Key cybersecurity problems expected to mark 2021

After a year in which COVID-19 upended the way we live, work and socialize, we are likely to see an increased threat from ransomware and fileless malware in 2021, according to ESET.

cybersecurity problems 2021

Trend 1: The future of work – embracing a new reality

The advent of the pandemic has ushered in mass implementation of remote working, which has seen a heavier reliance on technology than ever before. This shift away from the office has brought benefits for employees, but it has also left companies’ networks vulnerable to attack.

Jake Moore, ESET Security Specialist, commented, “We have all learned that working remotely can benefit organizations; however, I don’t think that we will continue to work remotely five days a week. More employees around the world will naturally and effortlessly migrate to what works for them and their businesses. As more and more of our working and home lives become digitized, cybersecurity will remain the lynchpin of business safety. Cyberattacks are a persistent threat to organizations, and businesses must build resilient teams and IT systems to avoid the financial and reputational consequences of such an attack.”

Trend 2: Ransomware with a twist – pay up or your data gets leaked

With ransomware attackers seeking greater leverage to coerce victims into paying, as well as upping the ante in ransom demands, the stakes are increasing for victims. Exfiltration and extortion may not be new techniques, but they are certainly growing trends.

Tony Anscombe, Chief Security Evangelist, ESET, commented, “Companies are becoming smarter, deploying technologies that thwart attacks and creating resilient backup and restore processes, so the bad actors need a ‘Plan B’ to be able to monetize their effort and build resilience into the attack, rather than being reliant on a single form of threat.

“Thwarted attacks or diligent backup and restore processes may no longer be enough to fend off a committed cybercriminal who’s demanding a ransom payment. The success in monetizing due to a change of technique offers cybercriminals an increased chance of a return on investment. This is a trend that, unfortunately, I am sure we will witness more of in 2021.”

Trend 3: Beyond prevention – keeping up with the shifting sands of cyberthreats

In recent years, cybercriminal groups have turned to using increasingly complex techniques to deploy highly targeted attacks. Some time ago, the security community began to talk about fileless malware attacks, which piggyback on the operating system’s own tools and processes and leverage them for malicious purposes.

These techniques have gained more traction recently, having been employed in various cyberespionage campaigns and by various malicious actors, mainly to hit high-profile targets such as government entities.

“Fileless threats have been evolving rapidly, and it is expected that in 2021 these methods will be used in increasingly complex and larger-scale attacks. This situation highlights the need for security teams to develop processes leveraging tools and technologies that not only prevent malicious code from compromising computer systems, but that also have detection and response capabilities – even before these attacks fulfill their mission, said Camilo Gutiérrez Amaya, Senior Security Researcher, ESET.

Trend 4: Bad vibes – security flaws in smart sex toys

With new models of smart toys for adults entering the market all the time, research has shown that we are a long way from being able to use smart sex toys without exposing ourselves to the risk of a cyberattack. Now these findings are more relevant than ever, as we are seeing a rapid rise in sex toy sales as a reflection of a global health crisis and the social distancing measures related to COVID-19.

Cecilia Pastorino, ESET Security Researcher, commented, “The era of smart sex toys is just beginning. The latest advances in the industry include models with VR capabilities and AI-powered sex robots that include cameras, microphones and voice analysis capabilities based on artificial intelligence techniques. As has been proven time and time again, secure development and public awareness will be key to ensuring the protection of sensitive data, while we empower users to become smart consumers who are able to demand better practices from vendors in order to maintain control of their digital intimacy in the years to come.”

Researchers discover POS backdoor targeting the hospitality industry

ESET researchers have discovered ModPipe, a modular backdoor that gives its operators access to sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS (point-of-sale) – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide.

POS backdoor targeting hospitality industry

The majority of the identified targets were from the United States.

Containing a custom algorithm

What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.

Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.

“However, based on the documentation of RES 3700 POS, the attackers should not be able to access some of the most sensitive information – such as credit card numbers and expiration dates – which is protected by encryption. The only customer data stored in the clear and thus available to the attackers should be cardholder names,” cautions ESET researcher Martin Smolár, who discovered ModPipe.

“Probably the most intriguing parts of ModPipe are its downloadable modules. We’ve been aware of their existence since the end of 2019, when we first found and analyzed its basic components,” explains Smolár.

POS backdoor targeting hospitality industry

Downloadable modules

  • GetMicInfo targets data related to the MICROS POS, including passwords tied to two database usernames predefined by the manufacturer. This module can intercept and decrypt these database passwords, using a specifically designed algorithm.
  • ModScan 2.20 collects additional information about the installed MICROS POS environment on the machines by scanning selected IP addresses.
  • ProcList with main purpose is to collect information about currently running processes on the machine.

“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market,” adds Smolár.

What can you do?

To keep the operators behind ModPipe at bay, potential victims in the hospitality sector as well as any other businesses using the RES 3700 POS are advised to:

  • Use the latest version of the software.
  • Use it on devices that run updated operating system and software.
  • Use reliable multilayered security software that can detect ModPipe and similar threats.

Every employee has a cybersecurity blind spot

80% of companies say that an increased cybersecurity risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.

cybersecurity blind spot

This is according to Cyberchology: The Human Element, a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:

  • Cybercrime has increased by 63% since the COVID-19 lockdown was introduced
  • Human error has been the biggest cybersecurity challenge during the COVID-19 pandemic, according to CISOs
  • Just a quarter of businesses consider their remote working strategy effective
  • 47% of people are concerned about their ability to manage stress during the coronavirus crisis

Cyberchology research investigates the attitudes of 2,000 consumers and over 100 Chief Information Security Officers in the UK, with psychological research examining the link between cybersecurity, personality, and stress in a virtual world.

The report found that 75% of companies say that half of their business is being undertaken by employees who are now working remotely – but weren’t doing so before COVID-19, showing a highly dispersed current workforce.

With CISOs reporting a 63% increase in cybercrime since the lockdown began, and remote working here to stay for many employees, businesses are more at risk than ever.

Meanwhile, the report found that over two thirds of consumers were concerned about their cybersecurity but didn’t know what to do about it, and nearly half of respondents were concerned about their ability to manage stress during the pandemic.

Stress affects different personality types in different ways, meaning that each individual employee has their own specific blind spot when it comes to cybersecurity. As the pandemic has raised stress levels, staff members may be more likely to panic and click on a malicious link, or fail to report a security breach to the IT team, depending on their personality type.

The paper therefore encourages businesses to implement a holistic cybersecurity strategy that takes individual personalities into account.

“Remote working has brought greater flexibility to the workforce, but has also dramatically altered business processes and systems. The combination of fractured IT systems, a lack of central security, the sudden shift to home working, and a global climate of stress and concern is a perfect breeding ground for a successful cyberattack. The fact that only a quarter of businesses have faith in their own remote working strategy is shocking, and shows there is much work to be done to secure working from home,” said Jake Moore, Cybersecurity Specialist, ESET.

John Hackston, Head of Thought Leadership at The Myers-Briggs Company, commented: “Cybersecurity has long been thought of as the responsibility of IT departments alone, but in order to build a holistic cybersecurity strategy that accounts for the human factor, IT and HR departments must work together. Using psychometric testing and self-awareness tools, HR can help to identify the makeup of teams and pinpoint potential vulnerabilities. IT teams can use this insight to create comprehensive security protocols and a proactive cyber strategy to stay one step ahead of potential threats.”

Microsoft and partners cut off key Trickbot botnet infrastructure

Two weeks after someone (allegedly the US Cyber Command) temporarily interrupted the operation of the infamous Trickbot botnet, a coalition of tech companies headed by Microsoft has struck a serious blow against its operators.

Trickbot botnet

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft.

About Trickbot and the Trickbot botnet

Trickbot, which dates back to 2016, was originally a banking trojan, but due to its modular nature it is now capable of much more: gathering saved and entered credentials, browser histories, network and system information, installing a backdoor, harvesting email addresses, running various commands on a Windows domain controller to steal Active Directory credentials, launching brute force attacks against selected Windows systems running a RDP connection exposed to the Internet, and downloading and loading ransomware on the infected computer.

The malware is often delivered through spam and spear phishing campaigns, and occasionally through the Emotet botnet.

“In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that ‘the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world’,” Symantec (Broadcom) researchers noted.

“Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives,” Burt explained, and noted that beyond infecting end user computers, Trickbot has also infected a number of IoT devices, such as routers.

Disruption attempts

Since late September, Trickbot has been hit twice by (then-unknown) attackers.

According to Brian Krebs, they first pushed out a new configuration file to Windows computers infected with Trickbot, instructing them to consider 127.0.0.1 (a “localhost” address) their new control server.

A week later, they did it again, but at the same time, “someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records,” apparently in an attempt to “dilute the Trickbot database and confuse or stymie the Trickbot operators.”

These efforts, which were subsequently revealed to have been mounted by the US Cyber Command, did not permanently affect the botnet.

But the technical and legal efforts lead by Microsoft and supported by FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec division are expected to considerably affect the botnet’s operation.

After gathering enough information about the botnet’s operation and C&C servers, Microsoft went to the United States District Court for the Eastern District of Virginia, which then court granted approval for Microsoft and partners to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

The operation will be followed by further action by ISPs and CERTs around the world, who will attempt to reach Trickbot victims and help them remove the malware from their systems.

“This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt pointed out.

“While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted,” the Black Lotus Labs team noted.

Surge in unique clients reporting brute-force attack attempts

There’s a significant uptick in the number of unique clients who have reported brute-force attack attempts, ESET reveals.

brute-force attack attempts

Trend of RDP attack attempts against unique clients (per day) detected by ESET

The trend has been observed since the onset of the global pandemic. The COVID-19 crisis has radically changed the nature of everyday work, forcing employees to manage large parts of their jobs via remote access.

Cybercriminals exploiting remote work

Cybercriminals – especially ransomware operators – are aware of the shift and attempt to exploit the new opportunities and increase their illicit earnings. In the period between January 2020 and May 2020, the United States, China, Russia, Germany and France topped the list of countries with most IPs used for brute-force attacks.

“Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department. But the coronavirus pandemic has brought a major shift to the status quo.

“Today, a huge proportion of ‘office’ work occurs via home devices, with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers,” explains Ondrej Kubovič, ESET Security Research & Awareness Specialist.

“Despite the increasing importance of RDP, as well as other remote access services, organizations often neglect its settings and protection. Employees use easy-to-guess passwords, and without additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems,” Kubovič continues.

According to telemetry, most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary.

RDP has become a popular attack vector

RDP has become a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals often brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions, and then run ransomware to encrypt crucial company data.

However, other malicious actors try to exploit poorly secured RDP to install coin-mining malware or create backdoors, which can be used in case their unauthorized RDP access has been identified and closed.

How do I select a mobile security solution for my business?

The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets.

To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.

In order to select a suitable mobile security solution for your business, you need to consider a lot of factors. We’ve talked to several industry professionals to get their insight on the topic.

Liviu Arsene, Global Cybersecurity Analyst, Bitdefender

select mobile security solutionA business mobile security solution needs to have a clear set of minimum abilities or features for securing devices and the information stored on them, and for enabling IT and security teams to remotely manage them easily.

For example, a mobile security solution for business needs to have excellent malware detection capabilities, as revealed by third-party independent testing organizations, with very few false positives, a high detection rate, and minimum performance impact on the device. It needs to allow IT and security teams to remotely manage the device by enabling policies such as device encryption, remote wipe, application whitelisting/blacklisting, and online content control.

These are key aspects for a business mobile security solution as it both allows employees to stay safe from online and physical threats, and enables IT and security teams to better control, manage, and secure devices remotely in order to minimize any risk associated with a compromised device. The mobile security solution should also be platform agnostic, easily deployable on any mobile OS, centrally managed, and allow users to switch from profiles covering connectivity and encryption (VPN) settings based on the services the user needs.

Fennel Aurora, Security Adviser at F-Secure

select mobile security solutionMaking any choice of this kind starts from asking the right questions. What is your company’s threat model? What are your IT and security management capabilities? What do you already know today about your existing IT, shadow IT, and employees bring-your-own-devices?

If you are currently doing nothing and have little IT resources internally, you will not have the same requirements as a global corporation with whole departments handling this. As a farming supplies company, you will not face the same threats, and so have the same requirements, as an aeronautics company working on defense contracts.

In reality, even the biggest companies do not systematically do all of the 3 most basic steps. Firstly, you need to inventory your devices and IT, and be sure that the inventory is complete and up-to-date as you can’t protect what you don’t know about. You also need at minimum to protect your employees’ devices against basic phishing attacks, which means using some kind of AV with browsing protection. You need to be able to deploy and update this easily via a central tool. A good mobile AV product will also protect your devices against ransomware and banking trojans via behavioral detection.

Finally, you need to help people use better passwords, which means helping them install and start using a password manager on all their devices. It also means helping them get started with multi-factor authentication.

Jon Clay, Director of Global Threat Communications, Trend Micro

select mobile security solutionMany businesses secure their PC’s and servers from malicious code and cyber attacks as they know these devices are predominately what malicious actors will target. However, we are increasingly seeing threat actors target mobile devices, whether to install ransomware for quick profit, or to steal sensitive data to sell in the underground markets. This means is that organizations can no longer choose to forego including security on mobile devices – but there are a few challenges:

  • Most mobile devices are owned by the employee
  • Most of the data on the mobile device is likely to be personal to the owner
  • There are many different device manufacturers and, as such, difficulties in maintaining support
  • Employees access corporate data on their personal devices regularly

Here are a few key things that organizations should consider when looking to select a mobile security solution:

  • Lost devices are one reason for lost data. Requiring users to encrypt their phones using a passcode or biometric option will help mitigate this risk.
  • Malicious actors are looking for vulnerabilities in mobile devices to exploit, making regular update installs for OS and applications extremely important.
  • Installing a security application can help with overall security of the device and protect against malicious attacks, including malicious apps that might already be installed on the device.
  • Consider using some type of remote management to help monitor policy violations. Alerts can also help organizations track activities and attacks.

Discuss these items with your prospective vendors to ensure they can provide coverage and protection for your employee’s devices. Check their research output to see if they understand and regularly identify new tactics and threats used by malicious actors in the mobile space. Ensure their offering can cover the tips listed above and if they can help you with more than just mobile.

Jake Moore, Cybersecurity Specialist, ESET

select mobile security solutionCompanies need to understand that their data is effectively insecure when their devices are not properly managed. Employees will tend to use their company-supplied devices in personal time and vice versa.

This unintentionally compromises private corporate data, due to activities like storing documents in unsecure locations on their personal devices or online storage. Moreover, unmanaged functions like voice recognition also contribute to organizational risk by letting someone bypass the lock screen to send emails or access sensitive information – and many mobile security solutions are not fool proof. People will always find workarounds, which for many is the most significant problem.

In oder to select the best mobile security solution for your business you need to find a happy balance between security and speed of business. These two issues rarely go hand in hand.

As a security professional, I want protection and security to be at the forefront of everyone’s mind, with dedicated focus to managing it securely. As a manager, I would want the functionality of the solution to be the most effective when it comes to analyzing data. However, as a user, most people favor ease of use and convenience at the detriment of other more important factors.

Both users and security staff need to be cognizant of the fact that they’re operating in the same space and must work together to strike the same balance. It’s a shared responsibility but, importantly, companies need to decide how much risk they are willing to accept.

Anand Ramanathan, VP of Product Management, McAfee

select mobile security solutionThe permanent impact of COVID-19 has heightened attacker focus on work-from-home exploits while increasing the need for remote access. Security professionals have less visibility and control over WFH environments where employees are accessing corporate applications and data, so any evaluation of mobile security should be based on several fundamental criteria:

  • “In the wild security”: You don’t know if or how mobile devices are connecting to a network at any given time, so it’s important that the protection is on-device and not dependent on a connection to determine threats, vulnerabilities or attacks.
  • Comprehensive security: Malicious applications are a single vector of attack. Mobile security should also protect against phishing, network-based attacks and device vulnerabilities. Security should protect the device against known and unknown threats.
  • Integrated privacy protection: Given the nature of remote access from home environments, you should have the ability to protect privacy without sending any data off the device.
  • Low operational overhead: Security professionals have enough to do in response to new demands of supporting business in a COVID world. They shouldn’t be obligated to manage mobile devices differently than other types of endpoint devices and they shouldn’t need a separate management console to do so.

Magecart attackers hit Claire’s, Intersport web shops

Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.

Magecart Claire's Intersport

Claire’s

The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.

The skimmer was served from a domain made to look like it might belong to the company (claires-assets.com), and it was added to the two online stores between April 25th and 30th.

“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the researchers pointed out.

“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”

How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it. In fact, they registered the malicious domain a day after Claire’s announced that they will be temporarily close all of their brick and mortar stores due to COVID-19.

Intersport

ESET researchers have pointed out the compromise of Intersport’s web store and said that the company fixed the issue within several hours of ESET letting them know.

Sansec researchers say that an initial hack happened on Apr 30th and then another one on May 14th:

Only the localized Intersport web shops serving customers from the Balkans region have been compromised.

What now?

It is still unknown how long the skimmers went unnoticed.

None of the compromised web shops sport a prominent notification about the breach and payment card info theft. Claire’s notified the payment card networks and law enforcement, and let’s hope they will contact affected customers directly once they determine the extent of the compromise and theft.

Companies should have protections in place to notice this and other types of breaches soon after they happen, but unfortunately many don’t.

If you’re paying for your purchases with payment cards – whether online or in physical stores – you should regularly check your account statements for unauthorized charges and report them quickly.

Multiple vulnerabilities discovered in smart home devices

ESET researchers found serious security vulnerabilities in three different home hubs: Fibaro Home Center Lite, HomeMatic Central Control Unit (CCU2) and eLAN-RF-003.

vulnerabilities smart home

Some of the flaws could be misused by an attacker to perform MitM attacks, eavesdrop on the victim, create backdoors, or gain root access to some of the devices and their contents. In worst case scenarios, these issues could even allow attackers to take control over the central units and all peripheral devices connected to them.

The issues have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active.

Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.

“We found that security vulnerabilities in IoT devices are a prevalent issue. Our research also proves that flaws in settings, missing encryption or authentication are not exclusive to low-end cheap devices but are often present in high-end hardware too,” says ESET Security and Awareness specialist Ondrej Kubovič.

Fibaro Home Center Lite

One of the vulnerable devices was Fibaro Home Center Lite: a home automation controller, designed to control a wide variety of peripheral devices in a smart home.

vulnerabilities smart home

A thorough inspection of the device by ESET researchers uncovered a mixture of serious vulnerabilities that could open the door for outside attackers. One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device. After being reported, the issue has promptly been fixed by the manufacturer.

Homematic CCU2

Another device – Homematic CCU2 a central unit of user’s smart home system by eQ-3 – also displayed a serious security flaw during our testing, namely the ability of an attacker to perform unauthenticated remote code execution (RCE) as root user.

vulnerabilities smart home

The flaw had serious security implications, allowing attackers to gain full access to Homematic CCU2 devices and potentially also to connected peripheral devices via numerous shell commands misusing the RCE vulnerability. After being reported, the issue has been fixed by the manufacturer.

eLAN-RF-003

The third vulnerable device was smart RF box eLAN-RF-003 designed as a central unit in a smart home, allowing the user to control a variety of home systems via an application installed on the customer’s devices such as a smartphone, smartwatch, tablet or smart TV.

vulnerabilities smart home

Researchers tested the device together with two peripheral devices from the same manufacturer – wireless dimmable LED bulb and dimmable socket.

The test results showed that connecting the device to the internet or even operating it on one’s LAN could be potentially dangerous for the user due to a number of critical vulnerabilities. These included inadequate command authentication, which allowed all commands to be executed without a login, or radio communication with peripheral devices being vulnerable to record and replay attacks.

The vendor fixed some of the reported vulnerabilities and then focused on development of newer generations of the device.

Cyber crooks continue to exploit COVID-19 for their malicious schemes

A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.

The latest schemes and scams that exploit COVID-19

Proofpoint researchers have observed COVID-19 being used as a pretext in BEC scams:

exploit COVID-19

“BEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that they do not contain the attacker’s end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the attacker will send their true ask. (I need you to buy gift cards, wire transfer funds, etc.),” the researchers explained.

“These coronavirus-themed BEC attacks often come with spoofed display names, which are likely real people known to the recipient. In the body of this message, the actor attempts to eliminate the possibility of voice-verification, in hopes of ensuring a higher success rate, by saying their phone is ‘faulty at the moment.’”

They’ve also spotted an assortment of fake notices impersonating doctors and local health agencies and institutions (aimed at the general population), as well as more targeted emails aimed at enterprises (employees), such as fake internal emails for credential phishing attacks impersonating the organization’s president, IT staff, risk manager, and so on.

Scammers are also trying to make media and advertising companies spread URLs of scammy websites to their audience – they offer money for the placing of the URL in a prominent place (e.g., on top of their most recent YouTube video description).

exploit COVID-19

Malvertising campaigns and extortion

There has also been a spike in malvertising campaigns on coronavirus-themed news stories, delivering malicious Flash Player updates.

ESET researchers have spotted COVID-19-themed extortion emails:

OPIS

The sender is threatening to infect every member of the recipient family’s “with the Coronavirus” if he or she doesn’t deliver $4000. To make the threat more believable, the scammer uses leaked passwords in an attempt to create the impression that they know a lot about the recipient.

SpyCloud researchers have been keeping an eye on popular online criminal forums and have noticed:

  • A threat actor advertising a service in which they craft coronavirus-focused scam letters and scam sites for customers
  • A threat actor sharing instructions for cracking and taking over meal-kit delivery accounts, to take advantage of the fact that many people are ordering food online while attempting to practice social distancing. Another threat actor is offering to sell stolen meal-kit delivery codes.

Finally, with many, many people around the world losing their job due to the current situation, Brian Krebs says that cyber criminals have already started trying to trick them into becoming money mules. The pretext? They would be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

Flaw affecting 1B+ Wi-Fi-enabled devices allows attackers to decrypt wireless network packets

ESET researchers have discovered Kr00k (CVE-2019-15126), a previously unknown vulnerability in Wi-Fi chips used in many client devices, Wi-Fi access points and routers.

CVE-2019-15126

Kr00k is a vulnerability that causes the network communication of an affected device to be encrypted with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt wireless network packets.

About CVE-2019-15126

The discovery of Kr00k follows previous ESET research into the Amazon Echo being vulnerable to KRACKs (Key Reinstallation Attacks). Kr00k is related to KRACK, but is also fundamentally different.

During the investigation into KRACK, ESET researchers identified Kr00k as one of the causes behind the “reinstallation” of an all-zero encryption key observed in tests for KRACK attacks. Subsequent to their research, most major device manufacturers have released patches.

CVE-2019-15126 is particularly dangerous because it has affected over a billion Wi-Fi enabled devices – a conservative estimate.

Kr00k affects all devices with Broadcom and Cypress Wi-Fi chips that remain unpatched. These are the most common Wi-Fi chips used in today’s client devices.

Wi-Fi access points and routers are also affected by the vulnerability, making even environments with patched client devices vulnerable. ESET tested and confirmed that among the vulnerable devices were client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), as well as access points by Asus and Huawei.

ESET responsibly disclosed the vulnerability to the chip manufacturers Broadcom and Cypress, who subsequently released patches. They also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to ensure that all possibly affected parties – including affected device manufacturers using the vulnerable chips, as well as other possibly affected chip manufacturers – were aware of Kr00k. According to their information, devices by major manufacturers have now been patched.

“Kr00k manifests itself after Wi-Fi disassociations – which can happen naturally, for example due to a weak Wi-Fi signal, or may be manually triggered by an attacker,” said Miloš Čermák, the lead ESET researcher into the Kr00k vulnerability.

“If an attack is successful, several kilobytes of potentially sensitive information can be exposed. By repeatedly triggering disassociations, the attacker can capture a number of network packets with potentially sensitive data,” he adds.

More technical details about Kr00k are available here.

Protection against Kr00k attacks

“To protect yourself, as a user, make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, IoT smart devices, and Wi-Fi access points and routers, to the latest firmware version,” said Robert Lipovský, an ESET researcher working with the Kr00k vulnerability research team.

“Of great concern is that not only client devices, but also Wi-Fi access points and routers that have been affected by Kr00k. This greatly increases the attack surface, as an adversary can decrypt data that was transmitted by a vulnerable access point, which is often beyond your control, to your device, which doesn’t have to be vulnerable.”

Enterprise cybersecurity in the Asia-Pacific region

Almost one in five business organizations in the Asia-Pacific (APAC) region experienced more than six security breaches in the past two years, a new ESET enterprise cybersecurity survey has revealed. ESET polled over 1,835 managers and C-level executives working in organizations in a variety of industries in India, China, Hong Kong, Taiwan, Japan, Thailand and Indonesia, and also found that: 91 percent of organizations have a cybersecurity awareness program. The percentage reaches as high as … More

The post Enterprise cybersecurity in the Asia-Pacific region appeared first on Help Net Security.