Phishing Exploits Windows, CISA Scam Alert, Cleveland Cyber Response – Cybersecurity News [June 10, 2024]
We’re back with the latest in cybersecurity in this week’s news piece. This week brought several notable threats: phishing emails that exploit a weakness in Windows Search to deliver malware, impersonation scams by people pretending to be from CISA, a cyberattack that shut down many government services in Cleveland, a new Windows malware called Warmcookie that spreads through fake job postings, and a blood shortage in London hospitals caused by a ransomware attack. Here’s everything you need to know about them.
Phishing Emails Exploit Windows Search Protocol to Deliver Malicious Scripts
A new phishing campaign is using HTML attachments to abuse the Windows search protocol to deliver malware.
The Windows search protocol is a URI (Uniform Resource Identifier) scheme that allows applications to open Windows Explorer with a search already running. Most such searches target the local drive index, but threat actors can force the search to query file shares on remote hosts as well. Threat actors are using this to serve malicious files and carry out potent attacks.
Researchers at Trustwave have reported an ongoing campaign in which the threat actors send malicious emails with HTML attachments. The attachments pose as invoice documents placed within a ZIP file, which helps them evade security and antivirus scanners. When the HTML document is opened, it automatically opens a malicious URL via a meta tag refresh.
If the refresh fails, there’s also an anchor tag with a clickable link. The URL uses the Windows search protocol and performs a search on a remote host, from which it retrieves a shortcut LNK file. Clicking the shortcut launches a malicious batch script hosted on the same server.
The researchers could not determine exactly what this batch file does, but it cannot be anything good. It’s best to stay away from unsolicited emails and take proper phishing protection measures.
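As an added example (not code from the article or from Trustwave’s report), here is a small Python check a mail-filtering or triage pipeline could run over an HTML attachment: it collects meta-refresh and anchor targets, flags any that use the search-ms: URI scheme, and reports the remote share the search is pointed at. The HTML sample and the 203.0.113.10 host are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
import re
from urllib.parse import unquote

# Constructed sample resembling the described lure: an automatic meta refresh
# plus a clickable anchor fallback. The host is a documentation-range
# placeholder (RFC 5737), not a real indicator from the campaign.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=invoice&amp;crumb=location:%5C%5C203.0.113.10%5Cshare&amp;displayname=Downloads">
</head><body>
<a href="search-ms:query=invoice&amp;crumb=location:%5C%5C203.0.113.10%5Cshare">Open invoice</a>
<a href="https://example.org/legit">Company site</a>
</body></html>"""


class _TargetCollector(HTMLParser):
    """Collects every navigation target: meta-refresh URLs and anchor hrefs."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0; url=<target>"
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"].strip()))


def find_search_protocol_targets(html):
    """Return (source, decoded_uri, remote_share_or_None) for each search-ms: target."""
    collector = _TargetCollector()
    collector.feed(html)
    hits = []
    for source, uri in collector.targets:
        decoded = unquote(uri)  # lures may percent-encode the UNC backslashes
        if not decoded.lower().startswith("search-ms:"):
            continue
        # crumb=location:\\host\share scopes the search to a remote share,
        # which is what lets the lure pull the LNK from the attacker's host
        m = re.search(r"crumb=location:(\\\\[^&\s]+)", decoded, re.I)
        hits.append((source, decoded, m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for hit in find_search_protocol_targets(SAMPLE_HTML):
        print(hit)
```

Any hit with a non-empty remote share is a strong signal to quarantine the message; legitimate invoices have no reason to open a Windows search against an external host.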
CISA Alerts on Scammers Posing as Its Employees in Phone Calls
This week, CISA (Cybersecurity and Infrastructure Security Agency) issued an alert that threat actors are impersonating its employees on phone calls and deceiving victims to steal their funds.
Threat actors have started a new trend of lending legitimacy to their scams by using the names and details of government employees. It seems that even CISA is not safe, as it warned in its alert. CISA said it is aware of recent impersonation scammers posing as individuals from the agency, and clarified that official staff will never contact anyone with a request to wire money, cash, cryptocurrency, or gift cards.
CISA also advised that if you receive one of these calls, you should not give in to the demands and should note down the scammer’s number. You can verify the contact by calling CISA at 844-729-2472 (844-SAY-CISA) and report the scam attempt to law enforcement.
The FTC (Federal Trade Commission) also issued a warning back in March about scammers impersonating FTC employees to defraud citizens of their hard-earned money. Many people fell victim to these scams, where the scammers posed as FTC staff and used social engineering tricks to dupe them out of their finances.
The losses of impersonation scams crossed $1.1 billion in 2023, which is a 300% increase from 2020.
Cleveland Halts Systems in Response to Cyberattack
The City of Cleveland was the victim of a cyberattack this week and is still recovering.
The cyberattack has forced the City to take down major citizen-facing services, including public offices and facilities. Cleveland is a significant center for the healthcare, manufacturing, finance, logistics, education, and technology sectors, so the attack is causing major disruption. The City’s authorities warned the public that all public services had been reduced to essential operations only as a result of the cyber incident.
The incident is still being investigated by officials with the help of third-party experts. The City stated that no information from the public utility service database was accessed by the threat actors, and that the incident did not impact emergency services like police, ambulance, fire, and travel.
The authorities will keep sharing updates as more information comes to light, but no ransomware gang has claimed responsibility for the attack yet. You can call the officials at 311 for more information.
Warmcookie Windows Backdoor Spread Through Fake Job Opportunities
There’s also a new Windows malware circulating in corporate networks via fake job offer phishing campaigns.
The malware is named Warmcookie, and it was discovered by Elastic Security Labs while analyzing the new campaign. The malware is capable of capturing screenshots and deploying additional payloads.
The attacks start with phishing emails carrying fake job and recruitment offers. Some of these are spear phishing emails personalized with the names and current employer information of the victims.
The emails contain a link advertised as leading to the job agency’s internal recruitment platform, but it actually takes you to a phishing page mimicking the official portal. These portals include a CAPTCHA, and once you complete it, a JavaScript file is downloaded that fetches the malware and copies it to the system. The malware then establishes contact with the threat actor’s C2 (Command and Control) server and starts fingerprinting the victim’s system. It can do a great deal of harm: it can retrieve victim information, capture screenshots, enumerate installed programs, execute commands, and exfiltrate other data.
Warmcookie has been out in the wild for quite some time and was also discovered by eSentire in 2023.
London Hospitals Experience Blood Shortage Due to Synnovis Ransomware Attack
NHSBT (NHS Blood and Transplant) in England has also issued an urgent call for O Positive and O Negative blood donors to book appointments after the ransomware attack.
Last week, a cyberattack by the Russian threat actor group Qilin on the pathology provider Synnovis impacted many hospitals in London. At the time, it halted blood transfusions and resulted in cancellations or rescheduling for patients.
Now, the NHS has announced that the affected hospitals are unable to match blood donor and recipient types at their usual pace, so transfusions cannot be matched as reliably, which could threaten patients’ lives. For patients who could not wait, doctors opted to use O Negative and O Positive blood reserves for safe transfusion, which has depleted the reserves of these types.
Synnovis has not given any updates regarding the cyberattack since 4 June, but the NHS is asking individuals with either of these blood types to donate. Do call and book an appointment, as your contribution will save a life.