ProxyLogon Updates 📧, US Cybersecurity Executive Order 🔐, Fleeceware apps make $400 million 💵

CyberLite Mar 30, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📰 News

Catching you up on everything important that happened this week…

🦊 Purple Fox Malware Automatically Spreads to Other Windows Computers

Purple Fox Malware has been on the rise with 90,000 infections being spotted since May 2020. Researchers from Guardicore analyzed the malware and found functionality to automatically search for vulnerable systems and infect them. Purple Fox searches for vulnerable services running on Windows computers like Server Message Block (SMB); this provides shared access to files and printers running on a network. Once it's found systems running vulnerable services it carries out a credential-stuffing attack to guess the password and gain access to the system.

The purpose of the Purple Fox Malware is to build a large botnet by infecting as many systems as possible. Previously Purple Fox relied on phishing emails alone to infect new victims, but developing other methods of infection will increase their success rate - we can expect to see other botnet operators following suit. Link.

📧 Microsoft Exchange Vulnerabilities Update

In some good news, Microsoft reported that 92% of Exchange Servers have now installed the patch that protects them from the set of vulnerabilities that have been dubbed ProxyLogon. For some background on these vulnerabilities check out a previous CyberLite issue. But we aren't in the clear yet as researchers have found automated scripts online allowing unskilled attackers to quickly exploit the vulnerabilities and take over a server. New strains of ransomware such as "DearCry" and "Black Kingdom" have also been found exploiting the vulnerabilities. Link.

🔐 New US Cybersecurity Executive Order

The US is eyeing up new cybersecurity requirements in response to the SolarWinds attacks. The Biden administration published a draft executive order detailing new cybersecurity measures. Software companies would be required to disclose any security issues and breaches to the government. The government would be required to keep a "software bill of materials" which would contain details of all the software currently used by the government. Finally, all vendors would have to keep extensive digital records and work with the FBI and Cybersecurity and Infrastructure Security Agency (CISA) when responding to security incidents. Link.

💸 California State Controller's Office Suffers Phishing Attack

An employee of the California State Controller's Office (SCO) fell victim to a phishing attack this week, which gave attackers access to the details of thousands of workers for over 24 hours. The California State Controller can be more easily thought of as the chief financial officer of the state - more than $100 billion in public funds is handled by the SCO each year. Attackers stole social security numbers and other personal details that they then used to carry out spear-phishing attacks on 9000 workers. Link.

📱 TikTok’s Privacy and Security is “Sufficient”

A security analysis of TikTok carried out by CitizenLab has concluded that the US version has sufficient measures in place to protect privacy and security. The report compared TikTok to Facebook and found no strong deviations in practice between the two companies. Link.

🤔 Facebook Uncovers Threat Actors Targeting Uyghurs

Facebook has uncovered a group of bad actors using the platform to target journalists and activists within the Uyghur community operating outside of China. These bad actors have been using Facebook to lure victims into installing surveillance software on their devices. The attacks are the suspected work of a threat actor known as Evil Eye, who has also been responsible for creating malicious Android apps targeting Uyghurs. Link.

🧒 Fleeceware apps target children

Avast has carried out a survey of over 200 "fleeceware" applications and found that they’ve made $400 million in revenue, primarily by targeting unsuspecting children. The apps offer a short trial period, after which the subscription fees start coming in thick and fast. The highest fee that researchers found was $66 a week. Link.

🛢 Shell Suffers Cyberattack

Recently the Clop and FIN11 ransomware gangs have been exploiting organizations that are still using a vulnerable version of Accellion's File Transfer Appliance (FTA). Their victim this week was petrochemical giant Shell. Attackers were able to access files that Shell was transferring using FTA, but thankfully no other files were accessed. Link.

🛠 Hobby Lobby Leaks Customer Data

A security researcher uncovered 300,000 Hobby Lobby customer records exposed in a publicly accessible Amazon Web Services (AWS) database. Storing data in the cloud is generally more secure than storing it on your own servers, but you still need to set it up correctly... it isn't magic. Link.
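"Setting it up correctly" usually comes down to the resource's access policy. The newsletter does not say which AWS service held the Hobby Lobby data or how it ended up reachable, so the following is an added example rather than anything from the incident: it uses two constructed S3 bucket policies (the same JSON policy shape AWS uses for other resource policies), one that grants read access to everyone and one restricted to a single IAM role, and a small checker that flags Allow statements whose Principal is the wildcard `*`. The bucket name, the role name and the account ID `123456789012` (the placeholder AWS uses in its own documentation) are assumptions.

```python
import json

# Constructed policy documents for the example; not the policy from the reported leak.
# Weak: anyone on the internet may list and read the bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryoneRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-customer-data",
                "arn:aws:s3:::example-customer-data/*",
            ],
        }
    ],
})

# Corrected: only one application role may read objects, and unencrypted transport is denied.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-customer-data/*",
        },
        {
            # A Deny with a wildcard principal is a hardening statement, not an exposure.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-customer-data",
                "arn:aws:s3:::example-customer-data/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*" or {"AWS": ..., "Service": ...}) into a list of strings."""
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def public_statements(policy_json):
    """Return (Sid, actions, has_condition) for every Allow statement granted to the wildcard
    principal. A Condition may narrow such a grant, so it is reported rather than assumed safe."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        findings.append((sid, _as_list(stmt.get("Action", [])), "Condition" in stmt))
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        found = public_statements(policy)
        if not found:
            print(f"{name}: no wildcard-principal Allow statements")
        for sid, actions, conditioned in found:
            note = " (conditioned, review the Condition)" if conditioned else " (open to everyone)"
            print(f"{name}: {sid} grants {actions} to *{note}")
```

A check like this belongs in the pipeline that deploys the policy, not only in a one-off audit, and for S3 specifically it should sit alongside the account-level Block Public Access setting so that a wildcard grant is rejected even if a reviewer misses it.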

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

📱 Google disclosed a zero-day memory corruption vulnerability affecting Android phones that use processors from Qualcomm (the large majority). The vulnerability required an attacker to have physical access to the device, or have already installed malware to gain remote access. Link.

🔓 A vulnerability in an older version of OpenSSL has been disclosed. Normally sites must have a valid certificate from a trusted certificate authority (CA) in order to communicate using OpenSSL. This vulnerability allowed sites without a trusted certificate to use OpenSSL and appear to users as if they were secure. OpenSSL is a software library that implements the Transport Layer Security (TLS) Protocol. If you want to get your head around TLS and CAs, here's an explainer that I wrote for a previous issue. Link.

🍏 Apple patched a zero-day weakness in WebKit which runs across all of its operating systems and powers the Safari browser. The vulnerability could result in universal cross-site scripting (UXSS) attacks when processing maliciously crafted web content. Link.

⚡ General Electric's (GE) Universal Relay power management devices were affected by a slew of vulnerabilities this week. If exploited they would give attackers control over the flow and direction of electric power. Link.

🏫 Researchers discovered a vulnerability in the popular remote learning software Netop that allows teachers to control students' devices remotely. If exploited it would allow attackers to execute their own code and take over Windows computers. Vulnerabilities in software that provides remote access to systems are particularly scary. Link.

💻 Adobe has issued an unscheduled security update to fix a vulnerability in their ColdFusion platform that's used for building web applications. It could allow attackers to execute their own malicious code - but Adobe isn't aware of the vulnerabilities being exploited in the wild. Link.

🌐 Two vulnerabilities in the WordPress plugin Thrive Themes are being actively exploited. The more serious of the two would allow an attacker to overwrite a file on the website with their own malicious code. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

💵 A fantastic video from Mark Rober where he works with a bunch of other creators to send "glitterbombs" to online scammers. Whilst being a ton of fun, this also gives you a look at how online banking scams make so much money. Link.

💡 Does your Lava lamp really need to be connected to the internet and have its own app... probably not. Here's an article from Todd Weaver about this frustration and how he hacked his own lava lamps to make them secure. Link.

🔫 Wired on the dire possibility of cyberattacks on weapons systems. Link.

💾 A deep dive into the economics of making processors from TechAltar. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
