TOP MIDDLE EAST CYBER THREATS - 15 FEBRUARY 2018
In this blog, members of our MSS (Managed Security Services) team share the top three cyber security threats they have come across recently. Read on to learn what you need to look out for in the weeks ahead:
Crypto Mining Malware is on the Rise
With the dramatic rise (and subsequent fall) in the value of Bitcoin in recent months, talk of cryptocurrency has dominated mainstream media like never before. It is no surprise that all this interest has drawn the attention of cyber criminals. While the hacking of a prominent exchange was big news for the cryptocurrency community, what organizations need to worry about is the theft of their own computing resources for crypto mining: an infected host burns CPU time and power mining on the attacker's behalf, and the same foothold can be reused for other malware later.
The two strains that have been most successful in recent weeks are an Android malware that mines the Monero cryptocurrency and the Smominru botnet, which also mines Monero and which, like WannaCry, uses the EternalBlue SMBv1 exploit (MS17-010) to spread rapidly through enterprise networks. Hosts that are still unpatched against MS17-010, or that allow SMB between workstations, are the ones it reaches.
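Worm-like spreading over SMB, whether by Smominru or WannaCry, leaves one pattern in network telemetry that is easy to hunt for: a single host opening TCP/445 connections to many distinct internal peers in a short window. The following is an added example of that detection run over constructed flow records; it is not Help AG's or any vendor's detection logic, and the threshold (10 distinct peers within 60 seconds) is an assumption that has to be tuned against the baseline of a real network.

```python
"""SMB fan-out detector for worm-like spreading (EternalBlue-style).

Added example, not Help AG's or any vendor's detection logic. Flow records are
constructed below; the threshold (10 distinct peers in 60 s) is an assumption
that has to be tuned against a real network's baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445


def build_sample_flows():
    """Constructed NetFlow-style records, one 'timestamp src dst dport' per line."""
    base = datetime(2018, 2, 14, 9, 0, 0)
    lines = []
    # 1) Worm-like host: 30 distinct peers on 445 within 30 seconds.
    for i in range(1, 31):
        ts = base + timedelta(seconds=i - 1)
        lines.append(f"{ts.isoformat()} 10.0.5.23 10.0.5.{100 + i} {SMB_PORT}")
    # 2) Normal client: many sessions, but all to the same file server.
    for i in range(50):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.7.8 10.0.7.100 {SMB_PORT}")
    # 3) Slow scanner: 15 peers, one every 10 seconds (never 10 inside 60 s).
    for i in range(15):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.6.6 10.0.6.{i + 1} {SMB_PORT}")
    # 4) Non-SMB traffic, ignored by the detector.
    lines.append(f"{base.isoformat()} 10.0.9.4 10.0.9.10 443")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def detect_smb_fanout(records, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: time_of_first_alert} for sources that reach at least
    `threshold` distinct destinations on TCP/445 inside any `window`."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs inside the current window
    alerts = {}
    for ts, src, dst, dport in sorted(records):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_smb_fanout(parse_flows(build_sample_flows())).items():
        print(f"ALERT {when.isoformat()} {src}: SMB fan-out, possible worm propagation")
```

On the constructed data only 10.0.5.23 is flagged, nine seconds into its sweep. The chatty file-server client never triggers because its distinct-peer count stays at one, and the slow scanner shows the limitation of a fixed window: ten seconds between probes keeps it under the threshold, so a production rule should pair this with a longer-horizon count (distinct 445 peers per host per day) and with the MS17-010 patch status of the hosts involved.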
Spreading Malware via Cloud Drives
The international cybercrime group Lazarus has become active once again, this time with a phishing campaign aimed at stealing Bitcoin. Interestingly, the attackers spread the malware via a malicious document, tricking the victim into downloading it from a Dropbox link, so that the initial delivery comes from a trusted, widely allowed domain rather than a suspicious email attachment. This highlights both the way attackers constantly modify their delivery methods and the need for organizations to stop employees from running day to day with administrator privileges: a macro that executes as a standard user can do far less damage than one that executes as an administrator.
Another example of such cloud targeting is the ShurL0ckr ransomware, which researchers found slipping past the built-in malware scanning of both Microsoft Office 365 and Google Drive, and which was detected by only 7% of antivirus engines. The attack succeeds because not all cloud providers supply the most advanced malware detection natively on their platforms; a file sitting in a shared drive is not necessarily a scanned file. It is clear therefore that any cloud strategy MUST incorporate security into its plans. At Help AG, we help our clients realize their cloud ambitions while maintaining the security of their data and services!
Targeted Attacks in the Middle East
Our vendor partner Cisco outlined a targeted attack in the Middle East that starts with a VBScript which writes out a Word document posing as a confidential file. The document's macros then run further scripts that connect to the attackers' command-and-control (C&C) server to download additional payloads.
The most notable part of this attack is how the attackers tried to keep their infrastructure secure: the C&C only responds to requests carrying specific User-Agent strings (those of the infected systems), and each infected IP address is allow-listed only for a brief period after infection. The practical consequence for defenders is that an analyst who replays the C&C URL later, from a different address or with a different client, gets nothing useful back, so the second-stage payload has to be captured from the infected host's own traffic at the time of infection.
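To make the gating concrete, here is an added model of a C&C that serves its payload only when both checks pass, walked through from the victim's and from an analyst's side. It is an illustration written for this post, not the attackers' server code (which was not published); the User-Agent value, the five-minute window and the decoy redirect are assumptions, and only the logic is the point.

```python
"""Model of a User-Agent- and time-gated C&C, as described above.

Added illustration, not the attackers' code (which was not published). The
User-Agent value, the 5-minute window and the decoy redirect are assumptions;
the point is the logic: a payload is served only to a client that presents the
implant's User-Agent from an IP that a fresh infection registered moments ago.
"""
from datetime import datetime, timedelta

IMPLANT_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"  # assumed value
ALLOW_WINDOW = timedelta(minutes=5)  # assumed window length


class GatedC2:
    def __init__(self, user_agent=IMPLANT_USER_AGENT, window=ALLOW_WINDOW):
        self.user_agent = user_agent
        self.window = window
        self.allowed_until = {}  # source IP -> expiry of its allow-list entry

    def register_infection(self, ip, now):
        """First beacon from the macro: allow-list the victim's IP briefly."""
        self.allowed_until[ip] = now + self.window

    def handle_request(self, ip, user_agent, now):
        """Return (status, body). Anything not passing both gates gets a decoy."""
        expiry = self.allowed_until.get(ip)
        if expiry is not None and now > expiry:
            del self.allowed_until[ip]  # window closed: the IP is forgotten
            expiry = None
        if expiry is None or user_agent != self.user_agent:
            return 302, "Location: https://www.example.com/"  # decoy, looks like a dead host
        return 200, "<second-stage payload>"


def replay_scenario():
    """Walk through the exchange: victim, wrong client, analyst replay, too late."""
    c2 = GatedC2()
    t0 = datetime(2018, 2, 1, 10, 0, 0)
    victim, analyst = "203.0.113.10", "198.51.100.7"  # RFC 5737 documentation addresses
    c2.register_infection(victim, t0)
    one_min, six_min = t0 + timedelta(minutes=1), t0 + timedelta(minutes=6)
    return {
        "victim_in_window": c2.handle_request(victim, IMPLANT_USER_AGENT, one_min)[0],
        "victim_wrong_ua": c2.handle_request(victim, "curl/7.58.0", one_min)[0],
        "analyst_replay": c2.handle_request(analyst, IMPLANT_USER_AGENT, one_min)[0],
        "victim_after_window": c2.handle_request(victim, IMPLANT_USER_AGENT, six_min)[0],
    }


if __name__ == "__main__":
    for case, status in replay_scenario().items():
        print(f"{case:20s} -> HTTP {status}")
```

Only the first request, from the registered victim with the implant's User-Agent inside the window, receives the payload; the same victim with curl, an analyst from another address, and the victim itself six minutes later all get the harmless redirect. Two defensive points follow: preserve the victim's own traffic (full packet capture or proxy logs from the minutes around the alert) rather than relying on a later fetch, and treat a burst of short-lived 302 responses to an unusual User-Agent from a workstation as worth a look, since that is exactly what a rejected or expired beacon looks like in a proxy log.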
You can refer to Cisco's excellent blog post, which outlines further details of the attack and the great degree of care the attackers took to camouflage their infrastructure.
Blog By:
Majid Khan, Manager Cybersecurity Managed Services at Help AG