Upgraded malicious Word, Excel attachments targeting WFH employees


Cybercriminals are updating their tactics for malicious Microsoft Word and Excel attachments so that the documents fool not only the human recipients but also the device's security software.

Mimecast has tracked an increase in the number of Excel spreadsheets that use the VelvetSweatshop default password to deliver the LimeRAT remote access trojan. At the same time, Securonix has spotted ransomware being spread through weaponized COVID-19/coronavirus-themed documents and emails, with the intention of disrupting healthcare and other critical business operations.

Combining LimeRAT with VelvetSweatshop is a particularly unwelcome and powerful technique because it lets the malicious document appear legitimate to the receiving system by using encryption, Mimecast reported. The threat actors are taking advantage of an existing Excel security measure that lets a spreadsheet be password protected, essentially encrypted, so that the recipient needs the password to open it.

This threat was uncovered by Mimecast Threat Center's Doron Attias and Tal Dery.

Unfortunately, there is a flaw in the Excel system that can bypass the need for a password to be entered, which lets a malicious document slip in. When the file is opened, the first check is whether the embedded default password VelvetSweatshop is still in use. If so, that key opens the malicious document, which then downloads the malware.

However, even if the user has swapped in a new password, the attacker can open a new window asking the recipient to enter their password. If the person is fooled and does so, LimeRAT is injected. Once on board, LimeRAT allows the attacker to deliver ransomware, a cryptominer or a keylogger, or to create a bot client.
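The detail that matters for defenders in the mechanism above is that an encrypted attachment is opaque to content inspection until it is decrypted, so a mail gateway should at least be able to recognise one and route it to a sandbox or a quarantine queue rather than letting it through as "clean". The Python below is an added example, not code from Mimecast, Securonix or the article: it walks the Compound File Binary (OLE2) directory that an encrypted .xlsx/.xlsm is stored in, lists the stream names, and labels the file as ECMA-376 encrypted when the standard EncryptionInfo and EncryptedPackage streams are present (stream names and header layout are from the MS-CFB and MS-OFFCRYPTO specifications). The sample container is constructed inside the block so it runs offline; testing whether such a file opens with the default key is a separate step (a library such as msoffcrypto-tool can do it) that this example deliberately does not perform.

```python
import struct

# Constants from the MS-CFB specification (real values, not assumptions).
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
ZIP_MAGIC = b"PK\x03\x04"


def _sector(data, n, size):
    """Sector n lives at byte offset (n + 1) * size; the 512-byte header is sector -1."""
    off = (n + 1) * size
    return data[off:off + size]


def cfb_stream_names(data):
    """Return the names of all directory entries in a Compound File Binary container,
    or None if the data is not a CFB file at all."""
    if not data.startswith(CFB_MAGIC):
        return None
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    size = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    # Load the FAT from the sectors listed in the header DIFAT array. The 109 header
    # entries cover files up to ~6.8 MB with 512-byte sectors; a full implementation
    # would also follow the DIFAT sector chain beyond that.
    fat = []
    for sec in difat[:n_fat]:
        chunk = _sector(data, sec, size)
        if len(chunk) != size:
            break
        fat.extend(struct.unpack(f"<{size // 4}I", chunk))
    names = []
    sec = first_dir
    seen = set()
    # Walk the directory sector chain; 'seen' guards against a crafted FAT loop and
    # ENDOFCHAIN/FREESECT fall outside len(fat), which ends the walk.
    while sec < len(fat) and sec not in seen:
        seen.add(sec)
        chunk = _sector(data, sec, size)
        if len(chunk) != size:
            break
        for off in range(0, size, 128):
            entry = chunk[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0 or name_len < 2 or name_len > 64:
                continue  # unused entry or malformed name length
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names


def classify_office_attachment(data):
    """Coarse triage label for a mail attachment body."""
    names = cfb_stream_names(data)
    if names is None:
        return "ooxml-plain" if data.startswith(ZIP_MAGIC) else "not-office"
    if "EncryptionInfo" in names and "EncryptedPackage" in names:
        return "ooxml-encrypted"  # cannot be content-scanned without the password
    return "ole2"  # legacy binary .xls/.doc; may still be RC4 encrypted inside


def _dir_entry(name, obj_type):
    """Build one 128-byte CFB directory entry (helper for the constructed sample)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)  # name length, type, colour
    struct.pack_into("<III", e, 68, FREESECT, FREESECT, FREESECT)  # no siblings/children
    return bytes(e)


def build_sample_encrypted_container():
    """Constructed sample: the smallest CFB that carries the streams of an encrypted
    OOXML file (header, one FAT sector, one directory sector). Not a real document."""
    size = 512
    hdr = bytearray(size)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<II", hdr, 44, 1, 1)           # one FAT sector; directory starts at sector 1
    struct.pack_into("<I", hdr, 56, 4096)            # mini-stream cutoff
    struct.pack_into("<II", hdr, 60, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * (size // 4 - 2)
    fat_sector = struct.pack(f"<{size // 4}I", *fat)
    entries = (_dir_entry("Root Entry", 5) + _dir_entry("EncryptionInfo", 2)
               + _dir_entry("EncryptedPackage", 2) + _dir_entry("\x06DataSpaces", 1))
    return bytes(hdr) + fat_sector + entries.ljust(size, b"\x00")


if __name__ == "__main__":
    sample = build_sample_encrypted_container()
    print(cfb_stream_names(sample))
    print(classify_office_attachment(sample))
```

The "ole2" label is deliberately not "safe": a legacy .xls encrypted with the default key keeps its password material in a FILEPASS record inside the Workbook stream rather than in separate streams, so a gateway policy that treats every OLE2 attachment as needing deeper inspection is the conservative choice.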

Securonix spotted the COVID-19 ransomware attacks while monitoring new threats being used against employees who now find themselves working from home.

The ransomware used against healthcare facilities and critical business operations arrives through a socially engineered phishing attack that presents itself as a COVID-19 situation report. The document in fact carries a new variant of SNSLocker, which upon being opened immediately begins encrypting files and demands a 0.35 bitcoin ransom payment.

Another version of the attack spreads via a particularly egregious phishing email, this time containing a note telling the recipient they have the coronavirus. The email claims to come from a specific hospital and may state where the person is believed to have been infected.

This variant replaces SNSLocker with one of several info stealers capable of finding and removing web browser cookies, enumerating system information and shares, stealing cryptocurrency wallets and then exfiltrating the stolen information.

Defending a company from these attacks follows the same basic principles as for any phishing attack. Employees must be instructed to scrutinize all emails and not download any suspicious documents. Additionally, all systems must be updated and patched for known vulnerabilities. On the IT side, admins should monitor network traffic for outbound connections to likely command-and-control services, Mimecast said.

Securonix has several additional recommendations:

  • Unusual severity event for your VPN server device
  • Account authentication from a rare geolocation
  • VPN connection from anonymous proxy
  • Connection to a rare domain for a peer group followed by an executable download
  • Landspeed anomaly
  • Emails from typosquatted domain
  • Abnormal number of emails sent to a rare external recipient
  • Abnormal amount of data sent to a rare external recipient
  • Unusual VPN session length
  • Unusual amount of data for VPN session compared to peers
  • Unusual sensitive data access increase for a user


