Shearwater Security Report | December 2019



Each month Shearwater’s Managed Security Services Team brings you the latest Threats, Breaches and Industry News from Australia and around the world.

Read this month’s Security Report to learn about:

• Current Threats and Exploits
• Recent Breaches
• Staying Safe with IoT Devices
• Securing APIs
• A Phishy Smell in Parliament

Current Threats and Exploits

❖ New Ransomware Threat

Beware of emails claiming to be from Microsoft urging you to install a Windows 10 update.

Security researchers have discovered a new malicious campaign that spoofs Microsoft emails and infects the recipient’s system with the Cyborg ransomware. Targeted users first receive an email with the subject line ‘Install Latest Microsoft Windows Update now!’ or ‘Critical Microsoft Windows Update!’. That alone should raise suspicion: Microsoft delivers Windows updates through Windows Update inside the operating system, never as an email attachment.

The email contains just one line of text which reads: ‘Please install the latest critical update from Microsoft attached to this email’.

Unusually, the fake update attachment has a .jpg file extension. It is not a picture, however, but an executable. Running the attachment downloads a file called ‘bitcoingenerator.exe’ from a GitHub account named ‘misterbtc2020’.

Once activated, the ransomware encrypts the files on the infected system and appends its own extension, .777, to each filename. A ransom note named ‘Cyborg_DECRYPT.txt’ is then left on the desktop of the compromised machine, and a copy of the ransomware called ‘bot.exe’ is hidden at the root of the infected drive.

The fact that the ransomware was hosted on GitHub is significant: anyone could obtain it and build their own variant of Cyborg, so many versions could end up in the wild.
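The two tells in this campaign, a known subject line and an attachment whose name says picture while its bytes say Windows executable, can both be checked mechanically before a user ever sees the mail. The following is an added example written for this report, not code from the researchers or from any mail product; it goes beyond the .jpg case to a general file-signature check, and the message samples at the bottom are constructed stub headers, not real malware.

```python
"""Added example: screen a mail message for the Cyborg lure described above.
Checks the subject line against the reported lures and verifies that each
attachment's content matches its extension using file signatures rather than
trusting the file name. Sample data at the bottom is constructed."""

# File signatures ("magic bytes"). A Windows PE executable starts with "MZ";
# a JPEG starts with FF D8 FF; Office documents are zip containers ("PK").
MAGIC = [
    (b"MZ", "executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"PK\x03\x04", "zip"),
]
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
IMAGE_KINDS = {"jpeg", "png", "gif"}

# Subject lines the report attributes to this campaign (compared case-insensitively).
LURE_SUBJECTS = {
    "install latest microsoft windows update now!",
    "critical microsoft windows update!",
}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan_message(subject: str, attachments: dict) -> list:
    """Return a list of findings for one message; an empty list means nothing matched.

    attachments maps file name -> raw bytes.
    """
    findings = []
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append("subject matches a known fake Windows Update lure")
    for name, data in attachments.items():
        ext = extension_of(name)
        kind = sniff_type(data)
        if kind == "executable":
            disguise = f" disguised with a .{ext} extension" if ext != "exe" else ""
            findings.append(f"{name}: Windows executable (MZ header){disguise}")
        elif ext in IMAGE_EXTENSIONS and kind not in IMAGE_KINDS:
            # Not a known executable, but still not the image the name claims.
            findings.append(f"{name}: .{ext} extension but content looks like {kind}")
    return findings


# Constructed samples: a stub PE header and a stub JPEG header, not real files.
FAKE_UPDATE_JPG = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
REAL_PHOTO_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 50

if __name__ == "__main__":
    for subject, atts in [
        ("Critical Microsoft Windows Update!", {"update.jpg": FAKE_UPDATE_JPG}),
        ("Holiday photos", {"beach.jpg": REAL_PHOTO_JPG}),
    ]:
        print(subject, "->", scan_message(subject, atts) or ["clean"])
```

The signature table is deliberately short; a production gateway would use a full library such as libmagic, but the principle is the same: the extension is attacker-controlled, the first bytes of the file are not.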


❖ Windows 10 Preview Pane Bypasses Word Protected View

Word Protected View is a mode in which Microsoft Word opens untrusted documents read-only and prevents dynamic content, such as macros and remote content, from executing automatically on the user’s computer. It was introduced to protect users from content that can infect the host or call out to remote hosts over HTTP or SMB to request resources.

Word Protected View is enabled by default when a document comes from an untrusted location, such as a file downloaded from the Internet (Windows records this with the Mark of the Web), and must be explicitly disabled by the user by clicking ‘Enable Editing’.

Recently, security researchers discovered that the Windows 10 preview pane, which displays a preview of the selected document in File Explorer, doesn’t render the document in Protected View when generating that preview. Simply selecting the document in File Explorer with the preview pane enabled is therefore enough to load potentially risky external content over HTTP or SMB, without the user ever opening the file.

The latter of the two protocols is more worrying. When Windows connects to an attacker-controlled SMB server it authenticates automatically, and the researchers demonstrated that the user’s NTLM credentials (the challenge-response derived from the user’s password hash) are sent to the remote server. That gives a malicious actor what they need to attempt to crack the user’s password offline, or to relay the authentication to another service.

Currently, there is no fix for this behaviour. Users are recommended to disable the preview pane on their computers and, as always, exercise caution when downloading Word documents from untrusted sources. Organisations should also block outbound SMB (TCP port 445) at the network perimeter, which stops this and other NTLM credential-leak techniques from reaching Internet-hosted servers.
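The external references that the preview pane would follow are declared inside the document itself: a .docx is a zip container, and every part that points outside the package is listed in a `.rels` file with `TargetMode="External"`. The script below is an added example written for this report, not the researchers’ tooling; it lists those references and labels each one HTTP or SMB (UNC path), so a mail gateway or an analyst can see what a document will reach for before it is previewed. The sample document it builds, and the hosts in it, are constructed: example.com and 192.0.2.10 are reserved documentation names, not real servers.

```python
"""Added example: list the HTTP and SMB resources a .docx references externally.
The sample document is constructed in memory; no real file or host is used."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
RELS_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'


def transport_of(target: str) -> str:
    """Which protocol Word would use to fetch this target."""
    low = target.strip().lower()
    if low.startswith("\\\\") or low.startswith("file://"):
        return "SMB"      # UNC path: Windows authenticates to that host with NTLM
    if low.startswith(("http://", "https://")):
        return "HTTP"
    return "other"


def external_references(docx) -> list:
    """Return (rels_part, relationship_type, target, transport) for every
    relationship marked TargetMode="External", except plain hyperlinks, which
    are only followed when clicked. `docx` may be a path or a file-like object."""
    found = []
    with zipfile.ZipFile(docx) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue          # internal part of the package, nothing fetched
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype == "hyperlink":
                    continue
                target = rel.get("Target", "")
                found.append((name, rtype, target, transport_of(target)))
    return found


# Constructed UNC target using a reserved documentation address.
UNC_IMAGE = r"\\192.0.2.10\share\logo.png"


def build_sample_docx() -> io.BytesIO:
    """Constructed minimal .docx: an image fetched over SMB, an attached
    template fetched over HTTP, and an ordinary hyperlink that is not fetched."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'
        ),
        "_rels/.rels": (
            f'{RELS_OPEN}<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" '
            'Target="word/document.xml"/></Relationships>'
        ),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body/></w:document>'
        ),
        "word/_rels/document.xml.rels": (
            f'{RELS_OPEN}'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}image" Target="{UNC_IMAGE}" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
            '</Relationships>'
        ),
        "word/settings.xml": (
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
        ),
        "word/_rels/settings.xml.rels": (
            f'{RELS_OPEN}<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
            'Target="http://example.com/template.dotx" TargetMode="External"/></Relationships>'
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for part, rtype, target, transport in external_references(build_sample_docx()):
        print(f"{transport:4} {rtype:16} {target}  ({part})")
```

Run it against a real file with `external_references("suspect.docx")`. Any SMB entry is a credential-leak risk the moment the file is previewed or opened; an HTTP `attachedTemplate` is the classic remote-template technique and deserves the same scrutiny.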



Recent Breaches

❖ Domain Registrar Suffers Major Breach

The company affected is an American-based provider of domain name registration and web development services. As the fifth largest registrar in the world, with almost 7 million customers, it recently made news in Australia due to its US$105 million acquisition of Dreamscape Networks. Dreamscape Networks, an ASX-listed company, owns Crazy Domains, the leading Australian domain registrar, with 2 million customers and 600 employees.

On October 16, the company discovered that it had suffered a significant data breach back in August in which user account information was exposed. The exposed data includes contact details such as names, addresses, phone numbers and email addresses, as well as information about the services each account holder had purchased.

Because the company encrypted all credit card information, in line with the PCI DSS standard, no credit card data was reported to be compromised. Had credit card data also been stolen, the ramifications for the company would have been far greater. Nonetheless, the other stolen information could put customers at risk of follow-on phishing and identity fraud attempts.

This is another timely reminder of the importance of securing your data. This is true for all organisations, but particularly those that process customer credit or debit cards.

Contact Shearwater today to discuss ways you can ensure secure payments in line with standards such as PCI DSS.



Other News

❖ Staying Safe with IoT Devices

The Internet of Things (IoT) includes everyday devices that connect to the internet and send and receive data, such as smart TVs, smart watches and baby monitors.

Whilst these devices enhance the way we work and live, there are concerns that they could be vulnerable to cyber-attacks. If a hacker is able to access your home network through such a device, they may be able to reach confidential information stored on your other devices, such as computers and smart phones.

The Commonwealth Government is committed to ensuring Australians are able to enjoy the opportunities and benefits created by IoT devices, whilst still remaining secure. It has therefore launched a new initiative to develop a voluntary code of practice. It hopes to bring industry, as well as other tiers of government, on board with the code.

The highest priorities for consideration are:

  • No duplicated default or weak passwords;
  • Implementing a vulnerability disclosure policy, so that device manufacturers, service providers and app developers have a public point of contact for reporting security issues; and
  • To keep software securely updated, including firmware.

Submissions to the enquiry are required by 1 March 2020.


❖ Securing APIs – More Important than Ever

With APIs integral to digital transformation strategies, many organisations have gone from running a few APIs to running hundreds, if not thousands, of them. These APIs often transfer sensitive data, which makes them attractive targets for attackers. Any vulnerability in an API could result in a significant data breach.

That’s why ensuring your APIs are secure is more important than ever.

Detecting malicious activity across so many APIs is a significant challenge for many organisations. Common attack vectors include broken authentication mechanisms and broken function-level authorisation, where an API checks that a caller is logged in but not whether that caller is permitted to invoke a particular function. Some APIs are also inadvertently exposed when their code or credentials are backed up to a repository such as GitHub, or leak information when called in a way the developer did not anticipate.
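Broken function-level authorisation is easiest to see in code. The example below is added for this report and is not taken from any real API: it is a minimal in-process “API” (no web framework needed) with an admin-only delete function written twice, once with the flaw and once with the authorisation check enforced before the handler body can run. The users, tokens, roles and handler names are all constructed for the example.

```python
"""Added example: a function-level authorisation flaw and its fix, in a tiny
in-process API. All identity data below is constructed for the example."""
from functools import wraps

# Constructed identity data: bearer token -> principal (who, and what role).
TOKENS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-carol": {"user": "carol", "role": "admin"},
}
USERS = {"alice": "Alice", "bob": "Bob", "carol": "Carol"}


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


def authenticate(headers: dict) -> dict:
    """Resolve the bearer token to a principal, or fail with 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        raise ApiError(401, "unauthenticated")
    return TOKENS[token]


def call(handler, headers: dict, *args):
    """Invoke a handler the way a framework would, returning (status, body)."""
    try:
        return 200, handler(headers, *args)
    except ApiError as err:
        return err.status, {"error": err.message}


# --- Vulnerable: the admin-only function checks *who* the caller is but never
# *whether* they may call it. Any valid user token can delete any account.
def delete_user_vulnerable(headers: dict, store: dict, user_id: str) -> dict:
    authenticate(headers)
    store.pop(user_id, None)
    return {"deleted": user_id}


# --- Fixed: the role check runs in a decorator, so the handler body cannot be
# reached without it, and the handler receives the verified principal.
def require_role(*roles):
    def decorator(fn):
        @wraps(fn)
        def wrapper(headers, *args):
            principal = authenticate(headers)
            if principal["role"] not in roles:
                raise ApiError(403, "forbidden")
            return fn(principal, *args)
        return wrapper
    return decorator


@require_role("admin")
def delete_user(principal: dict, store: dict, user_id: str) -> dict:
    if user_id not in store:
        raise ApiError(404, "no such user")
    del store[user_id]
    return {"deleted": user_id, "by": principal["user"]}


@require_role("user", "admin")
def get_profile(principal: dict, store: dict, user_id: str) -> dict:
    # Object-level check on top of the function-level one: ordinary users may
    # only read their own record.
    if principal["role"] != "admin" and principal["user"] != user_id:
        raise ApiError(403, "forbidden")
    if user_id not in store:
        raise ApiError(404, "no such user")
    return {"id": user_id, "name": store[user_id]}


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice"}
    store = dict(USERS)
    print("vulnerable:", call(delete_user_vulnerable, alice, store, "bob"))  # succeeds: the flaw
    store = dict(USERS)
    print("fixed:     ", call(delete_user, alice, store, "bob"))             # 403
```

The important design choice is that authorisation lives in one place the handler cannot bypass, and that the role list is part of the route definition; an endpoint without a `require_role` is then visibly unprotected in review rather than silently open.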

That’s why the announcement this week that the Commonwealth, State and Territory governments have established uniform national API security standards is welcome news.

The move aims to ensure API standards are consistent between all levels of government. The standards will allow governments, as well as trusted third-parties, to securely share, re-use and enhance data in real-time.

If your organisation relies on APIs to transfer data, it’s essential you conduct regular API penetration testing to ensure any vulnerabilities are promptly identified and fixed. Contact Shearwater to find out how an API penetration test can benefit your organisation.


❖ A Phishy Smell in Parliament

With human error now one of the leading cyber-attack vectors, phishing awareness is essential to stop malware and ransomware.

Many organisations of all sizes understand the threat and are taking steps to educate their staff about the risks and how to stay safe.

However, it seems those working in the nation’s Parliament need a bit more training.

Both politicians and their staff will begin phishing simulation training following the state-sponsored cyber-attack against Parliament House earlier this year. With over 4,000 people working in Parliament, it is essential to raise awareness about opening attachments and clicking malicious links.

Whilst Parliament is a prime target for obvious reasons, all organisations should regularly train staff in email security awareness.

Phriendly Phishing is an interactive training program that incorporates engaging modules to create long-term awareness of the risks posed by phishing emails. Contact Shearwater today to find out how your staff can learn the skills to stay safe online.





This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.