In this week’s Cyber Weekly Digest we dive into the latest cyber security news including a new attack technique called “GIFShell” and the latest zero-day vulnerabilities being exploited by ransomware groups. Keep reading to stay up to date on the biggest cyber security stories from the week.
A new attack technique called “GIFShell” allows threat actors to abuse Microsoft Teams for novel phishing attacks and to covertly execute commands and exfiltrate data using GIFs. The technique was found by security researcher Bobby Rauch, who reported it to Microsoft. Microsoft did not patch it immediately because the attack chain requires the victim’s device to already be infected with malware. However, the attack still relies on bypassing key security controls in MS Teams, which by nature should be patched promptly by Microsoft. Attackers can also use these security bypasses to spoof file extensions, which could lead to a data breach if a victim is tricked into opening what they believe is a safe file.
Outdoor clothing giant The North Face has notified its customers that their accounts may have been compromised, after noticing unusual activity on its website last month. On discovering the incident, The North Face disabled passwords and erased payment card tokens from affected accounts. It will require these users to set a new password and re-enter payment details the next time they log in. After investigating the incident, it was reported that the credential stuffing campaign lasted from the 26th of July to the 19th of August.
New stealthy malware named Shikitega has been discovered infecting computers and IoT devices with additional payloads. The malware exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and eventually launches a cryptocurrency miner on infected devices. Shikitega is stealthy because it uses a polymorphic encoder to evade traditional anti-virus detection, which defeats static, signature-based detection. The infection begins with a 370-byte ELF file, the dropper containing the shellcode. The encoding is performed with the polymorphic XOR additive feedback encoder “Shikata Ga Nai”, previously analysed by Mandiant. After the shellcode executes, one of its commands downloads and runs “Mettle”, a small and portable Metasploit Meterpreter payload that gives the attackers more remote control over the host. Usually, the threat actor then installs a cryptocurrency miner on the device. The attackers avoid raising alarms by using a cloud-based command and control server.
A reverse-proxy Phishing as a service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. The service allows low-skilled threat actors who do not know how to set up reverse proxies to take over online accounts that are otherwise well protected. A reverse proxy sits between the victim and the genuine authentication endpoint: when the victim submits login details through what appears to be the real form, the proxy forwards them to the real site while also capturing the credentials and the resulting session token. APT groups have been using reverse proxies to bypass MFA for some time, most of them with their own custom tools. EvilProxy was first spotted being sold on the hacking forum BreachedForums.
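The relayed-token flow above works against OTP and push-based MFA because the second factor passes through the proxy unchanged; origin-bound authenticators (FIDO2/WebAuthn) resist it because the browser records the page origin in the signed client data and the relying party checks it. The following is an added illustration, not code from the digest or from any product it names; it assumes a genuine login origin of https://login.example.com and a constructed lookalike domain, and shows the server-side check that rejects an assertion relayed through a different origin:

```python
import base64
import hmac
import json
import secrets

# Assumed genuine login origin for this example (not taken from the digest).
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Relying-party check of the clientDataJSON sent with a WebAuthn assertion.

    The browser writes `origin` itself from the page that called
    navigator.credentials.get(), and the authenticator's signature covers a hash
    of this JSON. A login page relayed through a proxy on a lookalike domain thus
    carries the wrong origin, so the assertion is rejected even though a cookie or
    OTP would have passed through the proxy untouched.
    """
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(data, dict) or data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or forged response)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds for a page at `origin`."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    relayed = make_client_data("https://login.example-com.test", challenge)  # constructed lookalike
    print(verify_client_data(genuine, challenge))  # (True, 'ok')
    print(verify_client_data(relayed, challenge))  # (False, "origin mismatch: ...")
```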
QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. The company released Photo Station security updates 12 hours after DeadBolt began using the zero-day vulnerability in attacks, urging NAS customers to immediately update Photo Station to the newest version. Applying the security updates will prevent the DeadBolt ransomware and other threat actors from exploiting the vulnerability and encrypting devices. However, NAS devices should never be publicly exposed to the Internet and should instead be placed behind a firewall.