The Good, the Bad and the Ugly in Cybersecurity – Week 28

The Good

This week, a major Business Email Compromise scam targeting Office 365 accounts has been stopped in its tracks. BEC or Email Account Compromise was responsible for the largest share of losses from internet-related crime last year. The fraudsters were using the COVID-19 pandemic as a lure, driving phishing traffic through six internet domains and using malicious web apps to gain access to victims’ Office 365 accounts.

The use of web apps is novel. Rather than using a cloned, phoney login page, the criminals asked the victims to grant the web app consent to access their accounts. Once an account takeover had been accomplished, the attackers used it as part of a scam to convince business leaders to authorize wire transfers to the attackers.
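Because consent phishing never touches a password, the signal defenders have is the consent grant itself. The following is an added example, not code from the original post or from Microsoft, that scores consent-grant audit records for the traits this campaign relied on: an app from an unverified publisher, mailbox-level permissions, and offline_access (a refresh token, so access persists after the victim closes the page). The record layout, the app IDs, the scope names grouped as high impact and the approved-app list are all constructed for illustration and are a simplified stand-in for whatever audit schema your identity provider actually emits.

```python
"""Flag risky OAuth consent grants in constructed audit records.

Added example (not from the original post). The record layout below is a
constructed, simplified schema; it is not the exact Azure AD audit log format.
"""

# Delegated permissions that expose mailbox or file contents: the access a
# BEC operator wants from a consent grant. The grouping is this example's own.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access",
}

# Hypothetical list of app IDs the tenant has reviewed and approved.
APPROVED_APP_IDS = {"00000000-0000-0000-0000-0000000000c3"}

# Constructed sample events (not real log data): a benign calendar app, a
# COVID-themed lure asking for mail access, and an approved CRM.
SAMPLE_EVENTS = [
    {"ts": "2020-07-06T09:12:01Z", "user": "cfo@example.test",
     "app_id": "00000000-0000-0000-0000-0000000000a1",
     "app_name": "Company Calendar", "publisher_verified": True,
     "scopes": ["Calendars.Read"]},
    {"ts": "2020-07-06T09:15:44Z", "user": "cfo@example.test",
     "app_id": "00000000-0000-0000-0000-0000000000b2",
     "app_name": "COVID-19 Relief Form", "publisher_verified": False,
     "scopes": ["Mail.Read", "Mail.Send", "offline_access", "User.Read"]},
    {"ts": "2020-07-06T10:02:10Z", "user": "ap@example.test",
     "app_id": "00000000-0000-0000-0000-0000000000c3",
     "app_name": "Approved CRM", "publisher_verified": True,
     "scopes": ["Mail.Read", "offline_access"]},
]


def consent_risk(event, approved=APPROVED_APP_IDS):
    """Return the reasons one consent grant deserves review (empty list = fine)."""
    reasons = []
    if event["app_id"] in approved:
        return reasons  # reviewed app: sensitive scopes are expected
    granted = set(event.get("scopes", []))
    sensitive = granted & HIGH_IMPACT_SCOPES
    if sensitive:
        reasons.append("sensitive scopes: " + ", ".join(sorted(sensitive)))
    if not event.get("publisher_verified", False):
        reasons.append("unverified publisher")
    if "offline_access" in granted:
        reasons.append("refresh token requested (persistent access)")
    return reasons


def flag_risky_consents(events, approved=APPROVED_APP_IDS):
    """Return (user, app_name, reasons) for every grant that has at least one reason."""
    flagged = []
    for ev in events:
        reasons = consent_risk(ev, approved)
        if reasons:
            flagged.append((ev["user"], ev["app_name"], reasons))
    return flagged


if __name__ == "__main__":
    for user, app, reasons in flag_risky_consents(SAMPLE_EVENTS):
        print(f"{user} consented to '{app}': " + "; ".join(reasons))
```

A grant that trips this check is a candidate for revoking the app's permissions and resetting the user's sessions; the approved-app list is what keeps legitimate mail integrations from paging anyone.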

The scam, said to have been operating in over 62 countries, involved the use of the following malicious domains, now seized by Microsoft:

In other good news this week, the macOS security community took apart a combined ransomware/info stealer hiding in cracked software distributed via public torrents. Dubbed “EvilQuest” or “ThiefQuest”, the malware suggests its authors were hoping to copy a model that has proved successful in the Windows world: stealing data quietly in the background while noisily demanding a ransom for encrypted files in the foreground.

SentinelLabs broke the symmetric encryption used by the EvilQuest/ThiefQuest malware and released a public decryptor. It is also pleasing to see the Bitcoin address set up by the threat actors to collect funds hasn’t recorded a single transaction. The malware remains of concern for victims, however, as the separate data theft and backdoor components may have made off with sensitive data and could still be active if the device hasn’t been properly sanitized.

The Bad

A report out this week has found that cyber threats to operational technology systems through USB removable media devices have almost doubled in the last 12 months. Nearly half of all industrial locations surveyed in the report said they had detected at least one threat targeting their industrial process control networks. The report highlights the continuing prevalence of USB devices and their use as an attack vector, with 20% of the reported attacks said to be coming through removable storage devices. Among the objectives, the attackers were most interested in opening backdoors, establishing persistent remote access and delivering further malicious payloads.

The rise in USB-borne threats isn’t due to malware accidentally being transferred from one device to another, it was said, but rather a result of “deliberate and coordinated” attacks – like Disttrack, Duqu, Ekans, Industroyer and USBCulprit, among others – to leverage USB devices in targeting OT systems. The report serves as a timely reminder to all enterprise security teams of the importance of controlling removable media, including software-based USB devices.
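Controlling removable media starts with knowing what was plugged in. As an added example (not from the original post or the report it cites), the script below audits Linux kernel USB attach messages against a site allowlist of approved storage devices, and separately notes any storage device that also registers a keyboard interface, since a stick that types is not an ordinary stick. The allowlist, the vendor/product IDs and the dmesg excerpt are constructed for illustration; the line formats follow the usual "usb", "usb-storage" and "hid-generic" kernel messages.

```python
"""Audit kernel USB attach messages against a removable-media allowlist.

Added example (not from the original post). The allowlist and the log lines
below are constructed for illustration.
"""
import re

# Hypothetical site allowlist of approved storage devices as (idVendor, idProduct).
ALLOWED_STORAGE = {("0781", "5567")}

# Constructed dmesg excerpt: an approved stick, an unknown stick that also
# registers a keyboard, and an ordinary mouse.
SAMPLE_DMESG = """\
[   10.1] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[   10.2] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[   10.2] usb 1-1: Product: Cruzer Blade
[   10.3] usb-storage 1-1:1.0: USB Mass Storage device detected
[   42.0] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[   42.1] usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 2.00
[   42.2] usb-storage 1-2:1.0: USB Mass Storage device detected
[   42.3] hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [Generic] on usb-0000:00:14.0-2/input1
[   80.0] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[   80.1] hid-generic 0003:046D:C077.0003: input,hidraw2: USB HID v1.11 Mouse [Logitech] on usb-0000:00:14.0-3/input0
"""

# "usb <port>: New USB device found, idVendor=XXXX, idProduct=XXXX"
NEW_DEV = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# "usb-storage <port>:<config>.<interface>: USB Mass Storage device detected"
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
# "hid-generic 0003:VVVV:PPPP.NNNN: ...: USB HID vX.YY <Keyboard|Mouse|...>"
HID = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ (?P<kind>\w+)")


def audit_usb_log(text, allowed=ALLOWED_STORAGE):
    """Return findings as (port, 'vid:pid', reason) for devices needing review."""
    devices = {}  # port -> attributes gathered from successive log lines
    for line in text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"].lower(), "pid": m["pid"].lower(),
                                  "storage": False, "hid": set()}
            continue
        m = STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["storage"] = True
            continue
        m = HID.search(line)
        if m:
            # HID lines carry no port, so match them back by vendor/product ID.
            vid, pid = m["vid"].lower(), m["pid"].lower()
            for dev in devices.values():
                if (dev["vid"], dev["pid"]) == (vid, pid):
                    dev["hid"].add(m["kind"])

    findings = []
    for port, dev in sorted(devices.items()):
        ident = f'{dev["vid"]}:{dev["pid"]}'
        if dev["storage"] and (dev["vid"], dev["pid"]) not in allowed:
            findings.append((port, ident, "mass-storage device not on allowlist"))
        if dev["storage"] and "Keyboard" in dev["hid"]:
            findings.append((port, ident, "mass-storage device also registers a keyboard interface"))
    return findings


if __name__ == "__main__":
    for port, ident, reason in audit_usb_log(SAMPLE_DMESG):
        print(f"port {port} ({ident}): {reason}")
```

On a real host the same vendor/product pairs would feed the kernel's USB authorization policy or an endpoint agent's device-control rules, so that an unapproved device is blocked rather than merely logged.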

The Ugly

At last count, there were something like 7.8 billion people floating around on our small planet, but there are around double that number of stolen account credentials circulating on hacker forums, with around 5 billion of those being unique, according to a new audit of the darknet. The massive cache of exposed data is the result of over 100,000 data breaches, which is a terrifying number of security failures to contemplate.

These credentials are for accounts ranging from social media, streaming, VPN and gaming sites to banking, financial services and even domain administrator accounts. Criminals looking to buy access to someone else’s online banking account, for example, may pay around $500 or less on the darknet; a domain admin account may be auctioned off to the highest bidder for anything from a few thousand dollars to over $100,000, depending on the account.

Online credential theft and account takeovers are a booming industry, as cyber criminals engage in mass phishing campaigns with botnets, drop credential-stealing malware, and use techniques like credential stuffing and brute-forcing to steal passwords. As the report highlights, criminals are now collecting and selling access to digital fingerprint data such as cookies, IP addresses and timezones so that stolen credentials can be used without triggering a suspicious login alert from the service. Some darknet markets – Genesis Market, UnderWorld Market and Tenebris – were noted as places offering to rent out limited-time access to compromised accounts to other cybercriminals. These can be used for specific purposes such as laundering money, receiving emails or buying goods.
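Credential stuffing has a distinctive shape in authentication logs: one source trying one password against many different usernames, most of which fail, with the occasional success marking an account that now needs a reset. The following is an added example, not code from the original post or the report it cites, that detects that shape with a sliding window per source address. The log format, the RFC 5737 documentation addresses, the usernames and the thresholds are constructed for illustration.

```python
"""Detect credential-stuffing bursts in constructed authentication logs.

Added example (not from the original post). The line format, addresses and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing run from 203.0.113.7 that hits on
# "carol", and one legitimate user (bob) mistyping a password twice.
SAMPLE_AUTH_LOG = [
    "2020-07-06T08:00:00Z src=203.0.113.7 user=alice result=FAIL",
    "2020-07-06T08:00:05Z src=198.51.100.5 user=bob result=FAIL",
    "2020-07-06T08:00:10Z src=203.0.113.7 user=dave result=FAIL",
    "2020-07-06T08:00:20Z src=203.0.113.7 user=erin result=FAIL",
    "2020-07-06T08:00:30Z src=198.51.100.5 user=bob result=FAIL",
    "2020-07-06T08:00:30Z src=203.0.113.7 user=frank result=FAIL",
    "2020-07-06T08:00:40Z src=203.0.113.7 user=grace result=FAIL",
    "2020-07-06T08:00:50Z src=198.51.100.5 user=bob result=OK",
    "2020-07-06T08:00:50Z src=203.0.113.7 user=heidi result=FAIL",
    "2020-07-06T08:01:00Z src=203.0.113.7 user=ivan result=FAIL",
    "2020-07-06T08:01:20Z src=203.0.113.7 user=carol result=OK",
    "this line is noise and does not parse",
]

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(lines):
    """Yield (timestamp, src, user, result) tuples, skipping unparseable lines."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {src: {"distinct_failed_users": n, "successes": [users]}} for
    every source that failed against at least min_users distinct accounts
    inside any window-sized span. Successes within the same span are the
    accounts to reset first."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(lines):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failed_users = {u for _, _, u, r in span if r == "FAIL"}
            if len(failed_users) < min_users:
                continue
            hit = findings.setdefault(src, {"distinct_failed_users": 0, "successes": set()})
            hit["distinct_failed_users"] = max(hit["distinct_failed_users"], len(failed_users))
            hit["successes"].update(u for _, _, u, r in span if r == "OK")

    for hit in findings.values():
        hit["successes"] = sorted(hit["successes"])
    return findings


if __name__ == "__main__":
    for src, hit in detect_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {hit['distinct_failed_users']} distinct users failed, "
              f"successes: {hit['successes'] or 'none'}")
```

Counting distinct usernames rather than raw failures is what separates stuffing from a single user fumbling a password; the report's point about rented fingerprint data is exactly why a per-account "new device" alert alone is not enough and the source-side view is worth keeping.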

According to the researchers, the average person uses almost 200 online services that require passwords. With many users unaware of basic password security and many organizations failing to stop data breaches, it’s possible that today’s figure of 15 billion will seem like small change in just a few years’ time.