Each month Shearwater’s Managed Security Services Team brings you the latest Threats, Exploits and Industry News from Australia and around the world.
Read this month’s Security Report to learn about:
Current Threats and Exploits
❖ Beware of .WAV Files with Malware
A file with the .WAV or .WAVE file extension is a Waveform Audio File Format. It’s an audio file that stores data in segments. It was created by Microsoft and IBM and has become the standard PC audio file format.
With attackers constantly on the lookout for new ways to infect computers with malware, they now seem to be increasingly turning their attention to .WAV files. The technique of hiding malicious code inside another, innocuous file type is known as steganography or ‘stego’. This delivery method succeeds because files carrying hidden malicious code pass through security software that whitelists non-executable formats such as .WAV and other multimedia files like JPG or PNG.
Researchers have identified a campaign to secretly embed malicious content throughout audio data. The malicious code consists of three different types of components that can execute the malware.
Users are likely none the wiser: when played, the .WAV files either produce music with no discernible quality issues or glitches or, in some cases, simply generate static white noise.
Two payloads were found being delivered in the campaign: an XMRig/Monero CPU cryptominer and Metasploit code used to establish a reverse shell. This activity suggests a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim’s network. The fact that crypto-mining authors are now deploying their cryptominers via stego methods points to a new level of sophistication on their part.
Since stego is only used as a data transfer method, companies should be focusing on detecting the point of entry/infection of the malware that abuses steganography, or the execution of the unauthorised code spawned by the stego-laced files.
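As an added example (not from the Shearwater report or the research it cites), the following Python triage script walks a WAV file’s RIFF chunk list and reports structural anomalies such as bytes appended beyond the declared size or uncommon chunks. It will not flag a payload spread through the sample values themselves, which is exactly why the report steers detection towards the point of entry and the code the file spawns; the sample file it checks is constructed with the standard library.

```python
import io
import struct
import wave

# Chunk IDs commonly seen in legitimate WAV files; anything else is worth a closer look.
COMMON_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"bext", b"JUNK", b"id3 "}

def build_wav(n_samples=1000, rate=8000):
    """Constructed sample input: a silent 16-bit mono WAV written with the stdlib."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x00\x00" * n_samples)
    return buf.getvalue()

def inspect_wav(data):
    """Walk the RIFF chunk list and return a list of structural anomalies (empty = clean)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    findings = []
    riff_size = struct.unpack("<I", data[4:8])[0]
    declared_end = 8 + riff_size          # the RIFF size excludes the 8-byte RIFF header
    if len(data) > declared_end:
        findings.append(f"{len(data) - declared_end} bytes appended beyond declared RIFF size")
    elif len(data) < declared_end:
        findings.append(f"file is {declared_end - len(data)} bytes shorter than declared")
    pos = 12
    while pos + 8 <= min(declared_end, len(data)):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        if cid not in COMMON_CHUNKS:
            findings.append(f"uncommon chunk {cid!r} of {size} bytes")
        if pos + 8 + size > len(data):
            findings.append(f"chunk {cid!r} declares {size} bytes but runs past end of file")
            break
        pos += 8 + size + (size & 1)      # chunk bodies are padded to an even length
    return findings

if __name__ == "__main__":
    print(inspect_wav(build_wav()))                    # []
    print(inspect_wav(build_wav() + b"\x90" * 64))     # reports the 64 appended bytes
```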
❖ Voicemail Not Always What it Seems
Once again, we see the attractiveness of audio as an attack vector. Following on from the threat posed by .WAV files, we now see attackers using access to voicemail as a way to gain unauthorised access.
Whilst Office 365 users have been regular targets for phishers, because their accounts often give access to high-value company data and systems, the new methodology is particularly pernicious.
Hackers have now stepped up their game with new attacks that use audio files masquerading as voicemails to trick users into exposing their passwords. It is part of a ‘phishing’ and ‘whaling’ campaign. Whaling is a type of phishing that is aimed at senior executives, department managers and other high-value targets inside organisations by using lures they are likely to be interested in and fall for.
In this type of attack, the victim is sent rogue emails containing Microsoft’s logo and information about a missed call from a particular phone number. The messages include information such as caller ID, date, call duration, organisation name and a reference number.
The emails have HTML attachments, which, if opened, redirect users to a phishing site that tells them Microsoft is fetching their voicemail and asks them to login to access it.
During this step, the page plays a short audio recording of someone speaking that is meant to trick victims into believing they’re listening to the beginning of a legitimate voicemail.
The fact that these emails incorporate audio to create a sense of urgency prompts victims to access the malicious link.
Once the recording is played, users are redirected to another rogue website that mimics the o365 login page and where the email address is automatically pre-populated to add to the attack’s credibility. If victims input their passwords, they receive a successful login message and are redirected to the legitimate office.com website.
To help prevent this type of attack, ensure two-factor authentication is enabled for your organisation’s o365 accounts, as it makes this kind of breach more difficult for attackers.
It is also crucial to train staff on how to identify phishing emails and avoid clicking on suspicious links or opening attachments from unknown senders.
❖ VPN Vulnerabilities
With ISPs required to collect metadata, the potential requirement to grant backdoor access, and the concern that browsing activity could be sold to marketers, many Australians now consider Virtual Private Networks (VPNs) an essential part of being on the internet.
VPNs offer additional privacy and increased security, especially when using unknown wireless networks such as in cafes, airports, or even at work. They also provide the ability to avoid geo-locked content on services like Netflix.
However, there are increasing concerns that VPNs may not be totally secure. Recent warnings have been issued by both the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC) about known exploits.
It is now known that vulnerabilities affecting VPN products from vendors including Pulse Secure, Fortinet and Palo Alto are being exploited by attackers. This ongoing threat targets VPN users around the world, including Australia.
Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings or connect to further internal infrastructure. Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.
When it comes to selecting the most secure type of VPN, we recommend opting for ‘OpenVPN’. It uses open-source technologies like the OpenSSL encryption library and SSL v3/TLS v1 protocols.
OpenVPN can be configured to run on any port, so you could configure a server to work over TCP port 443. The OpenVPN traffic would then be practically indistinguishable from the standard HTTPS traffic generated when you connect to a secure website. This makes it difficult to block completely.
It’s very configurable and will be most secure if it’s set to use AES encryption instead of the weaker Blowfish encryption. OpenVPN has become a popular standard. We’ve seen no serious concerns that anyone has compromised OpenVPN connections.
OpenVPN support isn’t integrated into popular desktop or mobile operating systems. Connecting to an OpenVPN network requires a third-party application — either a desktop application or a mobile app. You can even use mobile apps to connect to OpenVPN networks on Apple’s iOS.
You should also ensure you use a VPN kill switch. This is a feature that will drop the internet connection on your device if the VPN connection fails. Without activating a VPN kill switch, if the VPN connection fails, your true IP address could be visible, potentially revealing your identity and/or location.
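The OpenVPN recommendations above (TCP port 443, AES rather than Blowfish) as an added, runnable check that is not part of the report or of the OpenVPN project: a weak server config beside its hardened counterpart, and a small Python auditor that flags the differences. The directives are real OpenVPN directives; the two configs are constructed samples, and the TLS 1.2 floor is an extra check beyond what the text lists. The kill switch is a client-side firewall feature, not an OpenVPN server directive, so it is not covered here.

```python
import re

# Constructed sample: a weak OpenVPN server config (Blowfish, default UDP/1194, no TLS floor).
WEAK_CONF = """\
port 1194
proto udp
dev tun
cipher BF-CBC
"""

# Constructed sample: the hardened counterpart following the recommendations above.
HARDENED_CONF = """\
port 443
proto tcp
dev tun
cipher AES-256-GCM
tls-version-min 1.2
"""

def parse_conf(text):
    """Map each directive (lower-cased) to its argument list; later entries win."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop OpenVPN comments
        if line:
            key, *args = line.split()
            conf[key.lower()] = args
    return conf

def audit_openvpn_conf(text):
    """Return human-readable findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    # Releases before OpenVPN 2.5 fell back to Blowfish when no cipher was set.
    cipher = conf.get("cipher", ["BF-CBC"])[0].upper()
    if not cipher.startswith("AES-"):
        findings.append(f"cipher {cipher} is not AES; use AES-256-GCM")
    proto = conf.get("proto", ["udp"])[0].lower()
    port = conf.get("port", ["1194"])[0]
    if not (proto.startswith("tcp") and port == "443"):
        findings.append(f"{proto}/{port} is easy to single out; proto tcp on port 443 blends with HTTPS")
    # An unset floor is treated as the historic default of TLS 1.0 (assumption in this example).
    tls_min = conf.get("tls-version-min", ["1.0"])[0]
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min {tls_min}; require 1.2 or higher")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_openvpn_conf(text) or "OK")
```

Moving to port 443 only makes the tunnel harder to block; the cipher and TLS floor are what actually protect the traffic.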
❖ Emotet Trojan Risk
Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may carry familiar branding designed to look like a legitimate email and usually try to persuade users to open the malicious files with tempting language about “Your Invoice,” “Payment Details,” or an upcoming shipment from a well-known parcel company. It is most commonly spread via Microsoft Office attachments, usually Microsoft Word (.doc, .docx) documents. There have also been reports of PDF attachments containing the malware.
These attached files contain macros that download and install the Emotet malware when opened.
Because the Emotet malware is often embedded in a macro in a Microsoft Office or PDF document, the ACSC recommends implementing security controls around the use of macros to reduce the likelihood of infection.
Start by reviewing the ACSC’s Microsoft Office Macro Security recommendations. Where possible, block macros in files that originate from the internet and only allow macros to execute from trusted locations where write access is limited to personnel whose role is to vet and approve macros.
The ACSC has published additional recommendations on limiting your exposure to Emotet.
❖ Addressing the Skills Shortage
Over coming years, Australia will face a significant shortfall in the number of skilled cybersecurity personnel. By 2026, it is anticipated an additional 18,000 cybersecurity workers will be needed for the sector to harness its full growth potential. This shortfall has significant economic consequences. In 2017, up to $405 million in revenue was forfeited in the cybersecurity sector as a direct result of the lack of skilled workers.
To help begin addressing this shortfall, the Federal Government has launched a new ‘fast-track’ permanent residency visa program for highly skilled tech migrants, including those with cyber security skills.
The ‘Global Talent Independent Program’ aims to lure up to 5000 high-income earners working “at the top of their field” to Australia over the coming year with the offer of a “fast tracked process to permanent residency”.
The program has been welcomed as a “great initiative” by CyberCX.
❖ Digital Drivers Licences
NSW motorists can now ditch their physical driver’s licence for a digital alternative and use it as a form of ID after the state government finally pressed go on its state-wide rollout.
The opt-in digital pass is available to both iPhone and Android users via the Service NSW app.
A range of security features such as holograms and scannable QR codes are offered to ensure the ‘liveness’ of the identity document and protect citizens against identity fraud. But are these security measures enough?
The Government says the digital licence is safer than its physical predecessor, although privacy is still a concern for some.
Service NSW recently created the state government’s first bug bounty program, in part to ensure the digital licence platform is secure. The Government acknowledged the goal of the bug bounty program is to weed out security vulnerabilities in the opt-in electronic driver’s licence.
❖ Australians are Fatigued
Up to 65% of Australian businesses are suffering from cybersecurity fatigue according to the 2019 Cisco Asia Pacific CISO Benchmark Study. Whilst the figure is an improvement on last year’s figure of 69%, it is still far higher than the global average of 30%.
The report speculates that one of the reasons for this fatigue is that Australian businesses may receive too many daily security alerts. This may overwhelm their ability to investigate alerts and remediate legitimate ones.
The three greatest obstacles to adopting more advanced security processes and technology are budget constraints, organisational attitudes and competing priorities.
There’s no doubt many organisations are challenged when it comes to fulfilling a wide range of cybersecurity functions. Building a dedicated in-house Managed Security Services team, with all the skillsets that entails, can be a major expense.
That’s where engaging a professional cybersecurity service provider can be a cost-effective alternative. Shearwater has the skills and experience to handle all your cybersecurity needs, including staff-training to achieve the right organisational attitudes.
· Beware of .WAV Files with Malware: https://threatpost.com/wavs-hide-malware/149240/ and https://www.zdnet.com/article/wav-audio-files-are-now-being-used-to-hide-malicious-code/
· Voicemail Not Always What it Seems: https://www.computerworld.com.au/article/668107/attackers-phish-office-365-users-fake-voicemail-messages/
· VPN Vulnerabilities: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
· Addressing the Skills Shortage: https://www.itnews.com.au/news/australia-to-fast-track-permanent-residency-for-highly-skilled-tech-migrants-533419
· Digital Drivers Licences: https://www.itnews.com.au/news/nsw-govts-first-bug-bounty-program-driven-by-digital-licensing-push-533535
· Australians are Fatigued: https://www.cisco.com/c/m/en_au/products/security/offers/benchmark-reports-2019.html
This Information Security Report is brought to you by Shearwater Solutions.
The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.
Whatever your Information Security challenge, we’re here to help you find the right solution.