teiss Cyber Brief - 18th January 2021

" Catch me if you can"

Latest scams: Trust, but always check

A common theme of these newsletters is the variety and number of phishing campaigns that are continually being sent out – and with good reason, given how insidious some of the attempts are.

One recent phishing campaign is described in a warning from the Australian Cyber Security Centre (ACSC). Government agencies regularly send their citizens essential information, and it should come as no surprise that cybercriminals are sending emails masquerading as being from the ACSC.

These emails contain links to supposed anti-virus software; but click on the link and you will be downloading malicious software. People who have downloaded and registered this malicious software are subsequently contacted by phone and encouraged to download even more software to help “remove malware”; in reality this new software is remote-control malware that exposes your online banking information.

Malicious emails like this are difficult to spot; but they are out there and will continue to do their best to fool you. If in doubt, report them, ignore them, or check out the alleged source website to confirm that the information is genuine.

Salutary tales: SunBurst – Not just a fruity orange drink for kids

Just occasionally, security incidents in private companies make front-page news.  The SunBurst attack, as it has been colloquially named, was first targeted at cyber security experts FireEye, and subsequently at IT management company SolarWinds.

In the attack on FireEye, security tools were stolen: perhaps not the biggest of losses, but newsworthy given it was a seasoned security company that was targeted. Thankfully the security community and industry rallied around FireEye and it was quickly ascertained that this comprehensive attack was of a level that only nation-state attackers could have pulled off.

The attack on SolarWinds is more concerning. It turns out that the attackers were able to gain access not just to FireEye but to many other companies, because in Spring 2020 they had embedded malicious software into the update code for a SolarWinds software product called Orion.

Remember when your security team asks you to update your software to the latest version? This is called patching and it is an essential part of remaining secure and operational. In the SunBurst attack, the criminals used this important activity as a way of infecting many companies with malware.

Yikes.

The Orion software is used by many organisations, including many government agencies, and the attackers had unfettered access to those corporate networks for many weeks before the breach was discovered. The fact that the smart money is on this being a nation-state attack makes it all the more concerning.

Does this mean you should stop installing patches and updates, just in case? ABSOLUTELY NOT! Continue to apply patches: this is still one of the main ways of ensuring you are protected against cyber-attacks.

However, this is a clear example of how attackers will use every kind of method to obtain what they want. Sometimes, that means using approaches we may not have considered before.

Regular Tips

Got Mac? Yes, you do need endpoint protection

One of the many debunked “facts” about using a Mac is that there was no need for anti-virus (more accurately known as Endpoint Protection or EPP) as nobody was writing viruses and malware for that platform. While those days are mostly behind us now, it was still something of a surprise to learn that there has been Mac malware hiding in plain sight for at least the last five years!

Called OSAMiner, this malicious software has been around since at least 2015. It is delivered through pirated games such as League of Legends and pirated versions of software including Microsoft Office for Mac. SentinelOne, who published the finding, said that it has evolved over time, perhaps accounting for why it has remained hidden for so long.

Perhaps the most notable aspect of this malware is its use of run-only AppleScripts, the built-in scripting and automation tool that comes as part of the Mac operating systems. Infected machines would run sequential downloads of run-only AppleScript three times. Since “run-only” AppleScript come in a compiled state where the source code isn’t human-readable, this made analysis harder for security researchers.

SentinelOne’s findings are now in the open. This means that this rare-breed of an attack can now be detected by mainstream security software.

But the real moral of the story however is: Don’t install pirated software. You really don’t know where it has been and what else it might contain.

Copyright 2021, Lyonsdown Limited

23-29 Hendon Lane
London, N3 1RT
020 8349 4363
press@teiss.co.uk
teiss® is a registered
trademark of Lyonsdown Ltd