Weekly Roundup: Cyber-Espionage Campaign, WSA Bug Enable Remote Cyberattacks & Microsoft Vulnerabilities

Today’s Top Security Roundup includes:

• Oil & Gas Companies Fall Victim to a Cyberespionage Campaign
• Cisco BPA, WSA Bugs Enable Remote Cyberattacks
• Microsoft Office Users Warned on New Malware-Protection Bypass

 

Oil & Gas Companies Fall Victim to a Cyber-Espionage Campaign

Over the last year, a well-orchestrated cyber-espionage campaign has been targeting large multinational oil and gas companies. The campaign is spreading remote access trojans (RATs) with the intention of cyberespionage.

What is cyberespionage?

Cyberespionage is a form of cyberattack that gains illegal access to confidential information, sensitive data or intellectual property held by a government or an organization.

In the past year, spear-phishing emails have drastically increased containing malicious attachments used to infect devices with various RATs. The purpose of the remote access Trojans is to steal sensitive data, gain access to banking details and browser information, and log keyboard strokes.

Although the cyberespionage campaign is primarily targeting energy companies, the IT, manufacturing and media sectors, are also being targeted. Victims of the cyberespionage campaign include companies in Germany, United Arab Emirates (UAE) and the United States.

How did the attack take place?

The attackers sent customized emails to employees of each company being targeted. The email contained a malicious attachment including the .NET malware, usually an .IMG, .ISO or .CAB file. The attackers used the file types to evade detection from email-based antivirus scanners.

Social engineering attacks are increasing exponentially with no discrimination. From oil and gas companies to healthcare facilities, every entity with an online connection is at risk.

Learn how to stay secure from social engineering attacks.

Cisco BPA, WSA Bugs Enable Remote Cyberattacks

A series of high-risk vulnerabilities affecting the Business Process Automation (BPA) application and Cisco’s Web Security Appliance (WSA) could give unrestricted access to remote attackers to access confidential data or gain control over a targeted system.

The initial two bugs identified (CVE-2021-1574 and CVE-2021-1576) exist in the web-based management interface of the Cisco Business Process Automation (BPA). The aim of the web interface is to organize numerous IT processes such as operating software upgrades, activating the device, regulating migrating the server if needed.

The discovered weaknesses rating 8.8 out of 10 on the CVSS vulnerability-severity scale could give unrestricted authenticated access to a remote attacker. The attacker could elevate their access privileges to administrator-level and have full authority over the sensitive data.

Just last month, Cisco issued patches to fix numerous high-severity security vulnerabilities in its Small Business 220 Series Smart Switches. Had the vulnerabilities not get fixed, it could allow remote attacks to steal sensitive information, drop malware and disrupt operations, via session hijacking, arbitrary code execution, cross-site scripting (XSS) and HTML injection.

This is a strong reminder for companies and their IT teams to have a proactive approach towards their digital security. Companies should invest in penetration testers and ethical hackers to discover vulnerabilities in their digital infrastructure and patch bug fixes before falling victim to a hack.

Microsoft Office Users Warned on New Malware-Protection Bypass

Microsoft Excel users are being aggressively targeted in a strategic malware campaign. The intrusion involves the use of a novel malware-obfuscation technique that disables Office defences and enables entry to the ZLoader Trojan.

The new malware bypasses firewalls and defences put in place by Microsoft. Consequently, the malware exploits Microsoft Word and Excel who work together to download the ZLoader payload. All this is done in the background and without prompting a notification alert warning for the users of the damaging malicious attack.

What is a ZLoader Trojan?

ZLoader (also known as DELoader and Terdot) is a malicious program designed to steal credentials and other private information from users of targeted financial institutions.

ZLoader Trojan is distributed through malicious web pages that display a fake error notification. Security researchers conclude that ZLoader infects devices with the help of another malicious program, a banking Trojan called Zeus.

The researchers wrote:

“The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document.”

Since Microsoft Office is equipped with instructions to automatically disable macros, the attackers have come up with an ingenious solution. The attackers trick the recipients of the email to enable them with a message appearing inside the Word document.

The end-user is naïve and doesn’t make much of this. However, the damage begins immediately in the background. As always, if you’re unsure of the sender and receive an attachment from an unknown source, simply do not open it. Period.

The growing cyber threats are enough reason to stay updated and know ways to steer clear of such online risks that could jeopardize your data and device.