Ransomware's Big Week 🛢, New US Cybersecurity EO 📜, TeaBot Banking Trojan 💵

CyberLite May 18, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📰 News

Catching you up on everything important that happened this week…

🛢 Ransomware's Big Week

It's been one hell of a week for ransomware attacks; let's dive straight in.

On May 7th the Colonial Pipeline announced that, following a ransomware attack by the Darkside gang, it was going to temporarily shut down operations. The pipeline carries 45% of the fuel for the US East Coast, and the US government issued an emergency declaration in the 17 affected states. Fuel prices went through the roof as people started to panic and stockpile fuel.

In a bid to fix the issue as quickly as possible, Colonial paid the requested ransom of $5 million within hours of the attack, and Colonial was able to resume operations on Wednesday the 12th. Since then Darkside has announced that they're shutting up shop after their servers were compromised and their cryptocurrency wallets were drained. Nobody's officially claimed credit for the retaliation, but you don't have to be Sherlock Holmes to take a guess that the US may have been involved.

The attack shows just how dire the consequences of a ransomware attack can be, even if the attackers don't intend it. Analysts from Flashpoint working on the remediation efforts believe that the attackers didn't want to damage national infrastructure; they simply targeted Colonial because they believed it had suitable funds to pay a large ransom. Increasingly, gangs are "committing" to stop targeting hospitals, non-profits and a number of other types of organisations. Let's hope for everybody's sake these commitments are more than just hot air. KrebsonSecurity. Threatpost.

But that wasn't the only ransomware news this week... In April the Babuk ransomware gang successfully carried out an attack against the Washington DC Police Department. This week the gang leaked alleged conversations with the police in which negotiators offered only $100,000 of the $4 million that Babuk requested. As expected, Babuk responded by leaking every personal detail imaginable for 22 police officers, down to their financial details and handwritten signatures. Link.

Ransomware is a threat that we just can't get our heads around at the moment. France announced this week that it is preventing insurance company AXA from reimbursing any ransomware payments that victim companies make, in an attempt to make attacks less lucrative. Measures like these are steps in the right direction, but they won't have a big impact. At the moment there's a distinct lack of ideas on how to slow down the rise of ransomware. Link.

📜 Biden Signs New Cybersecurity Executive Order

Joe Biden has signed a new executive order that sets out stricter standards for all companies selling software to the government. It allows for easier information sharing between the government and private sector, mandates multi-factor authentication for the federal government, and also establishes a playbook for responding to cyber incidents.

All things that modern organisations should already do, but better late than never. Link.

🌐 Phishing Attack Disguises Malware as a Chrome Update

Victims of this attack received a text asking them to pay to get a package re-delivered - a very common phishing scam. But when victims clicked on the link they were taken to a webpage that asked them to "update" Chrome, and when they clicked the update button they were actually downloading malware onto their phone.

Attackers finished off the attack by asking victims to pay $1 or $2 to "release the package", but in reality the attackers were just harvesting their credit card details for future use. Link.

💵 TeaBot Banking Trojan

A new banking trojan going by the name of TeaBot has been seeing increased usage since March 2021. TeaBot targets certain banks' users and intercepts their authentication codes and credentials, all whilst masquerading as media and delivery services like VLC Media Player and DHL. Link.

🕵️‍♀️ Tracking Users Across Browsers

Security researcher Konstantin Darutkin has discovered an unconventional way of tracking users across browsers. It abuses a feature known as custom URL schemes, which allow specific applications to open when you type in a URL. For example, if you have Skype installed and type skype:// into a browser, a pop-up will appear asking if you want to open the link in Skype.

What the researcher was able to do was test a variety of different URL schemes and make a note of which generated a pop-up (where the application was installed) and which didn't. From there you can build up a profile of the user based on the applications they have installed. Whilst this won't be completely unique to every user, it's going to be pretty close - it's a really interesting and clever way to attempt tracking. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

🏠 Microsoft patched 55 vulnerabilities across all of its products in its May update. The most notable was a flaw that received a 9.8 CVSS score; it would've allowed an unauthenticated attacker to take over a user's computer by sending a specially crafted packet of data. Link.

📚 Adobe patched 43 vulnerabilities across 12 of its products. They disclosed a number of zero-day flaws in Adobe Reader that were being actively exploited. Technical details on all the vulnerabilities are yet to be released. Link.

🌐 Security researcher Mathy Vanhoef published details of WiFi "Frag Attacks" that could allow malicious code to be injected into a WiFi network to steal users' details. When Mathy discovered the vulnerability, 50% of routers were affected; however, over the past 9 months he's been working with most providers to create fixes for these flaws. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

🚗 Tesla's "full" self-driving mode is further off than Elon says. Self-driving is an immensely hard problem, and we've got a long way to go. Link.

📦 Apple's ATT and the removal of third-party cookies make online advertising increasingly hard, but who's benefitting? Amazon for one. Link.

🔎 With Apple's ATT now finally up and running how many users have chosen to enable inter-app tracking? Less than 15%... it's not a good month to be in advertising. Link.

🛒 Benedict Evans on all the questions that need answering about the future of the app store. Link.

💰 A Threatpost summary on how the ransomware economy operates. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Want to know about anything else I'm working on? Check out my personal site for links to everything I do.

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
