30 April 2020 | Asia Cyber Summary


In the spotlight this week:

Cyberattacks continue to gain momentum from the COVID-19 lockdowns. Microsoft is in the spotlight after hosting the Microsoft Online Tech Forum HK.


  • Beware of the GIF Account Takeover Vulnerability in Microsoft Teams. CyberArk draws a useful comparison between this Teams vulnerability and the Zoom issues, as both online meeting solutions are heavily used by many communities and business entities. Although important as more people and businesses migrate online, this news has not attracted much public concern in cities like Hong Kong.

  • Hong Kong’s Securities and Futures Commission (SFC), which has been recognized as the country’s first regulator, finally posted a work-from-home guideline for financial institutions in Hong Kong. The circular covers two areas: 1) remote access to internal networks and systems, and 2) the use of video conferencing platforms. The circular addresses the use of Zoom, but not Microsoft Teams.

  • The Microsoft Threat Protection Intelligence Team reported that attackers have compromised target networks for several months, beginning earlier this year, using an attack pattern typical of human-operated ransomware campaigns. These threat actors have been waiting to monetize their intrusions by deploying ransomware at the point of greatest financial gain. We published and confirmed similar findings 3 weeks ago.


April 28, 2020 | Ransomware Groups Continue to Target Healthcare, Critical Services; Here’s How to Reduce Risk

The Microsoft Threat Protection Intelligence Team reported that ransomware groups continue to target the healthcare and critical services industries, and in this light suggested ways to reduce risk. At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.

The ransomware deployments in this two-week period appear to have caused a slight uptick in the volume of ransomware attacks. However, Microsoft Security Intelligence, as well as forensic data from incident response engagements by the Microsoft Detection and Response Team (DART), showed that many of the compromises that enabled these attacks occurred much earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers compromised target networks for several months beginning earlier this year and waited to monetize their access by deploying ransomware at the moment they expected the greatest financial gain.


Source: Microsoft. Retrieved from https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/


April 28, 2020 | Hiding in plain sight: PhantomLance Walks Into a Market


In July 2019, Dr. Web reported about a backdoor trojan in Google Play, which appeared to be sophisticated and unlike common malware often uploaded for stealing victims’ money or displaying ads. Kaspersky conducted an inquiry and discovered a long-term campaign, “PhantomLance”, its earliest registered domain dating back to December 2015. Kaspersky found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. Kaspersky informed Google of the malware, and it was removed from the market shortly after.


Source: Kaspersky. Retrieved from https://securelist.com/apt-phantomlance/96772/


April 28, 2020 | Microsoft Patches Dangerous Teams Vulnerability


Microsoft has patched a dangerous vulnerability in its Teams collaboration platform that would have allowed attackers to potentially take control of an organization's entire roster of Teams accounts using a malicious GIF. The vulnerability is the latest to highlight the heightened risks that organizations face from having a high percentage of their employees work from home because of the COVID-19 pandemic.

Researchers from CyberArk discovered the vulnerability while examining Microsoft Teams' security this March. According to the security vendor, the problem had to do with how authentication information was handled when users shared or viewed images that were shared with them on the Teams platform. CyberArk reported that the issues would have allowed attackers to take over Teams accounts using a malicious GIF.


Source: CyberArk. Retrieved from https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/

Dark Reading. Retrieved from https://www.darkreading.com/vulnerabilities---threats/microsoft-patches-dangerous-teams-vulnerability/d/d-id/1337665

The Hacker News. Retrieved from https://thehackernews.com/2020/04/microsoft-teams-vulnerability.html


April 29, 2020 | Circular to Licensed Corporations Management of Cybersecurity Risks Associated with Remote Office Arrangements


In light of the increased use of remote office arrangements, Hong Kong’s SFC reminds licensed corporations (LCs) to assess their operational capabilities and implement appropriate measures to manage the cybersecurity risks associated with these arrangements.


When staff work remotely, they may access the LC’s internal network and systems from outside the office and hold meetings through video conferencing platforms. The circular sets out examples of controls and procedures to help protect LCs’ internal networks and data. LCs are reminded that the examples provided are not exhaustive: they should implement and maintain measures appropriate to their situation and commensurate with the size and complexity of their operations. The circular covers remote access to internal networks and systems and the use of video conferencing platforms.


Source: Securities and Futures Commission. Retrieved from https://www.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=20EC37




April 29, 2020 | Remote Spring: The Rise of RDP Brute Force Attacks


Documents and images transmitted entirely among non-Chinese-registered accounts undergo content surveillance, in which files are analyzed for content that is politically sensitive in China. Files deemed politically sensitive are then used to invisibly train and build up WeChat’s Chinese political censorship system. From public information, it is unclear how Tencent uses non-Chinese-registered users’ data to enable content blocking, or which policy rationale permits the sharing of data used for blocking between the Chinese and international regions of WeChat.

Source: Securities and Futures Commission. Retrieved from https://www.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=20EC37




Copyright © 2020 Blackpanda.
All Rights Reserved.
