Weekly Intelligence Summary | 30 April 2020
Updated: Jun 11
In the spotlight this week:
Cyberattacks continue to gain momentum from the COVID-19 lockdowns. Microsoft is in the spotlight after hosting the Microsoft Online Tech Forum HK.
Beware of the GIF account takeover vulnerability in Microsoft Teams. CyberArk's write-up offers a useful comparison between this Teams vulnerability and the recent Zoom issues, two online meeting solutions heavily used by many communities and business entities. Although this matters more as people and businesses migrate online, the news has not attracted much public concern in cities like Hong Kong.
Hong Kong’s Securities and Futures Commission (SFC), which has been recognized as the country’s first regulator, has finally posted a work-from-home guideline for financial institutions in Hong Kong. Its circular covers two areas: 1) remote access to internal networks and systems, and 2) the use of video conferencing platforms. The circular addresses the use of Zoom, but not Microsoft Teams.
The Microsoft Threat Protection Intelligence Team reported that attackers compromised target networks for several months, beginning earlier this year, using an attack pattern typical of human-operated ransomware campaigns. These threat actors waited to monetize their access, deploying ransomware only when it would yield the most financial gain. We published and confirmed similar findings 3 weeks ago.
April 28, 2020 | Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
The Microsoft Threat Protection Intelligence Team reported that ransomware groups continue to target the healthcare and critical services industries, and suggested ways to reduce the risk. At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting and continue their normal operations.
The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft Security Intelligence as well as the forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.
April 28, 2020 | Hiding in plain sight: PhantomLance walks into a market
In July 2019, Dr. Web reported a backdoor trojan in Google Play which appeared to be sophisticated and unlike the common malware often uploaded to steal victims’ money or display ads. Kaspersky conducted an inquiry and discovered a long-term campaign, “PhantomLance”, whose earliest registered domain dates back to December 2015. Kaspersky found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces, including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. Kaspersky informed Google of the malware, and it was removed from the market shortly after.
Source: Kaspersky. Retrieved from https://securelist.com/apt-phantomlance/96772/
April 28, 2020 | Microsoft Patches Dangerous Teams Vulnerability
Microsoft has patched a dangerous vulnerability in its Teams collaboration platform that would have allowed attackers to potentially take control of an organization's entire roster of Teams accounts using a malicious GIF. The vulnerability is the latest to highlight the heightened risks that organizations face from having a high percentage of their employees work from home because of the COVID-19 pandemic.
Researchers from CyberArk discovered the vulnerability while examining Microsoft Teams’ security in March. According to the vendor, the problem had to do with how authentication information was handled when users shared or viewed images shared with them on the Teams platform: the browser attached the Teams authentication cookie to image requests sent to any subdomain of teams.microsoft.com, so an attacker who controlled such a subdomain (CyberArk found two that were exposed to subdomain takeover) could harvest tokens simply by getting a victim to view a GIF hosted there. CyberArk reported that these issues would have allowed attackers to take over Teams accounts using a malicious GIF; Microsoft corrected the DNS records of the affected subdomains and pushed further mitigations.
Source: Cyberark. Retrieved from https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/
The Hacker News. Retrieved from https://thehackernews.com/2020/04/microsoft-teams-vulnerability.html
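The mechanism behind the GIF attack is cookie scoping: a cookie set with a Domain attribute of the parent domain is sent to every subdomain, including one an attacker has taken over, while a host-only cookie goes back only to the exact host that set it. The following is an added illustration, not code from CyberArk or Microsoft. It implements the RFC 6265 domain-matching rule and checks which hosts would receive a cookie; the cookie name authtoken is the one CyberArk’s write-up refers to, and the attacker-controlled subdomain and the other host names are constructed placeholders. Path, Secure and SameSite handling are deliberately left out: an image loaded from a sibling subdomain is a same-site request, so SameSite would not have blocked it.

```python
"""Cookie domain matching (RFC 6265 section 5.1.3) applied to the Teams GIF
scenario. Added example; host names other than teams.microsoft.com are
constructed placeholders, not real infrastructure."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute value, or the setting host if none was given
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the cookie domain, or the host ends
    with '.' followed by the cookie domain (i.e. it is a subdomain of it)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def would_send(cookie: Cookie, request_host: str) -> bool:
    """A host-only cookie is returned only to the exact host that set it;
    a domain cookie is returned to every host that domain-matches."""
    if cookie.host_only:
        return request_host.lower().rstrip(".") == cookie.domain.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def exposed_hosts(cookie: Cookie, hosts):
    """Hosts, in input order, that would receive `cookie` on a request."""
    return [h for h in hosts if would_send(cookie, h)]


def cookie_leaks_via_image(cookie: Cookie, img_src: str) -> bool:
    """True when rendering <img src=img_src> would attach `cookie` to the
    image request; this is the GIF delivery channel in the Teams case."""
    host = urlparse(img_src).hostname or ""
    return would_send(cookie, host)


# Cookie as it was scoped (Domain=teams.microsoft.com, shared across subdomains)
DOMAIN_COOKIE = Cookie("authtoken", "teams.microsoft.com", host_only=False)
# The same cookie if it had been set host-only (no Domain attribute)
HOST_ONLY_COOKIE = Cookie("authtoken", "teams.microsoft.com", host_only=True)

# Constructed host list: the legitimate host, a hypothetical taken-over
# subdomain, a look-alike domain and an unrelated Microsoft host.
SAMPLE_HOSTS = [
    "teams.microsoft.com",
    "attacker-subdomain.teams.microsoft.com",
    "teams.microsoft.com.evil.example",
    "login.microsoft.com",
]

if __name__ == "__main__":
    gif = "https://attacker-subdomain.teams.microsoft.com/loading.gif"
    print("domain cookie sent to:   ", exposed_hosts(DOMAIN_COOKIE, SAMPLE_HOSTS))
    print("host-only cookie sent to:", exposed_hosts(HOST_ONLY_COOKIE, SAMPLE_HOSTS))
    print("GIF leaks domain cookie: ", cookie_leaks_via_image(DOMAIN_COOKIE, gif))
    print("GIF leaks host-only one: ", cookie_leaks_via_image(HOST_ONLY_COOKIE, gif))
```

The look-alike host teams.microsoft.com.evil.example never matches, which is why the attacker needed a genuine subdomain rather than a phishing domain; that in turn is why dangling DNS records for unused subdomains matter for any service that scopes session cookies to a parent domain.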
April 29, 2020 | Circular to licensed corporations management of cybersecurity risks associated with remote office arrangements
In light of the increased use of remote office arrangements, Hong Kong’s SFC reminds licensed corporations (LCs) to assess their operational capabilities and implement appropriate measures to manage the cybersecurity risks associated with these arrangements.
When staff work remotely, they may access the LC’s internal network and systems from outside the office and hold meetings through video conferencing platforms. This circular sets out examples of controls and procedures to assist in the protection of LCs’ internal networks and data. LCs are reminded that the examples provided are not exhaustive. They should implement and maintain measures which are deemed appropriate to the situation and commensurate with the size and complexity of their operations. The circular covers remote access to internal network and systems and the use of video conferencing platforms.
Source: Securities and Futures Commission. Retrieved from https://www.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=20EC37
April 29, 2020 | Remote spring: the rise of RDP brute force attacks
With the spread of COVID-19, organizations worldwide have introduced remote working, directly affecting cybersecurity and the threat landscape. One of the most popular application-level protocols for accessing Windows workstations or servers is Microsoft’s proprietary Remote Desktop Protocol (RDP). The lockdown has seen a great many computers and servers made reachable remotely, and we are now witnessing an increase in cybercriminal activity that exploits the situation by brute-forcing corporate resources that have been exposed (sometimes in haste) to remote workers.
Source: Securelist. Retrieved from https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/