The SecuriTea News - Issue #7
Every Friday, The Weekly SecuriTEA Report brings you the week’s trending Information Security News. Here's what is new this week:
New Threat Emerging For Critical Infrastructure. Security researchers have discovered a never-seen-before malware threat group that appears to be targeting critical infrastructure organizations in the Middle East. The threat group, named LYCEUM, is using spearphishing emails, which is when a malicious email campaign targets a specific group, with embedded Microsoft Excel attachments to deliver the payload. (For reference, the main difference between spearphishing and phishing is that the former is targeted, whereas phishing attacks are sent to a large number of people for a better chance of success.) Once a victim clicks on the document, which disguises itself as a "security best practice" document, a payload is downloaded that can spread across the company's network, steal credentials and other account information, and install a keystroke logger that allows an attacker to see whatever you type on your device's keyboard. LYCEUM is suspected to have been in operation for over a year without detection. The group first targeted victims in South Africa and has now shifted to the Middle East. There is a growing concern in the community that this threat will shift its focus to the US critical infrastructure industry, posing a threat to the everyday lives of US citizens. More information about this new threat can be found here.
Law Enforcement Takedown Causes Malware To Destroy Itself. A crypto-mining worm, known as Retadup, that was responsible for 850,000 infections of Windows operating systems has been neutralized by a combination of French and U.S. law enforcement. Crypto-mining malware is a program that takes over a computer's resources and uses them for cryptocurrency mining without the owner's consent. The worm was mainly infecting users in Latin America, and researchers became concerned when they found out that the malware was not only using up a victim's resources for mining cryptocurrency, it also pushed additional malware to infected hosts that could take screenshots, steal passwords, and log keystrokes when a victim is entering sensitive information. Luckily, security researchers were able to discover a flaw that allowed the removal of the malware by replacing the infected command server with a new one that would push out the disinfection. This caused the malware on the connected devices to self-destruct without harming the victims' devices.
Google Urges Chrome Users To Update. A high-severity vulnerability was uncovered, and patched, that would allow a remote attacker to execute code to carry out malicious attacks. Similar to attacks we have reported before, this vulnerability involved what is called a "use-after-free" flaw that was found in a program that powers the Google Chrome browser. Use-after-free is a tactic where an attacker attempts to access memory after it is freed, which can cause a program to crash or allow the attacker to execute code. You can learn more about it here.
Successful exploitation of this vulnerability could allow your sensitive information to be obtained, security restrictions to be bypassed, and unauthorized actions to be performed. An update has been released, and if you use the Google Chrome browser it is important to install it right away.
Beware of Entering Your Phone PIN on Legitimate Websites. Typically, when you log in to your mobile carrier's website, such as Verizon, T-Mobile, or Sprint, you enter your username, password and perhaps a code if you have multi-factor authentication set up. A new threat is emerging where malicious actors are injecting malicious code into legitimate websites that prompts a user to enter their phone PIN. Phone PINs are usually set up for verifying your identity when calling in for phone troubleshooting or paying your bill, and can even be set up to unlock your phone. When the PIN is entered on this illegitimate page, threat actors gain access to your PIN and therefore your account. Once the PIN is in their hands, an attacker can assume control of a victim’s telephone number, including all inbound and outbound text and voice communication, and intercept messaging. Researchers are suggesting that in order to mitigate exposure to this malware, organizations should use their available controls to review and restrict access using the indicators of compromise. They also recommend that individuals use time-based one-time password multi-factor authentication (MFA), as opposed to SMS MFA.
And that's a wrap for your Weekly SecuriTea Report. Be sure to check back every week for the latest in Information Security News.