The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- Emotet resurfaces. The infamous malware has reappeared.
- FBI email attack. Attacker exploits misconfiguration in FBI portal.
- Costco theft. Costco alerts customers after physical payment card skimmer found in store.
- Alibaba cryptojacking. Alibaba Cloud ECS instances targeted by Monero-mining malware.
- Be WordPress wary. Fake ransomware campaign targets WordPress websites.
- SharkBot trojan on the hunt. This new banking trojan can bypass multi-factor authentication.
1. Emotet rises from the dead
The infamous Emotet has resurfaced in the wild. Originally deployed in 2014 to steal online banking credentials, Emotet evolved into a sophisticated malware-dropper. Emotet’s proliferation was curtailed in January 2021 after a Europol-led international operation seized control of its supporting infrastructure.
Signs of Emotet’s return were identified via a new email spamming campaign. The campaign involves phishing emails with malicious Word and Excel file attachments which, if opened and their macros allowed to run, download and install the Emotet payload.
While Emotet’s resurgence is in the early stages, the number of servers supporting it has already doubled, suggesting its return could be quick. Close monitoring of the malware’s evolution is advised.
SO WHAT? Feed published Emotet command-and-control indicators into your perimeter firewall and proxy block lists and keep them current, block or quarantine macro-enabled Office attachments at the mail gateway, and do not open Word or Excel attachments sent from untrusted sources.
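The delivery mechanism described above is an Office attachment that carries a VBA project. The following is an added example, not S-RM’s code nor anything from the campaign: a hypothetical mail-gateway check that inspects attachment content rather than trusting the file extension, blocks any OOXML document containing a `vbaProject.bin` part, and routes legacy binary `.doc`/`.xls` files (which this script cannot parse without an OLE library such as oletools) to manual review instead of silently allowing them. The sample attachments are constructed in memory so the script runs offline.

```python
import io
import zipfile

# Added example, not S-RM's code. All attachments below are constructed stubs,
# not real Emotet samples.

LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header of .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML (.docx/.docm/.xlsm...) is a zip


def build_ooxml_doc(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container; with_macro adds a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # In a real file this part is an OLE stream holding the macro code;
            # its content does not matter for detection, only its presence.
            z.writestr("word/vbaProject.bin", LEGACY_OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def ooxml_has_vba_project(data: bytes) -> bool:
    """True if an OOXML zip contains a vbaProject.bin part anywhere in the tree."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment.

    Content is inspected regardless of the name: a file called report.docx that
    still carries a VBA project is blocked. A legacy binary .doc/.xls cannot be
    inspected here, so it goes to review rather than being allowed by default.
    """
    if ooxml_has_vba_project(data):
        return "block"
    if data.startswith(LEGACY_OLE_MAGIC):
        return "review"
    return "allow"


if __name__ == "__main__":
    samples = {  # constructed inputs
        "invoice.docm": build_ooxml_doc(with_macro=True),
        "report.docx": build_ooxml_doc(with_macro=True),   # misleading extension
        "summary.docx": build_ooxml_doc(with_macro=False),
        "statement.doc": LEGACY_OLE_MAGIC + b"\x00" * 32,
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(f"{name:16s} -> {classify_attachment(name, blob)}")
```

The check deliberately ignores the extension because the user-visible name is the attacker’s choice; the zip directory listing is not. A production gateway would additionally unpack nested archives and run a proper OLE parser on the legacy formats.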
2. Attacker exploits FBI software misconfiguration
Thousands of emails were sent on behalf of the US Federal Bureau of Investigation (FBI) after an attacker exploited a software misconfiguration in its Law Enforcement Enterprise Portal (LEEP). The server involved is separate from the FBI corporate email system and is used to push LEEP notifications, so the messages originated from legitimate FBI infrastructure.
The threat actor claiming responsibility also took credit for the recent data breach impacting the Robinhood stock trading platform. That actor accessed data belonging to millions of Robinhood users and is now advertising it for sale on the dark web.
SO WHAT? These attacks highlight not only the continued vulnerability and value of user data to attackers, but also the extra weight an attacker gains by sending from a well-known and trusted entity, such as the FBI: messages from a legitimate sender bypass the reputation checks and user suspicion that ordinary phishing has to overcome.
3. Physical card skimmer used to steal Costco customer data
Costco Wholesale Corporation (Costco), the fifth-largest retailer worldwide, has notified customers that their payment card information might have been compromised whilst shopping at one of its stores.
Costco discovered a physical payment card skimmer that had been planted at one of its stores, allowing unauthorised parties to capture customer payment card details. Once captured, the swiped magnetic-stripe data can be used to clone cards for fraudulent purchases.
SO WHAT? Despite rises in digital card theft from e-commerce sites, organisations should still perform regular checks for and implement protective measures against physical card skimmers.
4. Alibaba ECS instances targeted for cryptojacking
Threat actors are actively targeting Alibaba Cloud Elastic Compute Service (ECS) instances for illicit mining of Monero cryptocurrency. Reports indicate the actors are exploiting the lack of privilege separation on the targeted ECS instances: a threat actor who obtains basic login credentials for the instance automatically gains root-level access, with no further escalation required.
SO WHAT? Cloud service providers and their customers must be clear on which aspects of cloud security they are responsible for. Users should ensure that security configurations are in line with the principle of least privilege.
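The failure pattern above is a basic login that is effectively root. As an added example (not from S-RM or Alibaba Cloud, and making no claim about what an ECS image ships by default), the script below audits the three places on a Linux host where that pattern usually hides: extra UID-0 accounts in `/etc/passwd`, password-less unrestricted `sudo` rules, and an SSH daemon that accepts root logins and passwords. The weak and hardened configurations it checks are constructed snippets embedded inline, and the checks apply to any cloud instance, not only ECS.

```python
import re

# Added example, not S-RM's or Alibaba's code. Both host snapshots below are
# constructed illustrations of a weak and a hardened configuration.

WEAK_HOST = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "admin:x:0:0:admin:/home/admin:/bin/bash\n"   # second UID-0 account: a root alias
        "app:x:1001:1001:app:/home/app:/bin/bash\n"
    ),
    "/etc/sudoers": (
        "Defaults env_reset\n"
        "root ALL=(ALL) ALL\n"
        "app ALL=(ALL) NOPASSWD: ALL\n"               # any 'app' credential is root
    ),
    "/etc/ssh/sshd_config": (
        "PermitRootLogin yes\n"
        "PasswordAuthentication yes\n"
    ),
}

HARDENED_HOST = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "app:x:1001:1001:app:/home/app:/bin/bash\n"
    ),
    "/etc/sudoers": (
        "Defaults env_reset\n"
        "root ALL=(ALL) ALL\n"
        "app ALL=(ALL) /usr/bin/systemctl restart app.service\n"  # one command, password required
    ),
    "/etc/ssh/sshd_config": (
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "PubkeyAuthentication yes\n"
    ),
}


def _config_lines(text: str):
    """Yield non-empty config lines with '#' comments stripped (sudoers, sshd_config)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit_privilege(files: dict) -> list:
    """Return a list of least-privilege findings for a host snapshot of {path: contents}."""
    findings = []

    # 1. Any login that resolves to UID 0 is root, whatever it is called.
    for line in files.get("/etc/passwd", "").splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append(f"passwd: account '{fields[0]}' has UID 0")

    # 2. Password-less unrestricted sudo turns a stolen credential straight into root.
    for line in _config_lines(files.get("/etc/sudoers", "")):
        if re.search(r"\bNOPASSWD:\s*ALL\b", line):
            findings.append(f"sudoers: password-less unrestricted sudo: '{line}'")

    # 3. sshd reachable as root, and accepting passwords that can be guessed or reused.
    for line in _config_lines(files.get("/etc/ssh/sshd_config", "")):
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "permitrootlogin" and value == "yes":
            findings.append("sshd: PermitRootLogin yes allows direct root login")
        if key == "passwordauthentication" and value == "yes":
            findings.append("sshd: PasswordAuthentication yes exposes SSH to credential guessing")

    return findings


if __name__ == "__main__":
    for label, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(f"[{label}] {len(audit_privilege(host))} finding(s)")
        for f in audit_privilege(host):
            print("  -", f)
```

The point of the hardened snapshot is that a stolen `app` password no longer buys root: SSH requires a key, root cannot log in directly, and `sudo` is limited to one command and still asks for a password.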
5. WordPress users targeted by fake ransomware
A fake ransomware campaign has targeted nearly 300 WordPress sites. Threat actors are trying to coerce website owners into paying a ransom by displaying a fake encryption notice. The illusion of encryption is created by an installed plugin that moves blog posts into an unpublished state so they no longer display; no files are actually encrypted.
Threat actors are gaining initial access to the websites via a compromised administrator account. The account's privileges are then used to install the plugin and carry out the attack.
SO WHAT? Administrator accounts are the crown jewels of an organisation. At a minimum, ensure admin accounts have a unique username, a strong and complex password, and multi-factor authentication (MFA) enforced.
6. SharkBot banking trojan on the hunt
A new Android banking trojan, dubbed SharkBot, has been identified in the UK, Italy, and the US. SharkBot aims to initiate money transfers from compromised Android devices using the Automatic Transfer System (ATS) technique, which lets the malware fill in fields in legitimate mobile banking apps on the victim's own device, so the transaction carries the device's identity and sidesteps MFA that treats the phone as the trusted factor.
At present, no samples of the malware have been found on Google Play. Instead, it has been installed on devices through social engineering schemes and from illegitimate app stores.
SO WHAT? Employees must only install apps that have been reviewed and approved by their IT team, and should not sideload apps from outside the official store. Organisations should also have a strict Bring Your Own Device (BYOD) policy in place.