by Richard Beck

Here is our cyber security news round-up of the week:

Water Nue BEC gang targets financial executives

Researchers report that a business email compromise (BEC) gang has targeted financial executives at more than a thousand companies around the world since March 2020. The group, dubbed Water Nue, uses spear-phishing emails that direct recipients to spoofed Office 365 login portals. After compromising an Office 365 account, the attackers will send "emails containing invoice documents with tampered banking information... to subordinates in an attempt to siphon money through fund transfer requests." The attackers rely on public cloud services to host their infrastructure, and they use legitimate cloud-based email distribution services to send their phishing emails. While the Water Nue gang isn't technically sophisticated, its techniques have been effective. So far, they've successfully stolen credentials from more than 800 of their targets.

NCSC issues celebrity scam alert

The UK's National Cyber Security Centre (NCSC) has issued a warning that criminals are stealing money from people with get-rich-quick schemes using phoney celebrity testimonials, and it's cost victims hundreds of millions a year. More than 300,000 malicious links advertising fake get-rich-quick schemes designed to trick people into handing their money to cyber criminals have been taken down in a crackdown by the NCSC.

The scams see fraudsters attempting to lure people into making bogus investments using false endorsements from celebrities such as Sir Richard Branson, suggesting they've made millions by buying and selling bitcoin or other cryptocurrency. Links to the scams are promoted in fake news articles on pages designed to look like they're being published by the real website of an actual newspaper or other legitimate publications. The articles, which are distributed by phishing emails and paid-for digital advertising, aim to trick victims into giving away their money or bank details to cyber criminals. Many of the scams were taken down after being reported to the NCSC's Suspicious Email Reporting Service, which has now received over 1.8 million reports of potentially criminal behaviour since being launched in April this year.

The Financial Conduct Authority says investment scams cost the public over £197m in 2018 alone and the NCSC is working with the City of London Police to help warn the public about the dangers posed by the schemes. Commander Clinton Blackburn of the City of London Police says:

"These figures provide a stark warning that people need to be wary of fake investments on online platforms. Celebrity endorsements are just one way that criminals can promote bogus schemes online. Criminals will do all they can to make their scams appear legitimate. It is vital you do your research and carry out the necessary checks to ensure that an investment you are considering is legitimate."

NSA and FBI issue a joint report on GRU malware

The US National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) on Thursday issued a very detailed joint report on a previously undisclosed set of Linux malware dubbed "Drovorub", which the report attributes to the Russian GRU's 85th Main Special Service Center (GTsSS), military unit 26165, more commonly known as APT28 or Fancy Bear. Drovorub consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. The malware can download and upload files, execute commands as root, and set up port forwarding with other systems on the network. The report offers comprehensive technical analyses of each component of the toolset, and it's detailed enough to suggest that the US has extensive visibility into GRU operations.

Interestingly, the report says "Drovorub", which translates to "woodcutter", is the name the GRU operators themselves assigned to the malware. Dmitri Alperovitch points out that "drova" is slang in Russian for "drivers" – as in kernel drivers. So the name likely was chosen to mean "(security) driver slayer".

Many observers expressed surprise and appreciation at the high level of detail in an NSA publication. The report states, "The release of this advisory furthers NSA's cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense information systems, and the Defense Industrial Base, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders."

Spain sees increased tax scams

On 11 August 2020, many Spaniards received emails claiming to be from the Spanish tax agency, Agencia Tributaria. These messages used false sender information such as the display name "Servicio de Administración Tributaria" and the email address contato@acessofinanceiro[.]com in order to trick recipients into believing they had received official communication from the tax agency. The link in these emails redirects to a domain that was registered on the same day, 11 August. Looking at the information provided by whois – a service that provides identifying information about domain name registrants – the registrant's country is listed as Brazil, which could perhaps indicate the whereabouts of the operators of this campaign.
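The three signals in that paragraph (a display name that impersonates the agency while the sender address lives elsewhere, a lure domain registered on the day the email arrived, and a registrant country that does not match the impersonated agency) make a compact phishing triage check. The example below is added here and is not code from the article or from the researchers it summarises. It assumes the common key-value whois layout ("Creation Date:", "Registrant Country:"), an illustrative set of legitimate Agencia Tributaria domains, and a constructed whois record and email for the lure domain; the real registrar output was not reproduced on the page.

```python
"""Triage checks for a suspected tax-agency phishing email.

Added example, not from the article. Assumptions: whois output uses the
"Key: value" layout shown below; the legitimate-domain set is illustrative;
the sample whois record and email are constructed, not real registrar data.
"""
from datetime import date, datetime
from urllib.parse import urlsplit

# Assumed legitimate sender/link domains for the impersonated agency.
LEGITIMATE_DOMAINS = {"agenciatributaria.gob.es", "agenciatributaria.es"}

# Constructed whois output for the lure domain (not real registrar data).
SAMPLE_WHOIS = """\
Domain Name: ACESSOFINANCEIRO.COM
Creation Date: 2020-08-11T09:12:44Z
Registrar: Example Registrar, Inc.
Registrant Country: BR
"""

# Constructed email metadata matching the campaign described in the text.
SAMPLE_EMAIL = {
    "from_name": "Servicio de Administración Tributaria",
    "from_addr": "contato@acessofinanceiro.com",
    "link": "http://acessofinanceiro.com/aeat/notificacion",
    "received": date(2020, 8, 11),
}


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def domain_age_days(whois_fields, as_of):
    """Days between the whois creation date and `as_of`; None if absent."""
    raw = whois_fields.get("creation date")
    if not raw:
        return None
    created = datetime.strptime(raw[:10], "%Y-%m-%d").date()
    return (as_of - created).days


def sender_domain(addr):
    return addr.rpartition("@")[2].lower()


def link_domain(url):
    return (urlsplit(url).hostname or "").lower()


def triage(email, whois_text, max_age_days=30, expected_country="ES"):
    """Return (code, message) findings; an empty list means nothing suspicious."""
    findings = []
    s_dom = sender_domain(email["from_addr"])
    l_dom = link_domain(email["link"])

    # Display name claims to be the tax agency but the address is elsewhere.
    if "tributaria" in email["from_name"].lower() and s_dom not in LEGITIMATE_DOMAINS:
        findings.append(("spoofed-sender",
                         f"display name impersonates the agency but sender domain is {s_dom}"))

    # The call-to-action link does not point at an agency domain.
    if l_dom not in LEGITIMATE_DOMAINS:
        findings.append(("untrusted-link", f"link points to {l_dom}"))

    fields = parse_whois(whois_text)

    # Lure domains are often registered days (here: the same day) before use.
    age = domain_age_days(fields, email["received"])
    if age is not None and age <= max_age_days:
        findings.append(("new-domain",
                         f"{l_dom} was registered {age} day(s) before the email arrived"))

    # Weak signal only: registrant country differs from the impersonated agency's.
    country = fields.get("registrant country")
    if country and country.upper() != expected_country:
        findings.append(("foreign-registrant", f"registrant country is {country}"))

    return findings


if __name__ == "__main__":
    for code, msg in triage(SAMPLE_EMAIL, SAMPLE_WHOIS):
        print(f"[{code}] {msg}")
```

The creation-date check is the one worth automating: a mail gateway or SOAR playbook can look up every first-seen link domain and hold messages whose domains are younger than a few weeks. The registrant-country check is kept separate and labelled as weak, because registrant data is often privacy-proxied or simply false.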

Researchers also observed a few campaigns of Mekotio, a Latin American banking trojan, being distributed the same way only a few days later. The infection chain in this campaign is typical for Latin American banking trojans. First, the operators place the file to be downloaded either on a compromised domain or in a cloud storage service such as Dropbox. The link in the spam email then directs the recipient to a Dropbox link from which the ZIP file can be opened or saved. Impersonating Spain's Agencia Tributaria or similar agencies is an old trick in the attackers' book and has been used for a long time, especially during tax season. However, even though the high season for income tax returns has already concluded, this year the technique has been used by Latin American banking trojans and other threats specialised in stealing data.

American university pays ransom to hackers

The University of Utah has agreed to pay nearly half a million dollars to thwart bad actors from publicly disclosing stolen information during a ransomware attack that took place last month. The news was revealed after the university released an official statement regarding the security incident.

“On Sunday, July 19, 2020, computing servers in the University of Utah’s College of Social and Behavioural Science (CSBS) experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible. The university notified appropriate law enforcement entities, and the university’s Information Security Office (ISO) investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks”.

Investigators initially concluded that hackers only encrypted data from the university’s College of Social and Behavioural Science (CSBS) department. It was later revealed that the culprits also managed to steal employee and student information.

Only 0.02% of the data on the servers was reportedly affected, and the university was eventually able to restore IT services and systems from back-up copies. Nonetheless, the university decided to pay the ransom demand with the help of its cyber insurance provider. The University of Utah said:

“This was done as a proactive and preventive step to ensure information was not released on the internet ... The university’s cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”

Since the university is still reviewing the incident to determine the nature of the affected data, CSBS students and employees are advised to monitor their financial statements for any fraudulent activity and periodically review and change online passwords.

“This incident helped identify a specific weakness in a college, and that vulnerability has been fixed,” the university added. "The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment. The university is also unifying the campus to one central active directory and moving college networks into the centrally managed university network. These steps, in addition to individuals using strong passwords and two-factor authentication, are expected to reduce the likelihood of an incident like this occurring again”.

Even though cybersecurity experts and law enforcement advise ransomware victims never to give in to extortion demands, in some cases organisations choose the easy way out. Paying the demands of cybercriminals does not guarantee full system recovery, nor that any stolen data will not be leaked online or sold to the highest bidder on the dark web.

Edited and compiled by QA's Director of Cyber, Richard Beck.
