Cyber Security Headlines – November 19, 2021

PerSwaysion phishing campaign still ongoing, and pervasive

A phishing kit that has been used in thousands of attacks worldwide has been active for significantly longer than previously thought — and it continues to pose a potent threat to organizations across multiple sectors, new analysis shows. The kit, named PerSwaysion, is designed to give cybercriminals a way to launch a phishing campaign relatively easily and with little up-front effort. The most notable aspect of the threat is its use of Microsoft file-sharing services such as Sway, SharePoint, and OneNote to lure users to credential-stealing sites. The scheme involves potential victims receiving a well-crafted spear-phishing email with a non-malicious PDF attachment purporting to be a Microsoft file-sharing notification.


FBI: FatPipe VPN zero-day exploited by APT for 6 months

A threat actor has been exploiting a zero-day vulnerability in FatPipe’s virtual private network (VPN) devices as a way to breach companies and gain access to their internal networks, since at least May, the FBI has warned. The bug — patched this week — is found in the device software for FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing and reliability device for VPNs. The products are all types of servers that are installed at network perimeters and used to give employees remote access to internal apps via the internet, serving as part network gateways, part firewalls. According to the alert, the flaw allowed advanced persistent threat (APT) actors to exploit a file upload function in the device’s firmware to install a webshell with root access, which led to elevated privileges.


RedCurl corporate espionage hackers resume attacks with updated tools

RedCurl, a crew of highly skilled hackers specializing in corporate espionage, has resumed activity. The group attacked a large wholesale company in Russia twice this year, each time using carefully constructed spear-phishing emails carrying initial-stage malware. Active since 2018, RedCurl is responsible for at least 30 attacks against businesses in Russia, Ukraine, Canada, Norway, the UK, and Germany, the latest four of them occurring this year. The group is proficient at staying undetected for long periods, between two and six months, before stealing corporate data (staff records, documents about legal entities, court records, internal files, email history).

(Bleeping Computer)

Microsoft: Iranian state hackers increasingly target IT sector

Microsoft says Iranian-backed hacking groups have increasingly attempted to compromise IT services companies this year to steal credentials they could use to breach the systems of downstream clients. According to security analysts at Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU), this activity is part of a wider espionage objective to compromise entities of interest to the Iranian regime. “This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain,” Microsoft said.

(Bleeping Computer)

Thanks to our episode sponsor, Vulcan Cyber

The fact that CISA felt the need to release the massive “Known Exploited Vulnerabilities Catalog” recently says everything we need to know about the state of our collective cyber debt. Attend the Vulcan Cyber virtual summit on December 9th and learn how your peers are working to take on cyber risk and mitigate known vulnerabilities at scale. Go to and click the button at the top of the screen to register for the event.

4 in 10 organizations do not employ a CISO: report

A recent analysis from cybersecurity solutions provider Navisite revealed that over 45% of organizations don’t employ a Chief Information Security Officer (CISO). Of this group, 58% think their company should hire a CISO. Included in the report’s findings: 21% of respondents admit their company does not have a dedicated person or staff whose sole responsibility is cybersecurity, while 75% of respondents said their company experienced an increase in overall cybersecurity threat volume in the last year.


Apple sets Feb. 1 for return to office

Apple will let employees work for up to four weeks remotely each year as the company prepares for a gradual return to offices in 2022, according to a memo sent to staff on Thursday by CEO Tim Cook. Apple wants staff to return to offices on Feb. 1 to begin a “hybrid work pilot”, under which employees will work out of the office for one or two days each week. From March, those employees will then be at work Monday, Tuesday and Thursday, and from home on Wednesday and Friday. There are a number of teams at Apple which will not be part of the pilot due to their work requiring “a greater need to work in-person”.

(The Information)

Spear-phishing campaign exploits Glitch platform to steal credentials

A long-term spear-phishing campaign is targeting employees of major corporations with emails containing PDFs that link to short-lived Glitch apps hosting credential-harvesting SharePoint phishing pages, researchers have found. Glitch is a Web-based project-management tool with a built-in code editor for running and hosting software projects ranging from simple websites to large applications. The campaign appears to be targeting only employees working in the Middle East as “a single campaign” in a series of similar, SharePoint-themed phishing scams, Anderson wrote.


2021’s most common passwords revealed

On Wednesday, NordPass published its annual study of password use across 50 countries, the “Most Common Passwords” report, an evaluation of a database containing 4TB of leaked passwords, many of which originated from the US, Canada, Russia, Australia, and Europe. Of the top 10 most common passwords in 2021, 7 were variations on 1234567, with the other three being 111111, qwerty, and the word “password”. The researchers also found that a “stunning” number of people like to use their own name as a password. They suggest that many businesses still do not impose the same password security standards as online providers. In addition, ghost and forgotten accounts, hardcoded credentials, and the reuse of username and password combinations are still common problems.