Scammers Impersonate Barclays Bank in a New Phishing Scam

A new phishing scam that leverages the well-known Barclays bank has been identified recently. The purpose of the scam is to steal personal and financial information from users. The phishing scam is initiated using phishing emails that pretend to come from Barclays bank, noted My Online Security. The email tells users to update their personal and financial details as part of the company’s online security measures, and asks recipients to verify their account details by visiting a link embedded in the email. It is to be noted that victims can sometimes land on the genuine Barclays website, depending on the settings of the victim’s device. Cybercriminals use social engineering tricks to persuade users into opening the attachments that come with the email. Thus, it is recommended to cross-check the sender’s address and details in the email by contacting the firm directly, and to be wary of any site that invites you to enter personal or financial information unless it is from a reliable source.


New Cybersecurity Campaign ‘Keep I.T. Confidential’ Creates Awareness Among NHS Staff

NHS Digital has launched a new cybersecurity campaign dubbed ‘Keep I.T. Confidential’ in order to educate NHS staff on how to prevent and mitigate potential cyber threats and data breaches. This campaign aims to create awareness among NHS staff about the impact of cybersecurity threats on patient safety and care, and to educate them on what actions should be taken to combat these threats. The main purpose of this campaign is to ‘protect patient data’ from cybersecurity threats. NHS Digital also highlights the key cybersecurity threats against the NHS and its patients, which include weak passwords, phishing, tailgating, unlocked screens and social engineering. The campaign provides guidance and recommendations for NHS staff on how to protect patient data. In order to prevent unauthorized access to patient data, NHS Digital recommends that staff set strong, complex passwords that are difficult to crack. The campaign strongly recommends that NHS staff never allow unauthorized individuals into restricted areas. NHS staff are asked to lock screens and devices and always log out of systems when not in use, and never to click on any link or email attachment that comes from an untrustworthy source.


Majority of All Cloud Misconfigurations Go Unnoticed

McAfee researchers have published a new report titled “Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk.” The study surveyed 1,000 IT professionals across 11 countries, and cloud usage data from over 30 million McAfee Mvision cloud users was aggregated to compile the report. The report reveals that the vast majority (99%) of all Infrastructure-as-a-Service (IaaS) misconfigurations go unnoticed; only one percent of IaaS misconfigurations are reported. Almost 42% of storage objects measured with recorded DLP incidents are misconfigured. Over 90% of users face security issues with IaaS configurations, yet only 26% are equipped to deal with misconfiguration challenges. Addressing reported misconfigurations can take anywhere from longer than 24 hours to over a month. Researchers noted that misconfigurations that go unnoticed lead to an increased risk of data breaches. The report also lists the top ten most commonly misconfigured settings in AWS, the most popular IaaS provider, which include EBS data encryption, unrestricted outbound access, EC2 security group port configuration and several more. Meanwhile, cloud security experts from Palo Alto Networks have warned about the three most common AWS misconfiguration mistakes: allowing outbound traffic by default, allowing internet access to port 22 and allowing internet access to port 3389. In the rush toward IaaS adoption, many organizations overlook the shared responsibility model for the cloud, fail to report misconfigurations, and assume that security is taken care of completely by the cloud provider. However, users are equally responsible for the security of the infrastructure and the data stored in the cloud: the security of what customers put in the cloud, most importantly sensitive data, is their responsibility.
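The three Palo Alto Networks mistakes above, plus the “unrestricted outbound access” item from the McAfee list, are all visible in security group rules, so they can be checked mechanically. The following Python audit is an added example and is not code from either report; it works on rule dictionaries shaped like the `IpPermissions` / `IpPermissionsEgress` entries that EC2 `DescribeSecurityGroups` returns, but the three groups embedded below are constructed samples, not output from a real account.

```python
"""Audit security-group rules for the misconfigurations named in the reports:
SSH (tcp/22) or RDP (tcp/3389) reachable from the internet, and allow-all
outbound traffic. Sample groups are constructed, not real account data."""
from dataclasses import dataclass

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}
RISKY_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    severity: str
    message: str


def _port_range_covers(perm, port):
    # IpProtocol "-1" means "all traffic", so every port is covered.
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def _open_to_internet(perm):
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & INTERNET_CIDRS)


def audit_security_group(group):
    """Return Findings for one group; an empty list means no issue found."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        if not _open_to_internet(perm):
            continue
        for port, name in RISKY_ADMIN_PORTS.items():
            if _port_range_covers(perm, port):
                findings.append(Finding(gid, "HIGH", f"{name} (tcp/{port}) reachable from the internet"))
    for perm in group.get("IpPermissionsEgress", []):
        # Default egress rule: all protocols, all ports, to anywhere.
        if perm.get("IpProtocol") == "-1" and _open_to_internet(perm):
            findings.append(Finding(gid, "MEDIUM", "unrestricted outbound access (all protocols to 0.0.0.0/0)"))
    return findings


def audit_all(groups):
    return [f for g in groups for f in audit_security_group(g)]


SAMPLE_GROUPS = [
    {   # constructed: bastion with SSH open to the world and the default egress rule
        "GroupId": "sg-example-bastion",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                 "Ipv6Ranges": []}],
    },
    {   # constructed: RDP limited to an office range (documentation prefix), HTTPS-only egress
        "GroupId": "sg-example-winapp",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                           "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
        "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # constructed: "allow everything inbound" group
        "GroupId": "sg-example-open",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                           "Ipv6Ranges": []}],
        "IpPermissionsEgress": [],
    },
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"[{f.severity}] {f.group_id}: {f.message}")
```

The IPv6 check matters because a rule that is closed for `0.0.0.0/0` but open for `::/0` is still internet-facing, and the `-1` protocol handling is what catches the “allow everything” group even though it names no port at all.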


NIST Releases Enterprise Zero Trust Architecture Draft Document

The special publication discusses the components of a Zero Trust Architecture (ZTA) and provides use cases where ZTA can enhance the security posture of an enterprise. Zero Trust is a network or data architecture focused on data protection through limiting trust. In this architecture, both the user and the device are authenticated before a connection is established, and implicit trust is not granted to systems based on their physical or network locations. A Policy Decision Point (PDP) and a Policy Enforcement Point (PEP) are used to grant access to a resource. The focus of ZTA is on protecting resources, not network segments. The draft defines ZTA as follows: “Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.” ZTA has a different set of assumptions for the enterprise-owned and non-enterprise-owned network infrastructures it operates on. Certain gaps were identified in the current ZTA ecosystem in a survey conducted for the document. These gaps included a lack of common terms for ZTA, knowledge gaps, and the unavailability of a single solution that provides all the necessary components, among others. The publication’s stated purpose is to develop a technology-neutral set of terms, definitions, and logical components of network infrastructure, not to provide guidance on implementing ZTA.


Mac Malware Masquerades As Trading App To Steal Information

The popularity of trading apps and the ability of users to trade without interacting with any personnel gives cybercriminals an opportunity to trick unsuspecting victims by faking such apps. As a result, the trapped victims are robbed of their personal data. Trend Micro researchers reported two variants of the same malware family. The first sample contains shell scripts that allow it to perform malicious activities by connecting to a remote site to decrypt the encrypted code. The other instance appears straightforward in its routine but is, in fact, persistent in nature and avoids detection and removal. The researchers found that, upon execution of the app, a trading app interface appears on the screen while the app also executes bundled shell scripts in the Resources directory. The first sample is a ZIP archive containing an app bundle and a hidden encrypted file. A copy of the legitimate Stockfolio version 1.4.13, signed with the malware developer’s digital certificate, is included in the archive. The first of the scripts collects information on the infected system, such as IP address, installed apps and saved files, and other settings, to be sent to the attackers’ server. If a response is received from the server, it is written to another hidden file. The malware then runs a second script that copies additional files and also decodes and deletes others. It checks for the hidden file containing the server response and, as Trend Micro suspects, uses its content to decrypt a file that contains additional malicious routines. The second sample reportedly contains a much simpler routine; its single script collects usernames and IP addresses from the infected machines and sends the information to the attackers’ server. It drops several files and creates a simple reverse shell (on ports 25733-25736) to the command and control (C&C) server, allowing hackers to execute shell commands on the infected host. The sample also includes a persistence mechanism: a property list (plist) file that recreates the reverse shell every 10,000 seconds.
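The persistence described above is the standard launchd pattern: a property list that names a program and a `StartInterval`, which launchd re-runs on that schedule. The audit below is an added example, not Trend Micro’s code or the malware’s actual plist; it parses launchd job plists with the standard `plistlib` module and flags the traits a defender would look for (a shell interpreter with an inline command, a hidden dot-prefixed path, references to network clients, and a run-at-load plus fixed-interval schedule). Both plists it scans are constructed samples; the 10,000-second interval is taken from the write-up, the labels and paths are invented.

```python
"""Flag launchd agent/daemon plists showing beacon-style persistence traits.
Sample plists are constructed here, not recovered from real malware."""
import plistlib

SHELL_NAMES = {"sh", "bash", "zsh"}
# Substrings that indicate the job's command line talks to the network.
NETWORK_MARKERS = ("nc ", "ncat ", "/dev/tcp/", "curl ", "wget ", "python -c", "perl -e")


def _has_hidden_component(arg):
    # A path component beginning with "." (other than "." and "..") is hidden in Finder/ls.
    return any(p.startswith(".") and p not in (".", "..") for p in arg.split("/"))


def audit_launchd_plist(raw):
    """Return a list of reasons a plist looks suspicious; empty means nothing was flagged."""
    job = plistlib.loads(raw)
    args = [str(a) for a in (job.get("ProgramArguments") or [job.get("Program", "")])]
    cmdline = " ".join(args)
    reasons = []
    if args[0].rsplit("/", 1)[-1] in SHELL_NAMES and "-c" in args:
        reasons.append("shell interpreter invoked with an inline -c command")
    if any(m in cmdline for m in NETWORK_MARKERS):
        reasons.append("command line references a network client or /dev/tcp redirect")
    if any(_has_hidden_component(a) for a in args):
        reasons.append("command line references a hidden (dot-prefixed) path")
    if "StartInterval" in job and job.get("RunAtLoad"):
        reasons.append(f"runs at load and every {job['StartInterval']} seconds (beacon-like schedule)")
    return reasons


def audit_many(plists):
    """Map each plist name to its reasons, keeping only the ones that were flagged."""
    return {name: r for name, raw in plists.items() if (r := audit_launchd_plist(raw))}


# Constructed samples, serialized with plistlib so the XML is well-formed.
SAMPLE_PLISTS = {
    # hypothetical persistence job: shell -c, hidden script path, 10,000 s interval
    "com.example.constructed.updater.plist": plistlib.dumps({
        "Label": "com.example.constructed.updater",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/victim/.config/.agent.sh"],
        "RunAtLoad": True,
        "StartInterval": 10000,
    }),
    # hypothetical benign nightly backup job
    "com.example.constructed.backup.plist": plistlib.dumps({
        "Label": "com.example.constructed.backup",
        "ProgramArguments": ["/usr/local/bin/backup-tool", "--quiet"],
        "RunAtLoad": False,
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    }),
}

if __name__ == "__main__":
    for name, reasons in audit_many(SAMPLE_PLISTS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real host the same function would be run over the files in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; none of the individual traits is malicious on its own, so the value is in how many of them one job accumulates.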


Attackers Abuse Narrator Utility to Access Windows Systems

The attack is initiated by hackers delivering the Pcshare backdoor to potential victims. Researchers say that the backdoor has been tailored to the needs of this specific campaign, with additional command-and-control encryption and proxy bypass functionality. After gaining access to the machine, attackers have been observed installing various post-exploitation tools. One of these tools, called Fake Narrator, was found to be used to gain SYSTEM-level access to the victim’s machine by abusing Microsoft Accessibility Features. Narrator.exe is a screen-reader utility that ships with Windows; the attack replaces this utility with the hacker’s own Narrator version. This makes it possible for a remote threat actor to gain unauthenticated access to a command prompt running with system privileges via the remote desktop logon screen. In order to deploy the Trojanized Narrator, the attackers must first have obtained administrative privileges on the victim’s system. There is no concrete evidence of who is responsible for these attacks. However, the geographic location of the victims and the use of various Chinese open-source tools in the attack point to the possibility of Chinese-origin threat actors. The Pcshare backdoor was previously observed in attacks by a threat actor called Tropic Trooper, which is notorious for targeting government agencies and heavy industry companies in Taiwan and the Philippines. The research says that technology companies in South-East Asia have been affected by this group.
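Because the Trojanized Narrator ends up handing out a SYSTEM command prompt from the logon screen, the most reliable telemetry is process creation: an accessibility binary should never be the parent of a shell. The Python detector below is an added example (not code from the research) that runs over constructed process-creation records with Sysmon-style `Image` / `ParentImage` / `User` fields; it generalizes slightly beyond the article by covering the other Windows accessibility binaries that can be abused the same way. The records, users and paths are all invented. It does not verify the integrity of `Narrator.exe` itself; comparing the file’s hash or Authenticode signature against a known-good baseline is the complementary check, since a replaced binary in `System32` keeps its legitimate path.

```python
"""Flag process-creation events consistent with accessibility-feature abuse.
Event records below are constructed samples, not real telemetry."""
import ntpath

# Windows accessibility helpers that can be reached from the logon screen.
ACCESSIBILITY_BINARIES = {"narrator.exe", "sethc.exe", "utilman.exe", "osk.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def _base(path):
    # ntpath handles backslash paths on any host OS; Windows names are case-insensitive.
    return ntpath.basename(path).lower()


def _in_system32(path):
    return path.lower().startswith(SYSTEM_DIR + "\\")


def evaluate_event(ev):
    """Return a list of alert strings for one process-creation event."""
    image, parent = ev["Image"], ev["ParentImage"]
    alerts = []
    if _base(parent) in ACCESSIBILITY_BINARIES and _base(image) in SHELLS:
        alerts.append(f"{_base(parent)} spawned {_base(image)} as {ev.get('User', '?')} "
                      "(accessibility-feature abuse)")
    if _base(image) in ACCESSIBILITY_BINARIES and not _in_system32(image):
        alerts.append(f"{_base(image)} running from unexpected path {image}")
    return alerts


def scan(events):
    """Evaluate every event and return (timestamp, alert) pairs."""
    return [(ev["UtcTime"], a) for ev in events for a in evaluate_event(ev)]


# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # legitimate: Narrator started by the accessibility broker at the logon screen
        "UtcTime": "2019-09-30 08:00:01", "Image": r"C:\Windows\System32\Narrator.exe",
        "ParentImage": r"C:\Windows\System32\AtBroker.exe", "User": "NT AUTHORITY\\SYSTEM",
    },
    {   # suspicious: Narrator handing out a SYSTEM command prompt
        "UtcTime": "2019-09-30 08:00:05", "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\Narrator.exe", "User": "NT AUTHORITY\\SYSTEM",
    },
    {   # benign: an interactive user opening a shell from Explorer
        "UtcTime": "2019-09-30 09:12:44", "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
    },
    {   # suspicious: a Narrator binary staged outside System32
        "UtcTime": "2019-09-30 09:15:10", "Image": r"C:\Users\Public\Narrator.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
    },
]

if __name__ == "__main__":
    for ts, alert in scan(SAMPLE_EVENTS):
        print(ts, alert)
```

The parent/child rule fires regardless of which accessibility binary was replaced, which is why the set is broader than Narrator alone; the path rule catches a staged copy before it is swapped in, but not the swap itself.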


Edited and compiled by cyber security specialist James Aguilan.