A Month In Breaches: December

This is an initiative by our Security Operations Centre team, who keep their eyes on the prize 24/7 and proactively track breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.


Star Wars Phishing Scam

Fraudsters and scammers are always waiting to take advantage of anything that breaks the internet. This time it was the much-awaited movie Star Wars: The Rise of Skywalker. Phishers are luring users into downloading what they believe is a pirated copy of the latest Star Wars film. Kaspersky researchers found 30 phishing websites (the actual number could be much higher) that offer thorough descriptions, supporting content related to the film and the promise of the pirated movie itself, but only after the victim has handed over personal information. The same domains are also used to serve malicious files that can compromise the visitor's computer. The operators use a technique called Black SEO, in which the phishing websites are pushed high up in search engine results. So far 83 users have fallen victim to this scam.

As attackers become more opportunistic and capitalise on trending topics and events, users should be more aware and cautious. Kaspersky recommended that Star Wars fans pay attention to the official release dates in theatres, on streaming services, TV, DVD or other sources, and avoid links promising an early or free view of a new film. CTRL Group does not recommend clicking on or downloading anything from a free movie streaming link, as the "movie" may in fact be a malicious executable (.exe) disguised as a video file.
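The disguised-executable problem above is cheap to check for at a proxy or endpoint before a file is opened. The following is an added example (not code from the original post, from CTRL Group or from Kaspersky) that judges a download by its name and by its first bytes: a double extension such as ".mp4.exe", an executable extension, an executable header under any name, or a video extension whose bytes do not carry that container's signature. The file names and byte strings are constructed samples.

```python
"""Flag a download that claims to be a film but is (or wraps) an executable.

Added example, not code from the original post; the file names and byte
strings below are constructed samples, not real Star Wars downloads.
"""

# Standard file-format signatures: (offset, bytes).
VIDEO_MAGIC = {
    "mp4": (4, b"ftyp"),                  # ISO base media file: 'ftyp' at byte 4
    "mkv": (0, b"\x1a\x45\xdf\xa3"),      # Matroska EBML header
    "avi": (0, b"RIFF"),                  # RIFF container
}
EXECUTABLE_MAGIC = {
    "pe": (0, b"MZ"),                     # Windows executable (DOS stub)
    "elf": (0, b"\x7fELF"),               # Linux executable
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "msi", "js", "vbs", "lnk"}


def _has_magic(data: bytes, offset: int, sig: bytes) -> bool:
    return data[offset:offset + len(sig)] == sig


def assess_download(filename: str, data: bytes) -> dict:
    """Return {'verdict': 'allow'|'block', 'findings': [...]} for one file."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []

    # 1. Double extension such as "film.mp4.exe": the visible ".mp4" is bait.
    if len(parts) > 2 and parts[-2] in VIDEO_MAGIC:
        findings.append(f"double extension .{parts[-2]}.{ext}")

    # 2. An executable extension on something sold as a film.
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")

    # 3. The bytes are an executable no matter what the name says.
    for kind, (off, sig) in EXECUTABLE_MAGIC.items():
        if _has_magic(data, off, sig):
            findings.append(f"{kind} executable header")

    # 4. The name claims a video container but the header does not match.
    if ext in VIDEO_MAGIC and not _has_magic(data, *VIDEO_MAGIC[ext]):
        findings.append(f"no {ext} header")

    return {"verdict": "block" if findings else "allow", "findings": findings}


# Constructed samples (not real files): a genuine MP4 header, a PE stub with a
# double extension, and a PE stub renamed to .mkv.
SAMPLES = {
    "trailer.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32,
    "Rise_of_Skywalker_HD.mp4.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "rip.mkv": b"MZ" + b"\x00" * 40,
}


def assess_samples() -> dict:
    return {name: assess_download(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in assess_samples().items():
        print(f"{name}: {result['verdict']} {result['findings']}")
```

The content check matters more than the name check: Windows hides known extensions by default, so "film.mp4.exe" is shown to the user as "film.mp4", but the "MZ" header is still there for a scanner to see.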


Citrix Bug Jeopardizes 80,000 Companies (CVE-2019-19781)

Citrix has announced a critical vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway which, if exploited, could allow an attacker to gain unauthorised remote access to an organisation's internal network and execute arbitrary code. Exploitation does not require any internal account or credentials, so it can be launched by an unauthenticated external party against any exposed appliance. Citrix has not released technical details of the bug, but it has confirmed that the vulnerability affects all supported product versions and platforms: Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and Citrix NetScaler ADC and NetScaler Gateway 10.5.

Citrix has urged affected customers to immediately apply the mitigation it has published for standalone systems and clusters. Note that this is a partial mitigation, not a fix: customers should still update all vulnerable appliances to patched firmware as soon as it is made available. In the meantime, CTRL Group recommends using intrusion detection systems to monitor traffic to internet-facing appliances for exploitation attempts.
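The monitoring recommended above needs a concrete rule to look for. The following is an added example (not code from the original post, from CTRL Group or from Citrix): a scanner over web-server access logs that flags requests whose URL-decoded path contains both "/vpns/" and "/../". That rule mirrors the logic of the mitigation Citrix published in its support article CTX267679; it is not taken from this post. The log lines are constructed samples, not real traffic, and the paths in them are placeholders rather than any particular exploit.

```python
"""Scan web-server access logs for CVE-2019-19781 exploitation attempts.

Added example, not code from the original post or from Citrix. The detection
rule mirrors the logic of Citrix's published mitigation (support article
CTX267679): a request whose URL-decoded path contains both "/vpns/" and
"/../". The log lines are constructed samples, not real traffic.
"""
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed samples: one normal portal request, two traversal attempts (one
# percent-encoded), and one ordinary /vpns/ request without traversal.
LOG_LINES = [
    '203.0.113.5 - - [23/Dec/2019:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1423',
    '203.0.113.5 - - [23/Dec/2019:10:01:03 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 512',
    '198.51.100.9 - - [23/Dec/2019:10:02:10 +0000] "POST /vpn/%2e%2e/vpns/example.pl HTTP/1.1" 200 0',
    '198.51.100.9 - - [23/Dec/2019:10:02:11 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 200 2048',
]


def is_traversal_attempt(path: str) -> bool:
    """True when the decoded path reaches /vpns/ through a parent-directory hop."""
    # Decode twice so that %252e%252e (double-encoded "..") is also caught.
    decoded = unquote(unquote(path)).lower()
    return "/vpns/" in decoded and "/../" in decoded


def scan_log(lines) -> list:
    """Return one dict per suspicious request, preserving the raw path for triage."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        if is_traversal_attempt(m["path"]):
            hits.append({"ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

The status code is the important triage field: once the Citrix mitigation is in place these requests should be answered with 403, so a 200 on a matching request means the appliance was exposed at the time and should be treated as potentially compromised, not merely probed.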


German cities under attack by Emotet botnet

The German city of Frankfurt am Main was attacked by the Emotet botnet. As a result, computer systems used by the city's services had to be temporarily taken offline. Similar attacks hit three organisations in other German cities: the Justus Liebig University in Gießen, the city administration of Bad Homburg, and the Catholic University in Freiburg. Emotet is malware designed to install other malicious software on infected devices. It is distributed primarily through phishing emails that carry either links to websites hosting malicious content or malicious attachments (PDF or Microsoft Word documents). The PDF documents contain links to malicious sites; the Word documents carry embedded macros together with instructions telling the recipient how to enable them. Frankfurt was hit hardest of all the victims: as a result of the infection, all of the city's computer systems and services were taken offline, including its website and the public transport ticketing service.

Frankfurt's IT systems became infected after an employee opened a malicious email attachment. The computers were shut down to remove Emotet as quickly as possible and to prevent a follow-on ransomware attack. The affected educational institutions have some 38,000 students and staff whose account passwords were reset and new passwords issued. Phishing emails are the predominant root cause of ransomware incidents. Employees should be vigilant about the emails they open. If a suspicious email is received, the IT team must be alerted, and neither the email nor any attachment or link in it should be opened. CTRL Group also recommends having an incident response plan that covers what to do during a ransomware event.
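Both Emotet delivery vehicles described above can be triaged automatically at the mail gateway, so that a user is never asked to make the "enable macros" decision. The following is an added example (not code from the original post or from CTRL Group) that classifies an attachment by its content rather than its extension: an Office Open XML document is opened as a zip and checked for a VBA project member, a legacy OLE binary document is quarantined for manual inspection, and a PDF has its link targets extracted. All sample documents are constructed in memory and are not real Emotet lures.

```python
"""Triage e-mail attachments for the two Emotet delivery vehicles the post
describes: Office documents carrying VBA macros and PDFs carrying links.

Added example, not code from the original post. All sample documents are
constructed in memory; they are not real Emotet lures.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
# In Office Open XML (docm/xlsm/pptm) a VBA project is a fixed zip member.
VBA_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
PDF_URI = re.compile(rb"/URI\s*\((?P<url>[^)]*)\)")


def pdf_links(data: bytes) -> list:
    """Extract /URI targets from an uncompressed PDF link action."""
    return [m["url"].decode("latin-1") for m in PDF_URI.finditer(data)]


def triage_attachment(data: bytes) -> dict:
    """Classify by content, never by extension, since lures rename files freely."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office: macros live in an OLE storage we cannot walk
        # here without an OLE parser, so quarantine for manual inspection.
        return {"verdict": "quarantine", "reason": "legacy OLE document"}
    if data.startswith(b"%PDF"):
        links = pdf_links(data)
        verdict = "quarantine" if links else "allow"
        return {"verdict": verdict, "reason": "pdf", "links": links}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {n.lower() for n in z.namelist()}
        if any(part in names for part in VBA_PARTS):
            return {"verdict": "block", "reason": "VBA macro project present"}
        if "[content_types].xml" in names:
            return {"verdict": "allow", "reason": "macro-free Office document"}
    return {"verdict": "quarantine", "reason": "unrecognised format"}


def _ooxml(parts: dict) -> bytes:
    """Build a minimal Office Open XML zip (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


SAMPLES = {
    "report.docx": _ooxml({"word/document.xml": "<w:document/>"}),
    # Named .docx but carries a macro project, as a lure would.
    "invoice.docx": _ooxml({"word/document.xml": "<w:document/>",
                            "word/vbaProject.bin": b"\x00" * 16}),
    "invoice.doc": OLE_MAGIC + b"\x00" * 504,
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Action /S /URI "
                    b"/URI (http://example.invalid/invoice) >> endobj\n"),
}


def triage_samples() -> dict:
    return {name: triage_attachment(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(name, result)
```

Two caveats for production use. The PDF regex only sees link actions stored in plain object bodies; real PDFs often keep them inside compressed object streams, so a gateway should use a proper PDF parser. And the legacy OLE branch deliberately quarantines rather than judges, because the page's own observation applies: the macro is what carries the payload, and it can be hidden in a ".doc" just as well as in a ".docm".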


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK