SolarMarker SEO Poisoning & Moobot: Cybersecurity Week in Review—06/14/21
Posted by: GuidePoint Security
In this issue of Cybersecurity Week in Review, we’ll take a look at some clever malware, including a remote access trojan (RAT) distributed through SEO poisoning and a newly discovered malware built to block access to software-piracy sites. We’ll also explore the details behind two sizeable corporate data breaches and several alerts about increases in dangerous phishing attacks.
- This Week in Malware: RAT Poisoning, Software Pirates, and MooBot
- Data Breaches: Billions of Records Exposed in Two Significant Data Breaches
- Phishing: Microsoft Stops BEC Attack; Criminals Using Google Docs in Phishing
- Final Words
This Week in Malware: RAT Poisoning, Software Pirates, and MooBot
What You Need to Know
Microsoft is warning businesses about a RAT called SolarMarker that is distributed through SEO poisoning. Researchers have also discovered malware that blocks access to piracy websites. And security professionals are warning of a Mirai variant actively targeting Tenda routers.
Summary
Microsoft Warning of SolarMarker Malware RAT
Last week, Microsoft announced it was tracking SEO poisoning attacks that infect targets with a remote access trojan. The RAT appears to be capable of stealing information and backdooring systems.
Dubbed ‘SolarMarker’ (also called Jupyter, Polazert, and Yellow Cockatoo), the threat was first observed by researchers in April, when it flooded search results with at least 100,000 malicious web pages built around search terms such as ‘office templates’ and ‘office forms.’ When a victim visited one of these pages and tried to download the form, they instead received the remote access trojan.
In the current campaign observed by Microsoft, the threat actors have turned to stuffing keywords into PDF documents hosted on AWS and Strikingly. The attacks appear targeted at the financial and education sectors. The keywords range from ‘acceptance contract’ and ‘insurance form’ to ‘math answers’ and ‘how to join in SQL.’ When a victim opens one of these documents, they are prompted to download additional malicious PDFs and are then redirected through multiple malicious websites before the final payload is delivered.
Once installed, the RAT harvests data from the infected system and sends it to a command-and-control (C2) server. It gains persistence by placing itself in the Startup folder and modifying shortcuts on the target system.
The developers of SolarMarker are believed to be Russia-based cybercriminals, as many of the C2 servers are located in Russia.
Raise the Jolly Roger! Malware Attacking Software Pirates
Some malware developers appear to have turned the tables on software pirates. Security researchers recently discovered a particular malware that, once downloaded, prevents access to websites known for hosting pirated content, including software.
According to researchers, the developer distributes the malware through Discord and pirated-software torrent sites such as The Pirate Bay, where it masquerades as pirated software itself. (Threat actors have long used sites like The Pirate Bay to deliver information-stealing trojans, ransomware, and cryptominers disguised as ‘free’ software or movies.) Once the target downloads and runs it, the malware modifies the HOSTS file so that sites like The Pirate Bay no longer resolve. The malware also connects to a remote host, reports the name of the pirated software the target attempted to download, and retrieves a secondary payload that extends the list of domains the target is blocked from visiting.
Researchers currently speculate that the information collected by the malware could be used for extortion or shared with ISPs or law enforcement.
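Because the malware above works by rewriting the HOSTS file, the tampering is easy to spot if you know what a clean file looks like. The following is an added example for this article, not code from the original post or from the malware’s authors: it parses HOSTS-file text and reports every name that is sinkholed to a non-routable address (other than the stock localhost entries) or pointed at an arbitrary IP. The sample HOSTS text is constructed; the blocked names beyond thepiratebay.org are hypothetical.

```python
"""Flag suspicious entries in a Windows HOSTS file.

Added example (not from the original article or the malware's authors).
parse_hosts() reads HOSTS-file text; find_suspicious() reports every
entry that sinkholes a name other than the stock localhost entries, or
that points a name at a routable address (a redirect/hijack).
"""
import ipaddress
from typing import Iterator, List, NamedTuple, Tuple

# Names a stock Windows HOSTS file legitimately maps to loopback.
DEFAULT_LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})

# Constructed sample: a default Windows header plus entries of the kind the
# malware adds. 192.0.2.0/24 is a documentation range (RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         thepiratebay.org           # added by malware
0.0.0.0         www.thepiratebay.org
127.0.0.1       example-torrent-site.test  # hypothetical blocked site
192.0.2.10      update.example-vendor.test # redirect, not a sinkhole
"""


class Finding(NamedTuple):
    line_no: int
    address: str
    name: str
    reason: str  # "sinkholed" or "redirected"


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, [names]) for each non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                           # malformed line; ignore
        yield line_no, fields[0], fields[1:]


def find_suspicious(text: str) -> List[Finding]:
    """Return one Finding per host name that is sinkholed or redirected."""
    findings: List[Finding] = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue                           # not an IP; leave to other tooling
        # Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) are the classic
        # blackhole targets: any non-default name mapped there is blocked.
        blackhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if blackhole:
                if name.lower() not in DEFAULT_LOCAL_NAMES:
                    findings.append(Finding(line_no, address, name, "sinkholed"))
            else:
                # A routable address for a public name overrides DNS entirely.
                findings.append(Finding(line_no, address, name, "redirected"))
    return findings


def blocked_names(text: str) -> List[str]:
    """Sorted list of names the file prevents from resolving."""
    return sorted({f.name for f in find_suspicious(text) if f.reason == "sinkholed"})


if __name__ == "__main__":
    # On a live host, read C:\Windows\System32\drivers\etc\hosts instead.
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.name} -> {f.address} ({f.reason})")
```

On a live system, feed the function the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts on other platforms). Expect some legitimate hits: ad-blocking tools and developer setups also sinkhole or redirect names, so compare findings against a known baseline rather than treating every entry as malicious.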
MooBot Mirai-variant Targeting Tenda Routers
A variant of the Mirai botnet known as MooBot is exploiting a known vulnerability in Tenda-brand routers. Researchers first discovered the campaign (dubbed Cyberium) after noticing a spike in scanning for Tenda routers. The targeted vulnerability (CVE-2020-10987) can allow remote code execution (RCE). The threat actors and infrastructure behind the Tenda scans also appear to be probing for other vulnerable systems, including Axis SSI, Huawei home routers (CVE-2017-17215), and the Realtek SDK miniigd service (CVE-2014-8361). The scans also searched for DVRs running the Sofia video application with default credentials.
MooBot appears to be used for distributed denial of service (DDoS) attacks. The criminal gang behind Cyberium has been active for approximately one year.
Next Steps
A variety of tools and services can provide malware protection, including cloud security, endpoint security and email security. As workloads increase among already stretched security staff, organizations can also improve cybersecurity and malware protection by using managed security services. Organizations are also encouraged to patch vulnerable systems frequently and engage vulnerability management and penetration testing services.
Data Breaches: Billions of Records Exposed in Two Significant Data Breaches
What You Need to Know
Security researchers discovered billions of records associated with a major drugstore chain exposed in an unsecured database. And a large international cruise line announced that it had detected a breach of its systems, also resulting in the exposure of customer and employee data.
Summary
Major Drugstore Retailer Database Exposed
Misconfigurations appear to have left a large database containing billions of records related to customers’ medical and search activity exposed. According to researchers, the database, belonging to a large US-based drugstore, pharmacy, and health retailer, held records of visitors’ activity on the company’s website, including visitor ID, session ID, and device information (e.g., iPhone, Android, or iPad). No identifiable health or personal information appears to have been exposed. The company has since secured the database.
Large International Cruise Line Breached
A large, well-known cruise line operator announced last week that it had detected a breach of its systems, which resulted in the exposure of customer and employee data. The cruise ship operator (whose holdings include three major cruise lines) has secured the affected systems and does not believe that the exposed data is being misused.
Next Steps
Data privacy is a critical issue for organizations. To protect data, businesses are encouraged to use data security services as well as vulnerability management services and penetration testing to ensure that systems and databases are configured properly.
Phishing: Microsoft Stops BEC Attack; Criminals Using Google Docs in Phishing
What You Need to Know
Microsoft has disrupted a large business email compromise (BEC) campaign, and cybercriminals are turning to Google Docs to host phishing attacks.
Summary
Microsoft Halts BEC Campaign
In a campaign recently disrupted by Microsoft, cybercriminals stole credentials with phishing emails that used a voicemail lure and an HTML attachment designed to look like the Microsoft login page. The stolen credentials were then used to sign in to victims’ mailboxes and create forwarding rules that sent emails containing financial information to the attackers. During their investigation, Microsoft’s security researchers observed hundreds of compromised mailboxes across numerous businesses.
The campaign ran on a ‘robust’ cloud-based infrastructure with automated attack features. The cybercriminals focused on high-value targets, creating the forwarding rules and monitoring each victim’s inbox. They also obscured their activity by using different IP addresses and varying the timing of their actions.
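The forwarding rules are the durable artifact of an intrusion like this: the attacker’s session may be gone, but the rule keeps exfiltrating mail until someone finds it. The following is an added example for this article, not code from the original post or from Microsoft’s research. It takes inbox rules as plain dicts whose keys mirror the fields you would export from Exchange Online (Get-InboxRule) or Microsoft Graph (messageRules) and flags the classic BEC shapes: forwarding to external addresses, forwarding keyed on financial terms, hiding the original message, and blank or single-character rule names. The field names, ORG_DOMAIN, and the sample rules are all constructed for this example.

```python
"""Hunt for inbox rules of the kind created in BEC intrusions.

Added example (not code from the original article or Microsoft's write-up).
analyse_rule() scores one inbox rule given as a dict; the key names mirror
exported Exchange Online / Graph rule fields but are an assumption here.
"""
from typing import Dict, List, Tuple

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Lure words BEC rules commonly key on; extend for your environment.
FINANCE_TERMS = frozenset({"invoice", "payment", "statement", "wire",
                           "remittance", "bank", "ach", "transfer"})

# Folders attackers use to hide forwarded originals from the user.
HIDING_FOLDERS = frozenset({"RSS Feeds", "RSS Subscriptions", "Archive",
                            "Deleted Items", "Conversation History", "Junk Email"})

# Constructed sample rules (not real mailboxes or addresses).
SAMPLE_RULES: List[Dict] = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "subject_or_body_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"mailbox": "bob@example.com", "name": "Cover for vacation",
     "forward_to": ["carol@example.com"]},
    {"mailbox": "dave@example.com", "name": ".",
     "subject_or_body_contains": ["invoice", "payment", "wire"],
     "forward_to": ["finance.desk@free-mail.test"],
     "delete_message": True, "mark_as_read": True},
    {"mailbox": "erin@example.com", "name": "Backup",
     "redirect_to": ["erin.personal@free-mail.test"],
     "move_to_folder": "RSS Feeds"},
]


def _forward_targets(rule: Dict) -> List[str]:
    """All addresses a rule sends mail to, whatever the forwarding flavour."""
    return (rule.get("forward_to", []) + rule.get("redirect_to", [])
            + rule.get("forward_as_attachment_to", []))


def analyse_rule(rule: Dict, org_domain: str = ORG_DOMAIN) -> List[str]:
    """Return the reasons this rule looks like BEC tradecraft (empty if clean)."""
    reasons: List[str] = []
    targets = _forward_targets(rule)
    if not targets:
        return reasons  # rules that only move or flag mail are out of scope here

    external = [a for a in targets if not a.lower().endswith("@" + org_domain.lower())]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    keywords = {k.lower() for k in rule.get("subject_or_body_contains", [])}
    hits = sorted(keywords & FINANCE_TERMS)
    if hits:
        reasons.append("forwarding keyed on financial terms: " + ", ".join(hits))

    hides = (rule.get("delete_message") or rule.get("mark_as_read")
             or rule.get("move_to_folder") in HIDING_FOLDERS)
    if hides:
        reasons.append("hides the original message (delete, mark read, or move to an obscure folder)")

    if (rule.get("name") or "").strip() in {"", ".", "..", "-", ","}:
        reasons.append("rule name is blank or a single punctuation character")
    return reasons


def find_suspicious_rules(rules: List[Dict],
                          org_domain: str = ORG_DOMAIN) -> List[Tuple[str, str, List[str]]]:
    """(mailbox, rule name, reasons) for every rule with at least one finding."""
    results = []
    for rule in rules:
        reasons = analyse_rule(rule, org_domain)
        if reasons:
            results.append((rule["mailbox"], rule.get("name", ""), reasons))
    return results


if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}:")
        for r in reasons:
            print("  -", r)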
Google Docs Used in Phishing Attack
Cybercriminals are leveraging Google Docs to facilitate a phishing campaign which delivers malicious links aimed at stealing credentials.
According to security researchers, criminals initiate the attack with an email containing language and links that seem relevant to individuals who use Google Docs in their corporate environment. When clicked, the link takes the victim to a page resembling the one used to share a Google Doc with someone outside the organization. That page redirects to a phishing site that captures the user’s Google login credentials.
Next Steps
Phishing attacks, including business email compromise, whaling, spear-phishing, and clone phishing, are still a common attack technique for cybercriminals. Businesses are encouraged to use anti-phishing services as well as email security technology to protect their employees and data from attack.
Final Words
With constant news related to ransomware and malware, it is all too easy for businesses to become focused on securing their company from these prominent threat types, while giving less attention to the threat types not making national news, such as phishing and misconfigurations.
According to research released in 2021, phishing was present in more than one-third of all breaches, up 11 percentage points from 2020. Additionally, more than 60% of all breaches involved credential data. The research further states that 70% of all breaches are the result of privilege abuse.
With phishing, misconfigurations, and privilege abuse still dominant reasons behind system breaches, it is critical for businesses to recognize the importance of phishing protection, tools to help manage and detect misconfigurations (such as IoT platform assessments), and policies that support privileged access management.
Organizations are also reminded:
- Don’t provide personal or financial information, or information about your organization (including its structure or networks), in an email or to any unverified or unauthorized individual.
- Pay attention to the URL when inputting information into login screens and always verify that the website is correct and legitimate. Access the website by typing the known URL on your own instead of relying on a link sent via email.
- If the legitimacy of an email request is unknown, verify the request by contacting the company sending the request directly. Do not use the contact information provided in the email content or links.
- Apply zero trust principles, identity and access management, and multi-factor authentication.
Better security isn’t about one tool, technology, policy, or task force. It’s a team effort involving internal and external security professionals, employees, and researchers all working together to better understand and combat cybercrime.