We’ve been keeping a close eye on the latest cyber security news, and we’re bringing you a quick update. Here’s what you need to know about some of the biggest threats this month (and what you need to do about them).
TeamViewer hacked: Do you need to take action?
TeamViewer’s corporate organisation was compromised, suspected to be the work of Russian state actors. Although TeamViewer claims their corporate IT and remote access software run on separate environments, we see this as a significant risk – best to err on the side of caution. We notified all our customers immediately after the news broke and have taken steps to block TeamViewer on all antivirus and firewall platforms. It’s been uninstalled from every device we manage.
Actions: We recommend immediately uninstalling TeamViewer from all devices you manage, both personal and corporate.
Sneaky games: Malware disguised as gaming fun
Speaking of games, North Korean state actors known as Moonstone Sleet have been using a disguised malware scheme to steal data. It was disguised through an invite-only video game called DeTankWar, which players had to register for with a username and password. Invites were shared widely through social media, and through directly contacting organisations in the gaming, education, and software development sectors. Some serious effort went into it.
While this is targeted at specific individuals rather than corporate environments, it’s still something worth being aware of. Microsoft Defender has already updated its Indicators of Compromise (IOCs) to detect this threat – Defender for Endpoint can detect various components of it, while Defender Antivirus can detect the malware execution with behavioural signatures.
Actions: As always, make sure you’re running the latest security software.
Attackers still using email to deliver malware in 2024
It seems attackers haven’t given up on good old email tricks. This month saw the use of malware disguised as legitimate files being sent via emails designed to bypass common security measures.
This just highlights the importance of what we now take for granted with IT security. Because some attack methods seem too simple doesn’t mean they’re not still being targeted. This isn’t a complex attack – it is clever, though.
The method involves data exfiltration malware that bypasses User Account Control (UAC) by abusing renamed Windows files and ActiveX controls to execute a script chain, ultimately sending your data to the hacker. The malware targets crypto wallets, plugins, file extensions, and partial paths, along with apps including AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.
Actions: Protect against this by simply using your standard modern security features. Use a secure web browser (like Edge and SmartScreen), email filtering for spam/malware, enforce multi-factor authentication (MFA) across your systems, keep antivirus software (like Microsoft Defender) updated, and consider deploying Microsoft Attack Surface Reduction where applicable.
Telegram: A hot spot for hackers?
While Telegram itself isn’t inherently insecure, threat actors are increasingly using it to share data and target vulnerabilities. While default conversations aren’t end-to-end encrypted (like in WhatsApp), you do have the option to use ‘secret chats’ which are encrypted.
There are 54 Telegram-related items in Defender’s Threat Intelligence record over the last 6 years, which is about 9 a year. But there have been 6 in the last 4 weeks – a definite uptick in activity. It seems to be the platform of choice for hackers right now. And Telegram has been the victim of data leaks in the past, so be very careful when sharing anything important through it.
We’re closely monitoring the situation and might add it to our web content filtering block rules in the future.
Actions: Nothing as yet, but keep an eye out for further developments.
Uptick in 2FA bypassing
We’re seeing an increase in Two-Factor Authentication being bypassed driven by a new form of attack known as AiTM (Adversary-in-the-Middle). This type of attack is becoming more frequent and involves either fake webpages that trick users into providing their 2FA code or intercepting the 2FA itself via AiTM methods. This can result in BEC (Business Email Compromise) and the subsequent security headaches that come from it.
While there is currently no completely hands-off method for bypassing 2FA (yet), the attacks typically need a compromised local device. Most of these attacks start with phishing emails that lure users into clicking on malicious links.
Actions: Despite the uptick, 2FA remains an essential security measure, so keep it active. To lessen these threats, remind your staff how to recognise phishing attempts and not to click on suspicious links.
Olympic espionage: Stay vigilant this summer
There are hints of increased activity targeting organisations involved in the Olympics, potentially by Russian state actors. While this doesn’t directly impact most of our customers, it’s worth keeping a watchful eye on your own security posture.
Actions: Review any connections you have to related organisations and stay informed about potential threats.
Active outbreaks & advisories
Here’s a round up of some of the current outbreaks we think you should be aware of.
Black Basta ransomware
Threat groups are aggressively pushing Black Basta ransomware using remote client management software like ConnectWise and Microsoft Quick Assist. Keep your antivirus and remote connection software up to date to guard against this threat.
D-Link multiple devices attack
End-of-life (EOL) D-Link devices are being targeted. Businesses using EOL software or hardware face a critical risk and should prevent this immediately by upgrading to supported devices and software.
Check Point Quantum Security Gateways information disclosure attack
A critical vulnerability has been identified in Check Point Quantum Security Gateways. If you use this product, apply the available hotfix immediately to patch the vulnerability.
PHP Remote Code Execution (RCE) Attack
A severe vulnerability with a CVSS score of 9.8 has been identified in PHP, which has already been exploited. The code to exploit this vulnerability is publicly available. Make sure your PHP installations are updated immediately to stay safe against this threat.
