Advisory ID: NCC-CSIRT-120923-033 

Summary: Japan's computer emergency response team (JPCERT) has identified a novel attack method involving the distribution of a malware known as 'MalDoc in PDF'. This technique effectively evades detection by concealing malicious Word files within PDF documents

Threat Type(s): Malware

Impact/Vulnerability: HIGH/CRITICAL

Product(s): PDF

Platform(s):  PDF Files

Version(s): All Versions 

Description: As indicated by the researchers, the compromised PDF file carrying the malicious Word Docs possesses a polyglot nature. Polyglot files exhibit the ability to be interpreted and executed in multiple ways, depending on the application used to open them. While most scanning engines and tools identify it as a PDF, standard office applications treat it as a typical Word document (.doc). Enclosed within the PDF is a Word document housing a Visual Basic Script (VBS) macro. When this file is accessed as a .doc in Microsoft Office, the VBS macro triggers the downloading and installation of a Microsoft Installer malware (MSI malware) file. However, the specific details about the nature of this installed malware have not been disclosed by the researchers.

Consequences: Attackers employ this attack technique to evade detection and confuse analysis tools. The malicious files may seem harmless in one format, while hiding malicious code in another. 

Solution: 

• Deactivate the automatic execution of macros in Microsoft Office. How to deactivate disable macros in Microsoft Office. 
• Utilize the OLEVBA tool, an analysis tool designed for assessing malicious Word files. This tool can provide an analysis of embedded macros, enabling the identification of potentially malicious components within the file. How to use OLEVBA for marco malware analysis. 
• Apply the Yara rule offered by Japan CERT to detect files utilizing the 'MalDoc in PDF' technique. This approach involves displaying a warning screen upon the initiation of Word documents, Excel workbooks, or MHT files (webpage archives saved by a web browser) within a PDF file. This warning prompts users about differing file extensions and requires user acceptance before opening in Word, Excel, or MHT formats

References:

https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html 

https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/ 

https://github.com/decalage2/oletools/wiki/olevba 

Advisory ID: ngCERT-2023-0035

Summary: In a concerning development, cyber criminals have intensified their focus on the general public through sim-swap attacks. Notably, a recent instance involved a remarkably advanced cyber threat actor who successfully carried out a "SIM swapping" attack. The attack was directed at a T-Mobile US, Inc. account linked to an employee of Kroll, demonstrating the growing sophistication of these malicious activities. This incident underscores the urgency of cybersecurity awareness and protection against emerging threats.

Threat Type(s): Mobile Networks/Devices

Damage/Probability: CRITICAL/HIGH

Description: SIM swapping, also referred to as SIM splitting or simjacking, is a malicious technique where criminal actors target mobile carriers to gain access to victims' bank accounts, virtual currency accounts, and other sensitive information. Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques. 

Social engineering involves a criminal actor impersonating a victim and tricking the mobile carrier into switching the victim's mobile number to a SIM card in the criminal's possession. Criminal actors using insider threat to conduct SIM swap schemes pay off a mobile carrier employee to switch a victim's mobile number to a SIM card in the criminal's possession. Criminal actors often use phishing techniques to deceive employees into downloading malware used to hack mobile carrier systems that carry out SIM swaps.

Once the SIM is swapped, the victim's calls, texts, and other data are diverted to the criminal's device. This access allows criminals to send 'Forgot Password' or 'Account Recovery' requests to the victim's email and other online accounts associated with the victim's mobile telephone number. Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim's number, now owned by the criminal, to access accounts. The criminal uses the codes to login and reset passwords, gaining control of online accounts associated with the victim's phone profile.

Consequences: A successful SIM swapping attack allows cybercriminals to take over the victim's phone number, which can have serious consequences, including unauthorized access to sensitive information and accounts. Once executed, attackers can intercept SMS messages, monitor voice calls, and gain control over multi-factor authentication codes. This allows them to compromise online accounts, potentially leading to data breaches, financial loss, and identity theft.

Solution: Countermeasures to put into place include:

1. Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
2. Do not provide your mobile number account information over the phone to representatives that request your account password or pin. Verify the call by dialing the customer service line of your mobile carrier.
3. Avoid posting personal information online, such as mobile phone number, address, or other personal identifying information.
4. Use a variation of unique passwords to access online accounts.
5. Be aware of any changes in SMS-based connectivity.
6. Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
7. Do not store passwords, usernames, or other information for easy login on mobile device applications.

References:

• https://thehackernews.com/2023/08/kroll-suffers-data-breach-employee.html
• https://www.forbes.com/sites/iainmartin/2023/08/21/blockchain-capitals-bart-stephens-lost-63-million-in-sim-swap-crypto-hack/?sh=3191da50f74c
• https://www.kroll.com/en/about-us/news/security-incident

Advisory ID: NCC-CSIRT-240823-032

Summary: Sophos researchers have uncovered Akira ransomware exploiting an undisclosed vulnerability in Cisco's virtual private network (VPN) software. This vulnerability potentially allows for authentication bypass in cases where multi-factor authentication (MFA) is not in place. The perpetrators behind Akira ransomware are capable of infiltrating corporate networks, exfiltrating data, and subsequently encrypting it.

Threat Type(s): Ransomware

Impact/Vulnerability: HIGH/HIGH

Product(s): Windows and Linux Systems

Platform(s):  Cisco Virtual Private Networks

Version(s): All Versions 

Description: The researchers noted a prevalent trend in Akira infiltrations, often initiated by threat actors utilizing compromised credentials, which can potentially be acquired from the dark web. Akira frequently gains access to targeted Windows and Linux systems through Cisco VPN services, particularly in cases where users have not implemented multi-factor authentication. Upon infecting a system with Akira, the malware takes steps to eliminate backup folders that might be employed for data recovery. Subsequently, it encrypts files with specific extensions and appends the ".akira" extension to each of them.

Cisco VPN solutions are extensively adopted in various sectors to establish secure, encrypted data transfer between users and corporate networks, especially for remote employees. According to the researchers, Akira follows the ransomware-as-a-service (RaaS) model and represents a rapidly escalating threat that capitalizes on compromised credentials to breach systems. A significant number of Akira victims lacked multi-factor authentication (MFA) on their VPNs. Additionally, the actors orchestrating Akira employ malicious email attachments, malicious ads, and pirated software as distribution vectors for the ransomware. Exploiting unpatched vulnerabilities in VPN endpoints is another avenue through which the threat spreads

Consequences: Akira’s attackers engages in double extortion tactics, exfiltrating victim’s data prior to encryption and threatening to release the data publicly unless a ransom is paid.

Solution: 

• Activate multi-factor authentication for your VPNs.
• Regularly back up your data.
• Exercise caution when encountering unexpected email attachments to prevent potential Akira ransomware infection.
• Consistently update and patch vulnerabilities in Cisco VPNs.
• Before interacting with ads, verify the authenticity of the site through its URL.

Avoid using pirated software and refrain from downloading unverified apps from Google Play.

References:

https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/

https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/

https://www.redpacketsecurity.com/akira-ransomware-targets-cisco-vpns-to-breach-organizations/

https://cyware.com/news/akira-ransomware-targets-cisco-vpns-to-breach-organizations-120e5b1c/

https://malwaretips.com/threads/akira-ransomware-targets-cisco-vpns-to-breach-organizations.125290/

Advisory ID: NCC-CSIRT-180823-031

Summary: Coral Tayar, a researcher at Cyberint, has identified a series of account breaches on LinkedIn. This has led to numerous accounts being either locked due to security concerns or completely taken over by attackers. In some cases, victims are forced into paying a ransom to regain access, while others face the possibility of their accounts being permanently deleted. These exploits can result in account takeovers, lockouts, and difficulties in resolving issues through LinkedIn's support system.

Threat Type(s): Ransomware

Impact/Vulnerability: HIGH/HIGH

Product(s): LinkedIn

Platform(s):  LinkedIn Social Media Platform

Version(s): All Versions 

Description: According to the researchers, attackers utilized two methods in exploiting LinkedIn accounts. The first method involves a temporary account lock, where victims receive an official LinkedIn email notifying them of the security measure. In such cases, the accounts themselves are not compromised; rather, suspicious activity or hacking attempts triggered the temporary lock. It's likely that threat actors attempted to breach accounts with two-factor authentication or conducted brute force attacks on passwords, prompting LinkedIn to block these efforts.

The second method, termed as a full account compromise, is more devastating. Here, victims' LinkedIn accounts are completely hacked, preventing them from independently recovering their accounts. Threat actors follow a specific process to make account restoration impossible. They gain access to the account and change the associated email address to another address, often using addresses generated through the 'rambler.ru' mail system. Subsequently, the threat actors alter the account password. By changing the email address, they effectively prevent victims from restoring their accounts via email, rendering recovery impossible. Some victims have received ransom messages (typically demanding a small sum) to regain access, while others have observed their accounts being deleted altogether.

Consequences: Malicious individuals might capitalize on compromised profiles for social engineering, deceiving others into participating in harmful actions while posing as a trusted co-worker or manager.

Solution: 

• Check your account by promptly logging in and confirming if you still have access. Verify that all your contact information is accurate and truly yours. In case you are locked out and unable to recover through your email, reach out to LinkedIn support immediately.
• Review your email inbox for any messages sent by LinkedIn about the addition of an extra email to your account. If you did not initiate this action and discover such an email, consider it a serious red flag. Ensure that you can still log into your account, change your password, and eliminate the added email address from your contact details.
• Utilize a strong and unique password exclusively for your LinkedIn account. Avoid reusing passwords across different platforms.
• Activate the two-step verification feature for enhanced security on your LinkedIn account.

References:
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/

https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/

https://twitter.com/search?q=linkedin%20account%20hacked

https://www.reddit.com/r/linkedin/comments/15cx1zg/mega_thread_so_your_linkedin_account_got/