Microsoft Phishing Scam Exploits Iran Cyberattack Scare
Today is Wednesday, January 8th, 2020 and here are today’s most pressing cyber stories in under 5 minutes.
Microsoft Phishing Scam Exploits Iran Cyberattack Scare
An attacker is taking advantage of the recent warnings about possible Iranian cyberattacks by using them as the theme for a phishing campaign that tries to collect Microsoft login credentials.
With tensions rising between the United States and Iran, the U.S. government has been issuing warnings about possible Iranian cyberattacks, including attacks on critical U.S. infrastructure.
To exploit that heightened concern, the attacker created a phishing email that pretends to come from 'Microsoft MSA', carries the subject 'Email users hit by Iran cyber-attack' and warns that Microsoft's servers were hit by a cyberattack from Iran.
The email goes on to say that, in response, Microsoft was forced to protect its users by locking their email and data on its servers, and that recipients must log in again to regain full access. The 'log in' link is the credential harvester: anything typed into the page it opens goes to the attacker, not to Microsoft.
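The lure above combines a spoofed display name, a lockout story and a 'log in again' link. The following is an added example (not from the article and not Microsoft's code) of the kind of mail-gateway check that catches it: it parses a raw message with Python's standard email module, flags a 'Microsoft' display name sent from a non-Microsoft domain, flags links whose host is not a Microsoft domain, and notes the lockout wording. The two sample messages, the sender address and the link host are constructed for the example; the Microsoft domain allow-list is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine Microsoft account notice is sent from or links to.
# Assumption for this example: a short allow-list is enough; a real filter
# would also require the message to pass DKIM/DMARC for that domain.
MICROSOFT_DOMAINS = {
    "microsoft.com", "live.com", "outlook.com", "microsoftonline.com", "office.com",
}

# Lockout/urgency wording of the kind used in the lure described above.
URGENCY_PHRASES = ("locked", "log in again", "sign in again", "cyber-attack", "cyberattack")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Reduce a host name to its last two labels (adequate for the list above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_microsoft(host: str) -> bool:
    return registered_domain(host) in MICROSOFT_DOMAINS


def analyze_message(raw: str) -> list:
    """Return a list of findings for one raw RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Display name says Microsoft, envelope domain says otherwise.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if "microsoft" in display.lower() and not is_microsoft(sender_domain):
        findings.append(f"brand impersonation: {display!r} sent from {sender_domain!r}")

    # Replies steered to a different domain than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"reply-to domain differs from sender: {reply_to!r}")

    # Every link in the body should land on a Microsoft-owned host.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not is_microsoft(host):
            findings.append(f"login link points off-brand: {host}")

    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("lockout/urgency wording: " + ", ".join(hits))

    return findings


def is_phish(raw: str) -> bool:
    """Urgency wording alone is not enough; require a second, structural indicator."""
    findings = analyze_message(raw)
    return len(findings) >= 2 and any(not f.startswith("lockout") for f in findings)


# Constructed sample modelled on the lure described above; the sender
# address and link host are placeholders, not indicators from the campaign.
SAMPLE_PHISH = "\n".join([
    "From: Microsoft MSA <msa-alerts@example.net>",
    "To: user@example.org",
    "Subject: Email users hit by Iran cyber-attack",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Our servers were hit by a cyber-attack from Iran. To protect you we have",
    "locked your email and data on our servers. Log in again to regain full access:",
    "http://account-verify.example.net/login",
    "",
])

# Constructed benign notice from the real domain, for contrast.
SAMPLE_LEGIT = "\n".join([
    "From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>",
    "To: user@example.org",
    "Subject: Your Microsoft account activity summary",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Review recent activity at https://account.microsoft.com/activity",
    "",
])

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_phish(sample), analyze_message(sample))
```

Urgency wording is deliberately not enough on its own, since genuine lockout notices use the same words; the verdict needs a structural mismatch (sender domain or link host) as well. In a real gateway the allow-list check would be backed by DKIM/DMARC results, because the From header on its own can be forged.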
FBI Investigating How Town Defrauded of $1 Million
The FBI and local police are investigating how scammers posing as a contractor for a local bridge project tricked officials in a small Colorado town into electronically transferring over $1 million to a fraudulent account, according to the Denver Post. The town of Erie, population 18,000, is still attempting to recover the funds via its insurance coverage, the Post reports. Town officials and the FBI did not immediately reply to a request for comment.
A Dec. 30 internal email from Malcolm Fleming, Erie's town administrator, says the scam apparently started when a fraudster completed an electronic form posted on the town's website requesting a change in how SEMA Construction, the primary contractor for a local bridge project, would receive payment for its work, according to the Post. The requested change was to be paid by electronic funds transfer rather than by check, according to the local ABC affiliate, which also reviewed Fleming's message.
Town staff checked some of the information on the form for accuracy, but they did not confirm with SEMA Construction itself that the request was genuine, according to the television station. Instead, officials accepted the form and updated the payment method, the station reports.
Pulse Secure Says Critical April 2019 Patch Protects Against Sodinokibi Too
Some attackers have been targeting Active Directory credentials as part of their ransomware-infection efforts, as well as using Virtual Network Computing (VNC) to remotely control PCs and the free PsExec command-line tool to launch processes on remote systems.
"Earlier this week I've seen two notable incidents where they believed Pulse Secure was the cause of a breach, and used to deliver Sodinokibi," he wrote. "In both cases, the organizations had unpatched Pulse Secure systems, and the footprint was the same - access was gained to the network, domain admin was gained, VNC was used to move around the network (they actually installed VNC via PsExec, as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via PsExec."
On Saturday, Troy Mursch of Chicago-based threat intelligence firm Bad Packets reported that his internet scans had identified 3,825 Pulse Secure VPN servers still at risk because they have not been updated with the patch for a critical vulnerability, CVE-2019-11510, a pre-authentication arbitrary file read that lets an unauthenticated attacker pull files, including cached credentials, off the appliance.
"Several thousand Pulse Secure servers are still online, including extremely high-profile U.S. and U.K. companies," some of which are telecommunications firms and managed service providers, Beaumont tweeted on Saturday. "Patch."
The patch for Pulse Secure VPN servers has been available for months, as have the critical patches for VPN products from Fortinet and Palo Alto Networks, which have also needed updates for serious flaws since last year.
"Pulse Secure publicly provided a patch fix on April 24, 2019, that should be immediately applied to the Pulse Connect Secure (VPN)," Scott Gordon, chief marketing officer at Pulse Secure, says in a statement. "The CVE-2019-1150 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit. As we have communicated earlier, we urge all customers to apply the patch fix."
Malicious Google Play Apps Linked to SideWinder APT
Researchers have discovered a campaign exploiting CVE-2019-2215 that uses three malicious apps in the Google Play store to compromise target devices and collect users' data.
The campaign is linked to the SideWinder advanced persistent threat (APT) group, report Trend Micro's Ecular Xu and Joseph Chen in a blog post. SideWinder, first reported by Kaspersky Lab in the first quarter of 2018, primarily targets Pakistani military infrastructure and has been active since at least 2012. Security researchers believe the group is associated with Indian espionage interests, and it has a history of targeting both Windows and Android devices.
CVE-2019-2215 was disclosed in October 2019 by Maddie Stone of Google's Project Zero. The local privilege escalation vulnerability, a zero-day when it was published, affected hundreds of millions of Android phones at the time. A fix had gone into the upstream Linux kernel and several Android kernel branches in December 2017, but it had not been flagged as a security fix or given a CVE, and a new source code review showed that devices running newer Android releases were still vulnerable.
The use-after-free vulnerability is rated "high severity" and requires the target to install a malicious application, so an attacker would have to chain CVE-2019-2215 with another exploit, delivered via the browser or another attack vector, to infect and control a device remotely. Once code is running on the device, the bug allows a "full compromise," Stone explained.
While it was "highly likely" the bug was already being used in attacks last October, this is the first known active campaign using it in the wild, Xu and Chen report. The vulnerability lies in Binder, Android's main interprocess communication mechanism, and the three malicious apps used in the attack posed as photography and file manager tools.