Tag Archive for: teams

Microsoft Teams users warned that hackers are using it to spread malware


 (Getty Images)

(Getty Images)

Microsoft Teams users have been warned of hackers spreading malicious programs into conversations on the app.

The files, which have the .exe format, write data to the Windows registry, install DLL files and create shortcut links that allow the program to self-administer, cloud security firm Avanan warns.

The company has apparently seen thousands of these attacks in the past month, inflicted on a minority of the 270 million monthly active Teams users.

The hackers are attaching the programs to Teams chats to install a Trojan on the end user’s computer. Once clicked, this program can then be used to install further malware.

Once this has been achieved, the hackers can compromise an email address and use that to access Teams.

If used with another phishing campaign, they could get access to Microsoft 365 credentials.

“Compounding this problem is the fact that default Teams protections are lacking, as scanning for malicious links and files is limited. Further, many email security solutions do not offer robust protection for Teams,” cyber security researcher and analyst Jeremy Fuchs said.

“Hackers, who can access Teams accounts via East-West attacks, or by leveraging the credentials they harvest in other phishing attacks, have carte blanche to launch attacks against millions of unsuspecting users.”

Since many people may still be unfamiliar with the Teams platform, they will simply trust and approve hackers’ requests for access – especially if the attacker pretends to be the chief executive or IT support.

People have been trained to second-guess identities in email, but it is easy to edit the name and appearance of a Teams profile, which makes it easier to gain the trust of the unsuspecting.

Avanan recommends that security professionals implement protection that downloads all files into a sandbox and inspects them for malicious content, and that they encourage users to seek support if they come across an unfamiliar file.

Source…

Hackers caught dropping malware into Microsoft Teams chats


Microsoft Teams users have been told to be on alert after hackers were spotted slipping malicious .exe executable files into conversations on the app.

The files in question are capable of self-administration and can write data to the Windows registry, install DLL programs, and create shortcut links, according to Check Point firm Avanan.

Hackers are likely to be using email spoofing to first gain access to Teams, before attaching malicious .exe files labelled “User Centric” to conversations, according to the researchers.

Upon clicking, the file will automatically take control of the user’s computer.

Avanan cyber security researcher and analyst Jeremy Fuchs said hackers “can steal Microsoft 365 credentials from a previous phishing campaign, giving them carte blanche access to Teams and the rest of the Office suite”.

After gaining access to Teams, circumventing any existing security measures is remarkably easy, Fuchs noted. Teams’ default protections are lacking, with limited scans for malicious files and links. Most email security solutions do not provide robust protection for Teams, adding to the problem.

Teams is particularly vulnerable given that end users implicitly and freely share sensitive information through the service.

“Medical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. Further, nearly every user can invite people from other departments and there is often minimal oversight when invitations are sent or received from other companies,” explained Fuchs.

Several steps can be taken to mitigate the attack potential, including installing a sandbox that downloads and inspects all files for malicious content, implementing multiple layers of security across all forms of communication, including Teams, and encouraging end users to flag suspicious files.

Source…

TrickBot teams up with Shatak phishers for Conti ransomware attacks


A threat actor tracked as Shatak (TA551) recently partnered with the ITG23 gang (aka TrickBot and Wizard Spider) to deploy Conti ransomware on targeted systems.

The Shatak operation partners with other malware developers to create phishing campaigns that download and infect victims with malware.

Researchers from IBM X-Force discovered that Shatak and TrickBot began working together in July 2021, with what appears to be good results, as the campaigns have continued until today.

A recent technical analysis from Cybereason provides more details on how the two distinct actors partnered to deliver ransomware attacks.

Attack starts with a phishing email

A typical infection chain starts with a phishing email sent by Shatak, carrying a password-protected archive containing a malicious document.

According to an October report by IBM X-Force, Shatak commonly uses reply-chain emails stolen from previous victims and adds password-protected archive attachments.

Example Shatak phishing email (Source: IBM X-Force)

These attachments contain scripts that execute base64-encoded code to download and install the TrickBot or BazarBackdoor malware from a remote site.

The distribution sites used in the most recent campaign are based in European countries such as Germany, Slovakia, and the Netherlands.

Shatak’s infection chain (Source: Cybereason)

After successfully deploying TrickBot and/or BazarBackdoor, ITG23 takes over by deploying a Cobalt Strike beacon on the compromised system, adding it to the scheduled tasks for persistence.

The Conti actors then use the dropped BazarBackdoor for network reconnaissance, enumerating users, domain admins, shared computers, and shared resources.

Then they steal user credentials, password hashes, and Active Directory data, and abuse what they can to spread laterally through the network.

Some signs of this activity include modifying registry values that enable RDP connectivity and changing Windows Firewall rules with the ‘netsh’ command.

Windows Defender’s real-time monitoring feature is also disabled to prevent alerts or interventions during the encryption process.
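The pre-encryption signs described above (scheduled-task persistence, RDP enabled through the registry, ‘netsh’ firewall changes, Defender real-time monitoring switched off) all surface in process-creation telemetry, so they can be matched as a group rather than as isolated alerts. The Python below is an added example, not code from Cybereason or IBM X-Force: the log lines are constructed, and the signature names and the three-stage escalation threshold are my own assumptions.

```python
import re

# Constructed process-creation log lines in a Sysmon-like "Image=... CommandLine=..." shape.
# Sample input made up for this example; line 5 is benign to show a non-match.
SAMPLE_LOGS = [
    r'Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\beacon.exe"',
    r'Image=C:\Windows\System32\reg.exe CommandLine="reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f"',
    r'Image=C:\Windows\System32\netsh.exe CommandLine="netsh advfirewall firewall set rule group="remote desktop" new enable=Yes"',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"',
]

# One signature per stage the article describes. Names are assumed, not a vendor taxonomy.
SIGNATURES = [
    ("scheduled_task_persistence", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    # fDenyTSConnections set to 0 enables Remote Desktop.
    ("rdp_enabled_via_registry", re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.I)),
    ("firewall_rule_modified", re.compile(r"netsh(\.exe)?\s+advfirewall\s+firewall\s+(add|set|delete)\s+rule", re.I)),
    ("defender_realtime_disabled", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
]


def scan(lines):
    """Return (line_number, signature_name) pairs for every log line that matches a signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((number, name))
    return hits


def assess(lines, threshold=3):
    """Count distinct stages seen on one host; at or above the (assumed) threshold,
    treat the combination as likely pre-encryption staging and escalate."""
    stages = {name for _, name in scan(lines)}
    return {"stages": sorted(stages), "escalate": len(stages) >= threshold}


if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOGS):
        print(f"line {number}: {name}")
    print(assess(SAMPLE_LOGS))
```

Each signature alone is noisy in a real estate (administrators legitimately create tasks and firewall rules); the value is in requiring several stages on the same host within a short window.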

The next step is data exfiltration, which is the final stage before the file encryption,…

Source…

How to improve relations between developers and security teams and boost application security


Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.

Veracode CTO Chris Wysopal shared the highlights of his career in application security during an OWASP event, including his 1998 testimony to Congress as a member of the hacking collective The L0pht. (Image: Chris Wysopal)

In December 1996, application security expert Chris Wysopal published his first vulnerability report. He found that data could be edited or deleted in Lotus Domino 1.5 if permissions were not set properly or URLs were edited. That security risk — broken access control — is the number one risk on OWASP’s 2021 Top 10 list of application security risks.

“We know about this problem really well and knowledge about the problem isn’t solving the problem,” he said.

Wysopal, who is Veracode’s CTO and co-founder, shared a short history of his time as an application security researcher, from his time with The L0pht hacker collective to testifying in front of Congress to doing security consulting with Microsoft in the early 2000s. Wysopal spoke during a keynote at OWASP’s 20th anniversary event, a free, live, 24-hour event held on Friday.

Wysopal said that he started out as an outsider in the tech world, which gave him a unique perspective to call out problems that software engineers, company leaders and government officials did not see. Over the last 25 years, appsec researchers have moved from critics standing on the outside looking in to professional colleagues working with software engineers to improve security.

“As William Gibson said, ‘The future is unevenly distributed,’ and I think we can learn from the past and learn from those already living in the future,” he said.

He shared advice on how to build closer working relationships among developers and security experts, as well as how the appsec profession has evolved over the years.

Building relationships to improve security

Wysopal said he sees the latest…

Source…