Cybersecurity Week in Review: 1/18
Posted by: GuidePoint Security
Last week’s cybersecurity news features cybercriminals continuing to exploit the coronavirus—now by focusing on undermining vaccine efforts. Additionally, the FBI has issued a warning for corporations to be on the lookout for ‘vishing’ attacks, and new botnet malware dubbed ‘FreakOut’ is targeting vulnerable Linux devices.
Beware Vishing! ‘Voice phishing’ attacks on rise, warns FBI
The FBI released a private industry notification recently warning companies of an increase in ‘vishing’—that is ‘voice phishing’—in which cybercriminals use in-person social engineering to obtain sensitive corporate information and then infiltrate corporate systems and networks. The scam is targeting employees at larger firms in the US and abroad and takes advantage of both voice over IP (VoIP) platforms and chatroom messaging services.
The attack described in the FBI notification involves criminals contacting someone at the company and convincing the employee to sign into a fake website using corporate login credentials. Once the credentials are captured, the cybercriminals use them to gain access to the corporate network. In another instance described by the FBI, cybercriminals used a chatroom messaging service to access the official corporate chatroom. They then convinced the employee to sign into a fake VPN page, with the goal of locating additional employees with greater privileges, such as those with the authorization to change usernames and email addresses within a cloud-based payroll service.
In these types of attacks, it is not uncommon for the cybercriminal to pretend to be a member of the IT or accounting team. The FBI recommends that companies take the following steps to improve cybersecurity:
- Implement multifactor authentication (MFA)
- Apply the principle of least privilege
- Periodically review network access for all employees and delete old or inactive accounts
- Regularly review logs and engage in other types of system scanning for indications of unauthorized access or modifications
- Segment networks for better management
You can read the FBI advisory and learn more about these vishing attacks here and here.
Cybercriminals exploiting Covid—vaccines and healthcare under threat
As the Covid epidemic impacts people and businesses worldwide, cybercriminals sadly aren’t missing a beat in their efforts to destroy lives and incomes already under threat from this deadly virus.
Since March of last year, cybersecurity researchers have observed a growing number of Covid-related threats—from Covid-themed ransomware targeting hospitals and public health institutions to malware embedded in coronavirus-based documents, emails and websites. A major vaccine producer was also recently hit with a breach in which vaccine research data was leaked online.
In the latest sinister scam, cybercriminals are exploiting the much-needed and eagerly anticipated vaccine roll-out. In a recent report, cybersecurity researchers found that during 2020, 12.5K domains containing the word “vaccine” had been registered worldwide, of which approximately half (6,104) were found to be malicious or suspicious and were live on the internet. A number of the sites had email capabilities, presumably to let the cybercriminals distribute fake vaccine phishing or Covid-themed malware campaigns.
In addition, researchers have discovered a dramatic uptick in the number of new domain registrations targeting the major vaccine drug manufacturers. These domain names often involve a technique called ‘typosquatting’, in which the criminal intentionally introduces typos into the domain name so that it still resembles an actual word or phrase. Because the human eye can read text that contains typos (a cognitive effect sometimes called “typoglycemia”), people tend to miss the mistakes. Typosquatting can involve replacing similar-looking letters, such as a lower case “l” for a lower case “i” (e.g. vacclne instead of vaccine); intentionally misspelling a name, for example “vacine” or “vaccnie” instead of “vaccine”; or using a legitimate pharmaceutical corporation’s name as part of the fake domain address.
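As an added illustration (not code from the report or from GuidePoint), the following Python checker applies the three typosquatting patterns above to a newly registered domain name: it folds visually confusable characters, measures edit distance with adjacent swaps allowed, and flags watch-list terms embedded in a longer label. The watch list, the confusable map and the placeholder manufacturer name `examplepharma` are assumptions for the example.

```python
import re

# Visually confusable characters folded to one canonical form (constructed, illustrative list)
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"}

# Terms to protect; "examplepharma" is a placeholder, not a real manufacturer
WATCHLIST = ["vaccine", "examplepharma"]


def fold(text):
    """Lower-case and collapse confusables so 'vacclne' folds to the same string as 'vaccine'."""
    text = text.lower()
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. 'vaccnie'
    return d[len(a)][len(b)]


def classify(domain):
    """Return (verdict, reason) for one domain; 'clean' when no watch-list term is involved."""
    label = domain.lower().split(".")[0]  # assumes a plain second-level label, no public-suffix logic
    folded = fold(label)
    for term in WATCHLIST:
        ft = fold(term)
        if label == term:
            return ("exact", f"is the protected label '{term}'")
        dist = osa_distance(folded, ft)
        if dist == 0:
            return ("lookalike", f"confusable characters stand in for '{term}'")
        if dist == 1:
            return ("lookalike", f"one edit away from '{term}'")
        if ft in folded:
            return ("embedded", f"embeds '{term}' in a longer label")
    return ("clean", "")
```

Run over a feed of new registrations, the "lookalike" and "embedded" verdicts are the ones worth a manual look; the 'exact' verdict only confirms the protected label itself.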
In addition, researchers have found at least one website claiming to sell not-fully-tested vaccines from a Chinese life sciences company. (The offer even includes free shipping!) While the vaccine itself is legitimate, the website is not. The domain is registered in Panama through a service that conceals the identity of the domain owner. (The address and phone number listed on the fake website are the same as a ‘waterless’ car wash service and a talent management firm.) The legitimate vaccines also require refrigerated temperatures, making shipping impossible without specialized containers.
Additional Covid vaccine website scams include:
- Selling home kits containing raw ingredients to produce your own vaccine
- Fake websites where you can get on a ‘priority’ list to jump the vaccine line, including several sites where you ‘pay’ for this benefit
- Sites claiming to sell “extra” vaccine inventory
- Sites selling alternative vaccines
- Websites that are intentionally spreading false information or news to convince people to not get vaccinated
You can read more on the various criminal cyberthreats associated with coronavirus and the Covid vaccines here and here.
Cybercriminals want you to ‘FreakOut’
Threat actors are currently engaged in a new malicious campaign targeting vulnerable Linux devices. The intent of the campaign is to infect machines currently running unpatched versions of the TerraMaster operating system, the Zend Framework or Liferay Portal with the FreakOut malware. All three types of software have a large user base and have recently corrected critical vulnerabilities, specifically CVE-2021-3007 (Zend Framework), CVE-2020-7961 (Liferay Portal), and CVE-2020-28188 (TerraMaster). The vulnerabilities enable remote code execution (Zend and Liferay) or complete device control (TerraMaster).
Once infected with the FreakOut malware, the devices connect to a botnet designed to help deploy additional attacks. The botnet is also capable of mining for cryptocurrency, spreading laterally across a corporate network or redirecting efforts at other corporate targets while impersonating the compromised company.
The malware itself has capabilities that include port scanning, network sniffing, information gathering or launching distributed denial-of-service (DDoS) attacks.
In digging through earlier versions of the malware script, researchers have been able to discover details about the malware author and the infected systems, including information that suggests that the current FreakOut malware has its foundations in an earlier version promoted in 2015.
While the botnet is in the early stages of expansion, researchers warn that they expect significant growth in a short period, with potentially more damaging attacks on the horizon.
You can read more on the FreakOut malware here.
Final Words
Cybersecurity can be a constant battle to find the right mix of security solutions to detect threats and protect mission-critical assets and resources. In the case of the ‘vishing’ attacks mentioned above, the FBI recommendations are all core components of zero trust, such as MFA, least privilege, continual validation and verification of those connecting to and accessing corporate networks, network segmentation (sometimes called ‘microsegmentation’) and the regular review of logs and system scanning for indications of malicious activity.
Threat actors will exploit assets and resources whenever and however they can. This is why it is important to understand key approaches, like zero trust, and to be willing to invest in and adapt to these new approaches, architectures, tools and technologies as they become available.