New Malware Is Coming Through Messaging Apps

As if your stressed IT staff didn’t have enough to deal with, there’s a new threat to be on the lookout for.

Researchers at the antivirus company Avast have discovered a new strain of malware that can spread by way of Skype and Facebook Messenger spam messages. The malware, called “Rietspoof” is described as a multi-stage malware strain.

It was first discovered back in August of last year, and until recently, didn’t raise any eyebrows because it was seldom used. That has now changed.  There’s been a notable uptick in the number of instances of Rietspoof detected on the web.

As malware goes, Rietspoof by itself isn’t all that threatening.  Its goal is merely to infect as many devices as possible, serving as a bridge between an infected device and a command and control server that allows other strains of malware to be systematically injected onto infected systems.

Rietspoof accomplishes this goal by placing a shortcut (LNK file) in the Windows Startup Folder. This is one of the critical folders that Avast and other major antivirus programs monitor rigorously. However, Rietspoof has managed to slip through the cracks, bypassing security checks because it is signed with legitimate certificates.

The malware’s infection cycle consists of four discrete steps. Three of them are dedicated to establishing a Rietspoof beachhead on a target system, and the fourth is reserved for the downloading of more intrusive and destructive malware strains.

According to the research team that discovered it, since they first began tracking the malware, it has undergone a number of incremental changes. That lead them to the conclusion that Rietspoof is a work in progress and currently undergoing testing and further development.

Although it may have limited functionality now, that could very easily change as the hackers behind the code continue to modify it.  Be sure your IT staff is aware, and stay vigilant!

 

Malware Stealing Usernames And Passwords At Alarming Rates

Much discussion has been had about the fact that hackers are becoming increasingly sophisticated, and their methods ever-increasing in their complexity.  While that’s certainly true, more complex isn’t always better.

Take, for example, the malware called Separ, which is a credential-siphoning bit of code, first detected in late 2017.

Separ has benefitted from ongoing development by the hackers controlling it, but what sets it apart from other malware strains is that it’s almost deceptively simple, and that simplicity is a big part of its success.

The program is surprisingly good at evading detection, thanks to clever use of a combination of short scripts and legitimate executable files that are commonly used for completely benign purposes. This allows them to blend in and be utterly overlooked by most detection routines.

The most recent iteration of the software is embedded in a PDF.  When an unsuspecting user clicks to open the file, Separ runs a chain of other apps and file types commonly used by System Admins.  The initial double click runs a simple Visual Basic Script (VBS), which in turn, executes a batch script.

The batch script sets up several directories and copies files to them. Then it launches a second batch script, which opens a decoy image to high command windows, lowers firewall protections, and saves the changes to an ‘ipconfig’ file.

Then, it gets down to its real work, again, relying on completely legitimate executables to collect passwords and move them to the hackers’ command and control server.

According to Guy Propper, (the team lead of Deep Instinct’s Threat Intelligence group):

“Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective. The use of scripts and legitimate binaries, in a ‘living off the land’ scenario, means the attacker successfully evades detection, despite the simplicity of the attack.”

Be sure your IT staff aware.  It’s not always the most complex forms of malware that can get you.

Another Point Of Sale Data Breach Hits Retailers

Another week, another data breach. This time, the target of the breach was North Country Business Products (NCBP), a company that makes point of sale (POS) terminals for businesses.

Although NCBP was the target, they weren’t the ultimate victims of the breach. Hackers infiltrated NCBP’s network and installed malware onto the company’s POS terminals.

These were then sold to businesses around the country. In all, according to the latest information published by NCBP about the incident, a total of 139 business locations received these poisoned POS terminals. This allowed hackers to gain control of any payment information processed through those terminals.

In all, NCBP POS systems are installed in more than 6500 locations nationwide, meaning the scope and scale of this breach was approximately 2 percent of the company’s installed terminal base.

So far, North Country’s handling of the incident has been admirable. The breach occurred on January 3rd, 2019. The company discovered it on January 30th, but noted that the attackers ceased all activity on January 24th when they began detecting investigators probing for their presence.

NCBP has informed law enforcement, enlisted the aid of a third-party forensic investigator, and have published a list of all infected POS terminals on their website. All of the invested terminals are bars, coffee shops, or restaurants, with an even mix of standalone businesses and franchises.

The investigation into the matter is still ongoing. As yet, NCBP and the agencies assisting them have not determined exactly what the impact is or has been for each of the affected businesses.

All that to say, if you own an NCBP POS device, be sure to head to the company’s website to find out if your business is on the list of impacted customers. If so, you may have already been contacted by the company.

Safari On Mac Now Vulnerable To Browser History Theft

There’s a new macOS security flaw you and your staff need to be aware of.  It was discovered by Jeff Johnson, the developer of the Underpass app for both Mac and iOS, and the StopTheMaddness Safari browser extension.

Fortunately, the new flaw is not one that can be exploited remotely.  Users would have to be tricked into installing a malicious app via social engineering or other tricks.

On the other hand, the flaw is critical and impacts all known macOS Mojave versions.

Mr. Johnson had this to say about the matter:

“On Mojave, certain folders have restricted access that is forbidden by default.  For example, ~/Library/Safari.  In the Terminal app, you can’t even list the contents of the folder.  However, I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user.  There are no permission dialogs.  It Just Works.  In this way, a malware app could secretly violate a user’s privacy by examining their web browser history.”

Johnson reached out to Apple privately and shared the full details of the flaw, but refused to provide more details than the above to the general public, saying that since the issue has yet to be patched, he does not want to put macOS users at risk.

Although Apple has formally acknowledged his report, the company has to this point provided no information on some things. This includes what level of importance they’re giving a fix for the issue, and what their time frame might be in terms of issuing a fix.

It’s a serious issue, no doubt, but there’s a lack of public details about it. The fact that it can’t be executed remotely suggests it’s not as big a threat as it could be.  Even so, be mindful of it until Apple issues a fix.

Email Provider VFEmail Had All Data Destroyed By Attacker

Do you use VFEmail?  If so, we’ve got bad news for you.

Hackers have successfully attacked the system and wiped all data from all of its servers in the US.

All data on those servers has been lost.  That means every email you had in your inbox and everything you had archived is gone.

According to a company spokesman, “At this time, the attacker has formatted all the disks on every server.  Every VM is lost.  Every file server is lost.  Every backup server is lost.”

The hackers made no attempt to lock files and ransom them.  They simply went in and destroyed, opting for maximum damage, and they succeeded. Although attempts are being made to restore the data, the outlook isn’t good.  Odds are overwhelmingly against anyone ever getting so much as a single email back.  Even if some data is ultimately recovered, users should not expect to get more than a fraction of their data back.

At this point, the company’s website is up and running again, but all of its secondary domains are down. These include:

  • Toothandmail.com
  • Powdermail.com
  • Openmail.cc
  • Offensivelytolerant.com
  • Metadatamitigator.com
  • Manlymail.net
  • Clovermail.net
  • Mail-on.us
  • Chewiemail.com

When you log onto your VFEmail account, you’ll be greeted with an empty inbox.

This isn’t the first time that VFEmail has come into the crosshairs of a hacking group.  In late 2015 a group called the Armada Collective targeted VFE and others with a massive DDoS attack, demanding ransom payments to halt the attack.  Unfortunately, this time, the hackers weren’t interested in taking prisoners or making money.

Sadly, this isn’t the first time a company has been brought to almost complete destruction.  In 2014, a company called Code Spaces was forced to close its doors when hackers breached their system and did the same thing.

If it can happen to Code Spaces and VFEmail, it can happen to your company too.  Beware.