This week’s cyber headlines cover several significant developments, updates, and patches. Read on for the top cybersecurity stories from the past week.

Kaspersky Reports Why Cyberattackers Target ICS Networks

Much has been said about the vulnerability of businesses’ IT and OT networks, but the latest Kaspersky ICS CERT report shows that in recent years adversaries have increased their attacks on Industrial Control System (ICS) networks. The attackers primarily aim to steal sensitive corporate data from these networks, which is then used for financial and other fraud. In a typical attack, adversaries send spear-phishing emails to the contacts of an already compromised corporate mailbox. They rely on spyware such as HawkEye, Azorult, Agent Tesla, and Snake Keylogger to infect victim devices, steal data, and then spread further within the network.

Kaspersky notes that most of these attacks are conducted by small, low-skilled groups engaged primarily in financial fraud. However, some of these actors pursue higher stakes, hunting for credentials that grant access to corporate networks. Kaspersky’s research found that over 2,000 corporate email accounts at industrial organizations have been compromised so far, and it identifies over 25 dark-web marketplaces selling the credentials stolen in these attacks. With industrial networks now a popular target, Kaspersky advises operators of ICS networks to adopt controls such as multi-factor authentication (MFA) on corporate accounts.


High Severity Vulnerability Detected in WordPress WP HTML Mail Plugin

Cybersecurity researchers at Wordfence have discovered a high-severity flaw in the WordPress WP HTML Mail plugin, which is installed on over 20,000 sites. If exploited, it could let an adversary inject code and distribute phishing emails. WP HTML Mail is used to design contact-form notifications, custom emails, and other tailored messages that websites regularly send to their customers and audience. It is popular because it integrates with tools such as Ninja Forms, WooCommerce, and BuddyPress. Despite the plugin’s modest install base, the vulnerability still poses a significant threat because the cumulative audience of those sites runs into the hundreds of thousands.

Wordfence reports that unauthenticated attackers could easily exploit the vulnerability, tracked as CVE-2022-0218, to modify an email template with arbitrary data of their choice. Because the template is used for the site’s outgoing mail, the flaw also lets attackers send phishing emails to anyone registered on a compromised site.

Wordfence notified the plugin developers of the vulnerability on 23 December 2021, and the fix shipped in version 3.1 of the plugin on 13 January 2022. All WordPress site admins and owners running WP HTML Mail should update to version 3.1 or later as soon as possible.


Singaporeans Beware of New Scam Messing With Google Search Results

The Singapore Police Force (SPF) has released an advisory warning the public about fake bank hotline numbers that appear in Google search results. The scam has cost victims over $367,775 since December last year. The SPF is urging people to be wary of this attack vector, which targets users of Google’s search platform.

In a typical scam, fraudulent ads carrying fake bank contact details appear in Google search results when users look up a bank’s hotline number. An unsuspecting user who calls one of these numbers reaches a scammer posing as a bank employee, who convinces the victim that there is a problem with their account. Victims naturally panic and do whatever the impersonator instructs. They are then told to transfer all their funds to another account, which the scammers claim belongs to the bank, until the issue is resolved. To make the scam more convincing, the scammers also send victims SMS alerts with spoofed sender IDs matching the bank’s.

Victims typically only discover the fraud when they contact the bank through one of its legitimate hotline numbers, or when the bank calls them to ask about the large transfers. The safe practice is to take a bank’s hotline number from the back of a bank card or the bank’s official website rather than from a search ad. The advisory indicates that over 470 OCBC Bank customers have lost more than SGD 8.5 million to bank-impersonation scams of this kind. The Monetary Authority of Singapore (MAS) has since introduced additional security measures in response to this scheme.


McAfee Fixes High Severity Flaw

McAfee (now part of Trellix) has fixed a high-severity vulnerability, CVE-2022-0166, in its McAfee Agent software for Windows. The vulnerability could let a local attacker escalate privileges and run arbitrary code with SYSTEM privileges. McAfee Agent is the client-side component of McAfee ePolicy Orchestrator (McAfee ePO); it downloads and enforces policies and executes client-side tasks such as product deployment and updating.

The flaw was discovered by Will Dormann, a vulnerability analyst at CERT/CC. According to McAfee’s advisory, the vulnerability affects Agent versions prior to 5.7.5: the agent’s OpenSSL component specifies an OPENSSLDIR path that resolves to a subdirectory within the installation directory, and a low-privileged user who can write to that location can plant a malicious openssl.cnf that the agent loads when it runs as SYSTEM. The fix shipped in McAfee Agent 5.7.5, released on 18 January 2022. Besides updating, administrators should confirm that the directory in question is not writable by standard users and does not contain an openssl.cnf they did not place there.
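As an added example (not McAfee’s or CERT/CC’s code), the following PowerShell check lets an administrator audit, on a Windows host, a directory that a SYSTEM-level service treats as OPENSSLDIR: it reports whether any broad principal such as Users or Authenticated Users holds write rights on it, and whether an openssl.cnf is already present. The directory path used in the usage line is a placeholder assumption; take the real one from the vendor advisory or the product’s OpenSSL configuration.

```powershell
# Added example, not vendor code: audit a directory that a SYSTEM-level service uses as OPENSSLDIR.
# If standard users can write here, they can plant openssl.cnf and have it loaded with SYSTEM privileges.

function Test-OpensslDirExposure {
    param(
        # Directory the service resolves as OPENSSLDIR.
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Principals that every local, low-privileged user is a member of.
    $broadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow creating or overwriting files in the directory.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{
            Path              = $Path
            Exists            = $false
            WritableByLowPriv = $false
            RiskyGrants       = @()
            OpensslCnfPresent = $false
        }
    }

    $acl = Get-Acl -LiteralPath $Path
    $risky = @(foreach ($ace in $acl.Access) {
        # Only Allow entries for broad principals that carry at least one write bit matter.
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band ([int]$writeRights)) -ne 0) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    })

    [pscustomobject]@{
        Path              = $Path
        Exists            = $true
        WritableByLowPriv = ($risky.Count -gt 0)
        RiskyGrants       = $risky
        # An openssl.cnf that you did not place here is a sign of attempted hijacking.
        OpensslCnfPresent = Test-Path -LiteralPath (Join-Path $Path 'openssl.cnf')
    }
}

# Usage. The path is a placeholder assumption; substitute the real OPENSSLDIR from the vendor advisory.
Test-OpensslDirExposure -Path 'C:\Example\Agent\openssl' | Format-List
```

A result with WritableByLowPriv set to true means the directory’s ACL needs tightening regardless of which product owns it; the same check applies to any Windows service that loads an OpenSSL configuration while running as SYSTEM.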


Are Fixed Vulnerabilities Really Fixed?

One might assume that a patched flaw is history, but a critical-severity vulnerability in SonicWall’s Secure Mobile Access (SMA) gateways, patched last December, is reportedly being exploited in ongoing attacks. The vulnerability, tracked as CVE-2021-20038, was discovered by Jacob Baines, lead security researcher at Rapid7. It is a stack-based buffer overflow affecting SMA 100 series appliances (SMA 200, 210, 400, 410, and 500v) and is exploitable even with the appliance’s web application firewall (WAF) enabled. Successful exploitation gives a remote attacker code execution on the targeted appliance.

When it released the patch last December, SonicWall urged all customers to apply it and said it had no evidence of exploitation. NCC Group security consultant Richard Warren now reports that the vulnerability is being exploited in the wild. SonicWall responds that it is actively monitoring the situation and has not observed any successful exploitation of CVE-2021-20038 against SMA 100 appliances. The patch does address the flaw; the exposure is on appliances that remain unpatched, so administrators of SMA 100 series devices should confirm they are running fixed firmware.


Beware of Chinese Threat Actor Earth Lusca

A Chinese threat group called ‘Earth Lusca’ has been found to have conducted both cyber-espionage against strategic targets and financially motivated attacks for several years. The Earth Lusca APT targets organizations of interest to the Chinese government in order to collect intelligence. Its primary targets include educational, government, telecommunications, media, religious, and COVID-19 research organizations in countries including Thailand, the UAE, Nigeria, Taiwan, Vietnam, the Philippines, and Mongolia. The group’s financially motivated attacks mainly targeted Chinese gambling entities and various cryptocurrency platforms.

Interestingly, Earth Lusca’s tooling and techniques closely resemble those of another threat group, APT41. In a typical intrusion the group deploys Cobalt Strike early in the attack chain, followed by tools such as Behinder, Doraemon, FunnySwitch, AntSword, Winnti, and ShadowPad. Because groups like Earth Lusca target organizations across many sectors, defenders should harden their environments in advance rather than wait to be targeted. Experts advise ingesting the published IOCs and leveraging shared threat intelligence to improve detection.
