Cyber Security News — Past 24 hours | 29.07.2021

SLIIT CS2
Jul 29, 2021

Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs

An unidentified threat actor has been exploiting a now-patched zero-day flaw in the Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan capable of accessing files stored on compromised Windows systems, and of downloading and executing malicious payloads, as part of an «unusual» campaign.


The Internet Explorer flaw, tracked as CVE-2021-26411, is notable for the fact that it was abused by the North Korea-backed Lazarus Group to target security researchers working on vulnerability research and development.
Earlier this February, South Korean cybersecurity firm ENKI revealed the state-aligned hacking collective had made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer. Microsoft addressed the issue as part of its Patch Tuesday updates for March.


Besides collecting system metadata, the VBA RAT is orchestrated to identify antivirus products running on the infected host and execute commands it receives from an attacker-controlled server, including reading, deleting, and downloading arbitrary files, and to exfiltrate the results of those commands back to the server.

Source — https://thehackernews.com/2021/07/hackers-exploit-microsoft-browser-bug.html

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums

Two new ransomware-as-a-service programs have appeared on the threat radar this month, with one group professing to be a successor to DarkSide and REvil, the two infamous ransomware syndicates that went off the grid following major attacks on Colonial Pipeline and Kaseya over the past few months.


According to Flashpoint, the BlackMatter threat actor registered an account on Russian-language forums XSS and Exploit on July 19, quickly following it up with a post stating they are looking to purchase access to infected corporate networks comprising anywhere between 500 and 15,000 hosts in the U.S., Canada, Australia, and the U.K. and with revenues of over $100 million a year, potentially hinting at a large-scale ransomware operation.

BlackMatter Ransomware

On July 27, the group is said to have begun actively recruiting partners and affiliates using Exploit forum’s Jabber server to promulgate their recruitment message, in which they claim to be looking for experienced penetration testers knowledgeable in Windows and Linux systems as well as initial access suppliers, who would either sell their access or work for a percentage of the profits.

The emergence of BlackMatter coincides with the demise of DarkSide and REvil in the wake of the highly publicized ransomware incidents at Colonial Pipeline, JBS, and Kaseya, raising speculation that the groups may eventually rebrand and resurface under a new identity.

Source — https://thehackernews.com/2021/07/new-ransomware-gangs-haron-and.html

Best Practices to Thwart Business Email Compromise (BEC) Attacks

Business email compromise refers to all types of email attacks that do not carry payloads. Although there are numerous variants, there are essentially two main mechanisms through which attackers penetrate organizations using BEC techniques: spoofing and account takeover attacks.

Process

The finance department in every organization has an expenditure authorization policy in place. This policy establishes clear approval levels for any expenditures/payments to safeguard the company’s assets.
While all expenditures/payments should be part of an approved budget, this policy provides a tool for the finance department to ensure that each payment is authorized by the right individual or individuals based on the amount.

People

All company employees must be trained to recognize what a cybersecurity attack looks like, what to do, and what not to do, and this training should be delivered on an ongoing basis, since the cybersecurity landscape is changing so rapidly.

These types of solutions include:

An anti-spam engine that blocks malicious communications with anti-spam and reputation-based filters.
An anti-phishing engine to detect malicious URLs and prevent any type of phishing attack before it reaches end-users.
An anti-spoofing engine to prevent payload-less attacks such as spoofing, look-alike domains, and display name deception.
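As an added defender-side illustration (not code from the article or from any product it names), here is a small Python check that flags the last two payload-less indicators, look-alike domains and display-name deception, on the From: header of a message; the organisation domain and executive list are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed organisation data for this example (not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox


def normalise_domain(domain: str) -> str:
    """Fold substitutions commonly used to build look-alike domains."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, small enough to inline for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_from_header(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one message's From: header."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = []

    # Look-alike domain: not ours, but folds to ours or sits within two edits of it.
    if domain and domain != ORG_DOMAIN:
        folded = normalise_domain(domain)
        if folded == ORG_DOMAIN or edit_distance(folded, ORG_DOMAIN) <= 2:
            findings.append(f"lookalike-domain:{domain}")

    # Display-name deception: an executive's name on a foreign mailbox, or one of
    # our own addresses placed in the display name of a foreign mailbox.
    name = " ".join(display.lower().split())
    if name in EXECUTIVES and address.lower() != EXECUTIVES[name]:
        findings.append(f"display-name-deception:{address}")
    elif "@" + ORG_DOMAIN in display.lower() and domain != ORG_DOMAIN:
        findings.append(f"display-name-deception:{address}")
    return findings
```

Such a check belongs at the gateway as one signal among others; a legitimate partner whose domain happens to sit two edits from yours will need an allow-list entry.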

Final Thoughts

The proficiency of these attacks is why businesses and managed service providers choose to use Acronis Cyber Protection solutions.

Source — https://thehackernews.com/2021/07/best-practices-to-thwart-business-email_29.html

New Android Malware Uses VNC to Spy and Steal Passwords from Victims

Dubbed «Vultur» due to its use of Virtual Network Computing's remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named «Protection Guard,» attracting over 5,000 installations.

Android remote access trojan

Vultur adopts a similar tactic in that it takes advantage of accessibility permissions to capture keystrokes and leverages VNC’s screen recording feature to stealthily log all activities on the phone, thus obviating the need to register a new device and making it difficult for banks to detect fraud. What’s more, the malware employs ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public internet over secure tunnels, to provide remote access to the VNC server running locally on the phone.

«These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of a command sequence, making it easy for the actor to hit-and-run».

Source — https://thehackernews.com/2021/07/new-android-malware-uses-vnc-to-spy-and.html

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
