Netizen Threat Brief: 20 June 2018 Edition

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. Phishing Email
  2. Vulnerable Cloud Containers
  3. Sneaky Windows malware delivers adware
  4. Invisimole
  5. Firefox fixes critical buffer overflow

1. Phishing Email

Overview

Just recently, Netizen has received a phishing email depicted below:

[Screenshot: phishingblackbar]

From the looks of it, the email appears to be legitimately from Chase. However, further inspection of the link reveals suspicious details:

[Screenshot: phishingblackbar2]

We can see that the link points to a website based out of Chile (as depicted by the .cl domain) and is not actually from Chase Bank.

Recommendations

A phishing email will typically direct the user to a website where they are asked to "update" personal information, such as a password, credit card number, social security number, or bank account number, that the legitimate organization already has.

Here are our recommendations and tips on what to watch out for when it comes to suspicious emails:

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender's address actually belongs to the company the message claims to come from.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not open attachments.
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
  • Be wary of poor spelling, grammar, and formatting.
  • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
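The .cl link in the sample above and the recommendation to verify the URL and its HTTPS scheme can be turned into a small check. The following is an added example (not Netizen's code): it parses a link, works out its registrable domain, and reports the red flags an analyst would look for. The brand allowlist, the short public-suffix table, and the sample links are constructed for illustration; a production version should use the full Public Suffix List.

```python
"""Check whether a link in an e-mail really belongs to the brand it claims to be from.

Added example for this brief (not Netizen's code). The allowlist and sample links
are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allowlist: brand -> registrable domains it legitimately uses.
EXPECTED_DOMAINS = {
    "chase": {"chase.com", "jpmorganchase.com"},
}

# Two-label public suffixes handled by this toy check (assumption for the example;
# real deployments should consult the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain, e.g. 'login.chase.com' -> 'chase.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, brand: str) -> dict:
    """Classify a link that claims to be from `brand`.

    Returns the parsed host, its registrable domain, the top-level domain, whether
    HTTPS is used, and a list of red flags found (empty list means nothing suspicious).
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    apex = registrable_domain(host) if host else ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    flags = []

    if parsed.scheme != "https":
        flags.append("no-https")
    if apex not in EXPECTED_DOMAINS.get(brand, set()):
        flags.append(f"domain-mismatch:{apex}")
        # The brand name appearing in the host or path while the registrable domain
        # is someone else's is the classic lookalike pattern.
        if brand in host or brand in parsed.path.lower():
            flags.append("brand-lookalike")
        # A two-letter country-code TLD on a mismatched domain (the .cl case above).
        if len(tld) == 2:
            flags.append(f"cctld:{tld}")
    return {"host": host, "apex": apex, "tld": tld,
            "https": parsed.scheme == "https", "flags": flags}


def is_suspicious(url: str, brand: str) -> bool:
    """True when any red flag was raised for the link."""
    return bool(inspect_link(url, brand)["flags"])


if __name__ == "__main__":
    # Constructed sample links: one legitimate, one imitating the .cl link from the brief.
    for link in ("https://secure.chase.com/web/auth/",
                 "http://chase.online-verify.example.cl/chase/login"):
        print(link, "->", inspect_link(link, "chase"))
```

The decisive signal is the registrable domain, not the presence of the brand name or a padlock: a lookalike host can carry HTTPS and still belong to someone else, which is why the check reports the domain mismatch separately from the scheme.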

2. Vulnerable Cloud Containers

Overview

As cloud services develop and the technologies behind them progress, so do the risks of using them. Around 22,000 cloud containers and application programming interface (API) management systems have been found unprotected, or publicly reachable on the Internet. Containers are a form of Infrastructure-as-a-Service (IaaS) that offers operating-system-level virtualization, which is more efficient than typical hardware virtualization. The containers discovered had poorly configured resources, no credentials, and used non-secure protocols. As a result of these poor practices and security measures, attackers would be able to remotely access company infrastructure and install, remove, or encrypt any application the organization runs in the cloud.

Recommendations

We recommend the following mitigations:

  • Secure containers with complex and strong passwords.
  • Utilize secure protocols (SSL/TLS).
  • Scan container images and registries to search for security flaws within them.
  • Monitor data that flows in and out of containers to search for any suspicious activity.
  • Encrypt data, when in transit and when at rest.
  • Keep your systems up to date.
  • Limit user access to administrative privileges to only those that need it.
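The exposure pattern in the overview (a container management API reachable over the network with no credentials and no TLS) is easy to spot in a Docker daemon configuration. The following is an added example, not Netizen's tooling: it audits a `daemon.json` document for a TCP listener that is served in plaintext or without client-certificate verification. The two sample configurations are constructed; the keys used (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are the standard Docker daemon options.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated management API.

Added example for this brief (not Netizen's or Docker's code). Both sample
configurations below are constructed for illustration.
"""
import json

# Constructed: the weak pattern, the API in plaintext on every interface.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Constructed: the corrected form, the TCP listener behind mutual TLS
# (tlsverify requires every client to present a certificate signed by the CA).
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(text: str) -> list:
    """Return a list of findings (strings) for a daemon.json document; [] means clean."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket: nothing exposed over the network
    tls = bool(cfg.get("tls"))
    tlsverify = bool(cfg.get("tlsverify"))
    for h in tcp_hosts:
        if not tls and not tlsverify:
            findings.append(f"{h}: API served in plaintext (no tls)")
        elif not tlsverify:
            findings.append(f"{h}: TLS without client-certificate verification (tlsverify false)")
    if tls or tlsverify:
        # TLS is switched on but the material it needs is not configured.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"missing {key} while TLS is enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_daemon_config(cfg) or ["no findings"])
```

A plaintext `tcp://` listener gives anyone who can reach the port full control of the host's containers, so the check treats it as the most serious finding; TLS without `tlsverify` encrypts the traffic but still accepts any client, which is why it is reported separately.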

3. Sneaky Windows Malware Delivers Adware

Overview

A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines' desktops. Discovered by researchers at Bitdefender, the malware has been named Zacinlo, after the final payload delivered by the campaign, which first appeared in 2012.

The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

What makes Zacinlo so unusual is that it is delivered by a rootkit, a malicious form of software that can manipulate the operating system and any installed anti-malware in such a way as to make the computer oblivious to the malware's existence. Rootkit-based malware is complex and is therefore rare, accounting for less than one percent of all malware.

Once downloaded, the fake application pretends to act as a VPN but does nothing except serve as a delivery mechanism for the malware, which uses the rootkit to download files and eventually deliver the final Zacinlo payload.

The main goal of Zacinlo is to deliver adware, injecting adverts developed by the attackers into webpages the user visits and secretly clicking through to them to generate ad revenue. Popular browsers including Edge, Internet Explorer, Firefox, Chrome, Opera, and Safari can all be used to drive the adware.

Ironically, in order to ensure it can carry out its goal, the malware can also clean up any other adware the victim device may be infected with.

Zacinlo is extremely persistent, secretly going about its business until it is told to stop by those running the command and control server — but using the computer to generate ad fraud isn’t the only threat posed by the malware.

The malware is stealthy, but it can be detected if the system is scanned in safe mode.

Recommendations

  • Never download attachments without knowing where they have originated.
  • Alert your Information Security staff if you suspect advertisements are appearing on unusual sites.

4. Invisimole

Overview

Security researchers have recently discovered a sophisticated cyber-espionage malware tool dubbed Invisimole. This malware allows attackers to turn ordinary PCs into full-fledged spying devices: it can remotely switch on the microphone or video camera of the compromised machine, allowing the attacker to listen in on and record conversations near the infected computer. It can also take screenshots of applications running in the background and even scan nearby wireless networks to geolocate the victim.

Recommendations

  • Ensure recent updates and patches are applied to the operating system, internet browsers, and any addon plugins.
  • Remove old and outdated software that is no longer in use.
  • Be vigilant when reading emails, and do not download and run attachments from suspicious emails.
  • Ensure the use and frequent updating of firewalls, antivirus, and anti-malware technology.

5. Firefox Fixes Critical Buffer Overflow

Overview

Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR), as well as the legacy ESR (ESR 52.8.1), now carry a fix for a critical-level buffer overflow vulnerability.

The buffer overflow bug occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.

Skia is used for rendering and rasterizing images and text, and the researcher who reported the bug, Ivan Fratric, found that an attacker could trigger a buffer overflow during the rasterization process by using a malicious SVG image file with anti-aliasing turned off. The Mozilla advisory says this buffer overflow could result in "a potentially exploitable crash."

The fixed versions of Firefox became available on 6 June, so if you’ve run your browser lately, the chances are it’s already patched.

Recommendations

  • To be sure though, check which version of the browser you are running — in Firefox on Windows, go to Help and select About Firefox; on a Mac, open the Firefox menu and select About Firefox.
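When the version check above has to be repeated across a fleet, the comparison is worth writing down once, because the two ESR lines have different fixed versions. The following is an added example, not Mozilla's or Netizen's code: it parses a reported Firefox version string and decides whether it carries the MFSA2018-14 fix using the numbers from the advisory quoted above (60.0.2 for Firefox and Firefox ESR 60, 52.8.1 for legacy ESR 52). The rule that releases between the two lines (53 to 59) never received this fix, and the sample inventory, are assumptions for the example.

```python
"""Decide whether a reported Firefox version carries the MFSA2018-14 fix.

Added example for this brief (not Mozilla's or Netizen's code). Fixed versions are
the ones named in the advisory; the inventory below is constructed.
"""
import re

FIXED_ESR52 = (52, 8, 1)   # legacy ESR line
FIXED_60 = (60, 0, 2)      # Firefox and Firefox ESR 60


def parse_version(text: str) -> tuple:
    """'60.0.2esr' -> (60, 0, 2); missing components are treated as 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def has_mfsa2018_14_fix(version: str) -> bool:
    """True when the version is at or above the fixed release of its line."""
    v = parse_version(version)
    if v[0] == 52:
        return v >= FIXED_ESR52
    if v[0] >= 60:
        return v >= FIXED_60
    # Assumption for this example: 53-59 and anything older than 52 never got the fix.
    return False


def unpatched_hosts(inventory: dict) -> list:
    """Given {hostname: version string}, return the hosts still needing the update."""
    return sorted(h for h, ver in inventory.items() if not has_mfsa2018_14_fix(ver))


if __name__ == "__main__":
    # Constructed inventory of reported versions.
    sample = {
        "ws-01": "60.0.2",
        "ws-02": "60.0.1",
        "ws-03": "52.8.1esr",
        "ws-04": "52.8.0esr",
        "ws-05": "59.0.3",
    }
    print("needs update:", unpatched_hosts(sample))
```

Note that a plain "is the version at least 60.0.2" test would wrongly flag every ESR 52.8.1 install as vulnerable; the per-line comparison is what makes the check correct for both support channels.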

How can Netizen help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular "CISO-as-a-Service", through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and other security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
