You can navigate your way past all malware and fraudulent websites, regardless whether you’re running an iOS or Android smartphone or tablet, with minimum impact on battery performance.

Our cross-platform Bitdefender Total Security solution packs enterprise-grade protection security layers to ensure safe digital encounters. 

Internet scams are everywhere, inflicting billions of dollars in reported losses from victims each year. Anyone can fall for online scams, as tactics are tailored to the interests of all age groups.

Although email phishing and fraudulent websites are not a new threat to the digital community, the attack vectors deployed by scammers have become more diverse and sophisticated.

Let’s take a closer look at some of the most common scams:

Coronavirus-related scams

Some of the most popular scams operating at the moment are closely related to COVID-19 and exploit the health and financial crisis. Vaccination campaigns are underway, so beware of any suspicious messages promoting an easy and fast way for you to receive the vaccine by filling out forms or making advanced payments or paying fees.

Coronavirus-themed emails may also include advertisements for food or food supplements that help cure or prevent infections, a trend that has been around since the beginning of the pandemic. Spoofing technology has allowed scammers to impersonate government agencies and exploit government-issued stimulus payments easily. By applying high-pressure tactics and the promise of expedited payments, scammers have managed to dupe recipients into providing their personal information and bank account numbers or paying a small “processing fees.”

The latest Bitdefender telemetry shows that coronavirus-fueled scams are still going strong. 61.68% of all incoming COVID-19-related correspondence was marked as spam on February 26, showing that spammers and cybercriminals are relentless in their attempts to take advantage of the ongoing pandemic.

A daily dose of spam

Billions of unsolicited emails are sent to inboxes every day. While some may be harmless, consisting of ads from retailers, criminals also use emails in mass-market phishing campaigns. They use social engineering techniques such as clickbait and scare tactics to persuade recipients to access a fraudulent link or malicious attachment.

From jaw-dropping discounts to vacation deals and job offerings, your Inbox has seen its share of fraudulent correspondence throughout the year. While you might be tempted to read the messages, it’s never recommended to click or access links your receive from individuals or companies you don’t know.

Congratulations, you’ve won!

Years of practice on consumers has taught them what topics to exploit as they quickly adapt to social, political and economic changes. For example, some scammers may still push their luck by unleashing lottery scams on the general population. Why does this “ancient” scam continue to pop up in the digital threat landscape?

Because consumers still fall for it. The thrill of winning millions of dollars, a luxury car, or the latest tech gadget clouds their judgment. Before they realize it, the fraudster has swindled them out of thousands of dollars in bogus processing fees, gift card payments or worse – their bank account information or Social Security number.

IRS and Bank-related scams

Tax-related scams and IRS impersonations are also favorites among criminals. Bitdefender telemetry recently picked up a phishing campaign targeting US-tax payers in preparation for the 2021 tax season.

Cyber-thieves have sharpened their impersonation skills by mimicking banks and online payment platforms in their phishing campaigns. Most of the time, they warn recipients of unauthorized access to their account or ask them to update particular details to avoid being locked out. Some messages may also include malicious attachments that, once accessed, deploy financial and data-stealing malware on the device or ransomware.

Be my valentine

We can find anything online, and in some cases, even heartbreak. Between February 22 and 23, Bitdefender telemetry found that more than 20% of incoming spam was related to online dating.

Fraudsters often create fake online profiles and enter digital relationships that end up financially and emotionally draining for the victim. Although social isolation may have boosted the online dating scene, looking for red flags can make a difference. These scammers often target people’s vulnerabilities, creating a fake relationship based on a target’s trusting nature. 

They often suggest switching the online platform to keep in touch with you, asking for your phone number and email address instead. After establishing a sense of trust, the scammer will start asking for financial aid and may even resort to blackmail or extortion to get what they want.

How can you avoid being scammed?

The pandemic-fueled assault on users knows no boundaries, as fraudsters and cybercriminals take advantage of various communications tools in their attempt to dupe recipients, including phone calls, emails, instant messaging and texting.

Even though internet-related scams vary in sophistication, they all boil down to stealing your money and personally identifiable information.

You can protect against online scams and fraud by following these steps:

• Keep your personal and financial information under lock and key – Millions of people fall victim to identity thieves each year. No matter where your internet experiences take you, don’t provide your personally identifiable information, bank account numbers or credit card info via social media, links you received in unsolicited emails or even your bank. Ask yourself: why does this person or entity need this information? If you receive an email, text or phone call from someone claiming to be from your bank, don’t panic and give out your information. Look up the financial institution and contact a bank representative through official channels
• Be wary of individuals who befriend you online – Social media is bustling with fraudulent activity. Don’t overshare information with people you meet, and always exercise caution when sharing details about your financial status, work, family members and friends. If someone contacts you out of the blue and offers you a get-rich-quick speech, it’s a scam
• Be suspicious of ads and promotions on social media platforms – Even if an ad is paid that does not guarantee the offer is legit. Before you get excited and grab your credit card, research the vendor. Stick to reputable and known service providers or retailers, and don’t fall for the too-good-to-be-true deal
• Distrust unusual payment requests – Scammers will ask you to use an unusual payment method when paying for services. Preloaded debit cards, gift cards, or cryptocurrency are an immediate sign of a scam
• Always check for grammar mistakes and the sender’s email address  – If you’re receiving correspondence from a financial institution, government agency or package delivery service that particularly asks for your information and check for spelling mistakes and inconsistencies. Don’t be fooled by official logos or industry-related lingo as cybercriminals have honed their attack methods
• Don’t open attachments – opening attachments you receive from unknown individuals can spread malware, including file-encrypting ransomware. Sometimes the malicious file can be labeled as an urgent unpaid invoice, a travel itinerary, a job description document, or a PDF detailing your next steps
• Don’t enter personal information in pop-up screens – A legitimate agency, company or organization will not ask for your information this way
• Use a security solution with anti-fraud and anti-phishing security layers that protect against scams and phishing attempts while you browse online
• Report any suspicious activity to the social media platform, email services or financial institution

It’s time to tip the scales on online fraud and scams. As a member of the online community, you can help make the internet a safer place by promoting good cyber practices to your friends and family.

UK’s national reporting center for fraud and cybercrime (Action Fraud) is warning citizens to watch out for travel-related fraud following the government’s announcement last week that it would lift travel restrictions.

The UK has been dealing with some of the harshest lockdown restrictions since the coronavirus was declared a pandemic, and many citizens are looking forward to booking a much-needed vacation.

Even if summer holiday vacations may still seem unlikely, easing lockdown restrictions across the globe will usher in a new wave of holiday enthusiasts both at home and overseas.

This highly anticipated announcement is likely to prompt cybercriminals to resume the now-traditional vacation scams that bring in millions each year.

“We are all more eager than ever to go on a holiday and relax with family and friends after the year we’ve all had,” said the head of Action Fraud, Pauline Smith. “However, the surge in holiday bookings provides criminals with an opportunity to defraud innocent people out of a well-deserved break and their hard-earned cash. Criminals are increasingly using more sophisticated ways to trick their victims, which is why it’s important that we all do our research when booking a holiday and making travel arrangements. Remember, if a deal sounds too good to be true, it usually is.”

If you plan to book a holiday, follow these essential guidelines to avoid getting scammed or having your personal and financial information compromised:

• Research before purchasing your holiday through an ad you see on your social media feed. Never rely solely on reviews, as some scammers post fake reviews to boost their credibility
• Stick to legitimate holiday platforms, as fraudsters usually set up fake websites to advertise bogus and too-good-to-be-true offers
• Never pay by wire transfer or cryptocurrency transfers. Use a credit card or your PayPal account to ensure that you can easily dispute any fraudulent charges
• Install a local security solution with anti-fraud and anti-phishing filtering systems to ensure you don’t land on websites trying to scam you
• Be wary of any advertisements asking for additional fees to secure your booking, including airplane tickets, accommodation and sports events
• In case you’re calling a travel agency to book your next trip, don’t provide your credit card information or any sensitive information during the phone call. If the person or agent insists that you give these details or risk forfeiting your spot, it’s a scam