Cyber Pulse: Edition 107

Read the latest edition of Cyber Pulse, our round-up of cyber news.

Malicious spam is adapting to the pandemic

Phishing campaigns remain on the offensive as the Covid-19 pandemic continues on a global level. Researchers at Bitdefender reveals that attackers are adapting their messages to reach as many people as possible during this time. The majority of phishing campaigns use a blast approach through the use of zombie bot networks that send thousands of phishing emails to previously leaked emails in various data breaches.

Now with healthcare organisations, including hospitals, pharmaceutical companies and distributors of medical supplies in their sights, malicious emails are overflowing into other unsuspecting victims. Attackers have crafted a message that simply says the following:

“Your package has reached our warehouse and due to coronavirus outbreak, you will need to come to our warehouse to get it, check the attachment for details.”

This type of message isn’t going away and the cybercrime industry will seek to capitalise through the ongoing phases of this pandemic.

New Dell BIOS protection against attacks

Dell announced a new enterprise-level technology platform to protect the security of employees working from home, specifically a protection tool against BIOS attacks. This tool is the Dell SafeBIOS Events & Indicators of Attack (IoA). Dell said that due to the impact of the new coronavirus, many people are now forced to work from home, and cybercriminals are changing the way they work to destroy terminals and steal data.

This tool can quickly detect and identify changes in employee BIOS configurations. When an anomaly is detected, it will quickly report related events to the enterprise network administrator, so that the administrator can cut off the threatened terminal and continue to connect to the enterprise network architecture. After a security threat occurs, the administrator can also contact employees for disposal to ensure that attackers cannot steal key corporate information through employees working from home!

4 million credentials from Quidd found on dark webb

Researchers at Risk Based Security discovered a data breach on a prominent deep web hacking forum, which revealed email addresses, usernames and bcrypt hashed passwords for Quidd, an online company that deals in digital collectables from brands including Disney and DC Comics.

The use of bcrypt encryption will make commercial use of the credentials more difficult, but far from impossible. Many of the compromised accounts are linked to Microsoft, Virgin Media, Accenture, Experian and AIG. The leaked data is not yet up for sale, but currently, access is unrestricted on the dark web. Soon enough, cybercriminals will exploit this data and try their luck using the credentials to gain access to other accounts.

If you have a Quidd account and use the same password for other accounts too, change your password everywhere. And remember to not use the same password for multiple accounts.

IoT ‘dark_nexus’ botnet emerging

Cybersecurity researchers at Bitdefender have discovered a new emerging IoT botnet. The botnet, named "dark_nexus", works by employing credential stuffing attacks against a variety of devices, such as routers, video recorders and cameras, to co-opt them into the botnet.

So far, dark_nexus comprises at least 1,372 bots, acting as a reverse proxy. It's inspired by known botnets Qbot and Mirai.

"While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust," the researchers said. "For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim's configuration."

Its core modules are "mostly original" and it's frequently updated, with over 30 versions in the last three months.

Remote workers give up WebEx credentials

Emails purporting to be a Cisco “critical security advisory” are actually part of a phishing campaign trying to steal victims’ Webex credentials. The campaign urges victims to “update”, only to steal their credentials and leverage the wave of remote workers who, in the midst of the coronavirus pandemic, have come to rely on online conferencing tools like Webex (as well as Zoom and other platforms).

With this upward spike in online meetings, compromised Webex credentials could be a cybercriminal’s golden ticket into web conference calls where sensitive files and data are shared (among other malicious activities). The Cofense Phishing Defense Center (PDC) researchers said the phishing emails are being sent with various attention-grabbing subject lines, such as “Critical Update” or “Alert!” and come from the spoofed email address “meetings@webex[.]com”.

This is a mass “spray and pray” phishing campaign with “numerous end users” receiving and reporting the email from several industries, including the healthcare and financial spaces. The attackers behind this campaign appear to be meticulous in the details, right down to the URL linked to the “Join” button.

“The attacker has even gone as far as obtaining an SSL certificate for their fraudulent domain to gain further trust from end users,” researchers said. “While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate in the eyes of many users.”

Dutch Police takes down 15 DDoS-for-hire sites

In a press release, Dutch police said they have successfully taken down 15 DDoS-for-hire services in the span of a week, as part of one of their most successful crackdowns against online DDoS service providers. The DDoS-for-hire websites, also known as DDoS booters or DDoS stressors, allowed users to sign up and launch DDoS attacks against websites and other internet infrastructure.

Dutch authorities said the takedowns took place last week, and they received support from web hosting companies, domain registrars, Europol, Interpol, and the FBI. Authorities have not released the name of the 15 DDoS services.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.