Part of protecting the CTRL Community is to promote good security practices and raise awareness of current security trends. CTRL Group hopes this will bolster your overall understanding of cybersecurity attacks across the globe. In 2022, CTRL Group’s Security Operations Centre continues to monitor the ever-evolving threat landscape 24/7, observing breaches and critical security incidents.
Below are recommended mitigation actions by CTRL Group.
Malicious QR Codes Stealing Login and Financial Data
QR codes have become an everyday aspect of life since the start of the ‘COVID-19 era’. A reported 94% growth in the number of interactions was seen from 2018 to 2020 as businesses from multiple sectors across the world use QR codes for check-in and ordering purposes.
However, every technological development also gives cybercriminals and nation-state actors an opportunity to perform illicit actions. A recent threat notice from the FBI states that scammers are actively exploiting QR codes to lure victims into giving away their confidential data.
According to the FBI, these nefarious actors use malicious QR codes that reroute customers to malware-embedded websites, either to steal customers’ data or to access their devices and redirect payments into the attackers’ own accounts.
The method used by these scammers involves tampering with QR codes, either digitally or on a printed page. When a victim scans the code, believing it to be legitimate, the tampered code directs them to a malicious website that prompts them to enter login credentials and financial information, which go straight to the attackers.
The increased popularity of QR codes has also attracted other types of attacks. Last year a mobile application with over 10 million downloads was removed from Google’s Play Store after it was reported to be conducting malicious activities, and more recently several other QR code apps were found to be infected with malware after over 500k users from around the world had downloaded them.
CTRL Group recommends the following mitigation strategies:
- Only scan QR codes from places you trust, and do not scan randomly found ones.
- Never enter your personal information into a website without running the necessary checks: that this is in fact the site you were expecting when you scanned the code, that its design and content match the service you expected, etc. If possible, ask the business whether this is in fact the correct page to enter your details on.
- Avoid downloading an app via a QR code; instead use an official app store, such as Google’s Play Store or Apple’s App Store, to download applications.
- Do not download a QR code scanner app, as almost every phone comes with a built-in scanner. If possible, do not pay or enter your financial data on a website reached through a QR code. Instead, manually enter the URL and cross-check the address before completing the payment.
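The "check that this is the site you were expecting" advice above can be turned into a small pre-flight check on the URL a scanner decodes from a QR code. The following is an added example, not code from CTRL Group or the FBI notice; it assumes the scanner has already decoded the QR payload into a string, and the expected-host list and sample payloads are constructed for the demonstration. It flags the tricks a tampered code typically relies on: a non-HTTPS link, a bare IP address, user@ text in front of the real host, punycode hosts, and near-miss lookalike domains.

```python
"""Pre-flight checks for a URL decoded from a QR code (added example)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Hosts the scanner's owner actually expects QR codes to point at; constructed for the demo.
EXPECTED_HOSTS = ["menu.example", "pay.example"]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_expected(host: str, expected: str) -> bool:
    """True when host is the expected domain itself or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def check_qr_url(payload: str, expected_hosts: list[str] = EXPECTED_HOSTS) -> list[str]:
    """Return the list of warnings for a decoded QR payload; an empty list means it passed."""
    warnings: list[str] = []
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("payload has no host, so it is not a normal web link")
        return warnings
    if parts.username is not None:
        # https://bank.example@evil.example/ really goes to evil.example
        warnings.append("URL has user@ text before the real host, a classic disguise")
    is_ip = True
    try:
        ipaddress.ip_address(host)
    except ValueError:
        is_ip = False
    if is_ip:
        warnings.append("host is a bare IP address rather than a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (xn--), possible homograph lookalike")
    if not any(_is_expected(host, e) for e in expected_hosts):
        warnings.append(f"host '{host}' is not one of the expected domains")
        if not is_ip:
            # Compare the last two labels against each expected domain for typo-squats.
            base = ".".join(host.split(".")[-2:])
            for e in expected_hosts:
                if 0 < _edit_distance(base, e) <= 2:
                    warnings.append(f"'{base}' is a near-miss lookalike of '{e}'")
    return warnings


if __name__ == "__main__":
    # Constructed payloads: one genuine, the rest showing common tampering patterns.
    for payload in [
        "https://menu.example/table/12",
        "https://rnenu.example/table/12",
        "http://192.0.2.10/pay",
        "https://menu.example@pay-verify.example/login",
    ]:
        print(payload, "->", check_qr_url(payload) or "OK")
```

The lookalike check is deliberately loose (edit distance of one or two on the last two labels) because the point is to make a person stop and compare, not to decide on their behalf; anything that produces a warning should be typed in manually as the last bullet recommends.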
Elephant Beetle Targeting Financial Organisations
The renowned cyber security company Sygnia has recently published a report about a financially motivated actor, dubbed ‘Elephant Beetle’, that is stealing millions of dollars from organisations. The group uses Spanish file names, most of its servers’ IP addresses are based in Mexico, and it has an arsenal of over 80 unique tools and scripts.
This attack group is highly sophisticated and patient, spending months at a time studying the victim’s specific environment and financial transaction processes before moving on to exploit flaws in its network. Its method is to insert fraudulent transactions into the network and steal small amounts of money over long periods of time, which makes the theft challenging to discover. These small withdrawals can add up to an overall sum of millions of dollars.
Elephant Beetle’s area of expertise, and its common entry point into corporate networks, is legacy Java applications on Linux systems.
Sygnia researchers have been tracking the threat actor for over two years and noticed that it prefers to target known, and likely unpatched, vulnerabilities rather than developing its own zero-day exploits or purchasing them on the dark web. Some of the vulnerabilities most used by Elephant Beetle allow the attacker to execute arbitrary code remotely: CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326 and others.
To hide its activity in the network, Elephant Beetle mimics legitimate packages and disguises its web shells. After gaining initial access, the attackers use a highly versatile custom Java scanner and try to move laterally across the network to gain more privileges.
CTRL’s team of security experts recommends the following remediation strategies:
- Implement and verify segregation between DMZ and internal servers.
- Avoid using the ‘xp_cmdshell’ procedure and disable it on MS-SQL servers. Monitor for configuration changes and the use of ‘xp_cmdshell’ in your environment.
- Monitor for WAR deployments and validate that the packages deployment functionality is included in the logging policy of the relevant applications.
- Hunt for the presence and creation of suspicious .class files in the WebSphere applications temp folders.
- Monitor for processes executed by either web server parent service processes (e.g., ‘w3wp.exe’, ‘tomcat6.exe’) or by database-related processes (e.g., ‘sqlservr.exe’).
- Perform a search in your network for the IOCs mentioned in Sygnia’s report.
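The process-monitoring bullet above is the one most easily turned into a detection rule. The following is an added example, not code from CTRL Group or from Sygnia’s report: it walks a list of process-creation records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, User) and flags any child of the web-server and database parents named in the bullet, rating shells and download utilities as high severity. The sample records, the high-risk child list and the known-good list are constructed for the demonstration and should be tuned to your own baseline.

```python
"""Flag processes spawned by web-server or database service processes (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Parent images the advisory says to watch: web-server and database service processes.
WATCHED_PARENTS = {"w3wp.exe", "tomcat6.exe", "sqlservr.exe"}
# Interpreters and download utilities these services have no business spawning (assumed list).
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "certutil.exe", "bitsadmin.exe", "sh", "bash"}
# Children assumed benign in this demo environment; every site needs its own baseline.
KNOWN_GOOD_CHILDREN = {"conhost.exe"}


@dataclass
class Finding:
    severity: str
    parent: str
    child: str
    command_line: str
    user: str


def _image_name(path: str) -> str:
    """Lower-cased file name; ntpath splits on both '\\' and '/', so POSIX paths work too."""
    return ntpath.basename(path).lower()


def detect_service_children(events: list[dict]) -> list[Finding]:
    """Return one Finding per child process of a watched parent, skipping known-good children."""
    findings: list[Finding] = []
    for ev in events:
        parent = _image_name(ev.get("ParentImage", ""))
        child = _image_name(ev.get("Image", ""))
        if parent not in WATCHED_PARENTS or child in KNOWN_GOOD_CHILDREN:
            continue
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        findings.append(Finding(severity, parent, child,
                                ev.get("CommandLine", ""), ev.get("User", "")))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summary counts, handy for a daily report or an alert threshold."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed Sysmon-style records: one benign, several that should alert, one unrelated.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "conhost.exe 0x4", "User": r"IIS APPPOOL\app"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"IIS APPPOOL\app"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "cmd.exe /c dir", "User": r"NT SERVICE\MSSQLSERVER"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\tomcat\bin\tomcat6.exe",
     "CommandLine": "powershell.exe -nop -w hidden", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "ping 10.0.0.5", "User": r"IIS APPPOOL\app"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": r"CORP\jsmith"},
]


if __name__ == "__main__":
    found = detect_service_children(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.parent} -> {f.child} ({f.user}): {f.command_line}")
    print(count_by_severity(found))
```

Medium-severity findings (a ping from a worker process, for instance) are where the real tuning happens: review them for a week or two, move genuine application behaviour into the known-good list, and what remains is worth a ticket.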
Brace for Data-Wiping Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has recently released a bulletin warning organisations to bolster their cybersecurity defences against data-wiping attacks that have recently been seen targeting Ukrainian entities, both government and private sector.
Earlier this month, multiple coordinated attacks were conducted against Ukrainian targets: data-wiping malware was deployed, rendering devices inoperable, and websites were defaced. Authorities believe the attacks were performed using CVE-2021-32648 in the OctoberCMS platform alongside Log4Shell vulnerabilities and stolen credentials. There are also reports of a supply-chain attack via a local IT services company.
Ukraine is pointing the blame at Russia, as part of the escalating crisis between the two countries over recent months, while rumours of a possible Russian invasion loom.
CISA now warns that similar attacks could be performed against organisations outside Ukraine as well and encourages business leaders to take steps to prevent such attacks against their organisations.
The suggested steps also help prevent other types of attacks, such as ransomware:
- Validate that all remote access to the organisation’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritising updates that address known exploited vulnerabilities.
- Confirm that the organisation’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If you are using cloud services, ensure that IT personnel have reviewed and implemented strong controls.
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour. Enable logging in order to better investigate issues or events.
- Confirm that the organisation’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organisations, take extra care to monitor, inspect, and isolate traffic from those organisations; closely review access controls for that traffic.
- Conduct tabletop exercises to ensure that all stakeholders understand their roles during an incident.
- Test backup procedures to ensure that critical data can be rapidly restored if the organisation is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organisation’s network is unavailable or untrusted.
Please see the full CISA bulletin for the complete list of recommended actions.