In the Know - Cyber Security update - Week of June 26th 2017
Eric Brown 07/03/2017
3 Minutes
1.  Blank Slate Ransomware CampaigniStock-518729653 (1).jpg

Empty email messages that don’t have a body, but contain an attachment are something to be mindful of.  If this type of email makes it through your spam and malware filters its best to delete it right away.   However, a new Blank Slate campaign has emerged which contains a Microsoft-themed email body.  The email suggests that your Microsoft account was just logged into and that if you didn’t do so then you should click on a link to report that you didn’t login.   Once you click on the link it will download a zip file which containing javascript which leads to crypto ransomware.

Paloalto networks describes the infection chain like this:
  • Attacker’s botnet sends malspam to the intended recipient.
  • User ignores security warnings and opens the zip archive included in the malspam.
  • User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file.
  • User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file.
  • Word macro or .js file retrieves a ransomware executable from a web server.
  • Word macro or .js file executes the ransomware on the user’s computer in the user’s security context.

Here is a informative writeup on Blank Slate emails by Brad at the Internet Storm Center:

2.  A carefully crafted phishing email scams 19 Boston Public School staff members out of $40,000.
Malicious actors used previously obtained employee IDs and email addresses to phish several Boston Public School employees.  The scammers phished the BPS employees by sending an email that appeared to come from their technology department with instructions to verify their account information. 

Once the employees who fell for the phishing attack followed the instructions in the email to verify their account information, the scammer could log into the account and edit banking information to re-direct direct deposits to another account.

The city of Boston will be reissuing checks to the affected employees.

3.  NotPetya – a Wiper, not Ransomware

NotPetya is a global variant of malware that seeks to destroy systems by irrecoverably encrypting them.  The malware uses several sophisticated tools to move through a network, including NSA stolen EternalBlue and EternalRomance SMB exploits.  In general, it seeks to gain administrator access on a machine and then leverage a privileged state to infect other machines on the same network. 

This is a bad one and patching alone won’t protect vulnerable computers.  Other prevention methods include an up-to-date antimalware solution, disabling SMBv1, blocking outside access to ports 137, 138, 139 and 445, and limiting the control local administrators have on the network.

4.  Your new internet connected refrigerator could be involved in a cyber-attack right now. 
Internet connected devices, often referred to as IOT (Internet of things) devices, are coming online at an explosive rate.  One research firm, Statista, projects the number of connected devices to grow to 75 billion by 2025.  That’s enough for every single person on the planet to have 9 internet connected devices (projected world population of 8B in 2025).

Many IOT devices connected to the internet still have the default usernames and passwords that were shipped with the device.  Last year the Mira malware took control of unsecured IOT devices to build botnets.  These botnets were responsible for creating a large scale attack against a DNS provider and a service provider that resulted in knocking several large websites offline.  Services affected by the attack included Airbnb,, BBC, Netflix, PayPal, Reddit, Xbox Live, and dozens of others.

While regulators work out how to make IOT devices more secure out of the box, you can take steps to secure your own devices by making sure that the default passwords are changed, and not connecting devices to your network if the online features won’t be used.

5.  Android malware posing as Adobe Flash Player Update

An evolution of Marcher, a banking malware that steals banking credentials and credit card details, is back.  This time payloads are disguised as Adobe Flash Player files.  After opening the malicious dropper URL, the user will be prompted with a message stating that the device’s Flash Player is out of date and that “Adobe_Flash_2016.apk” will be downloaded to the user’s device.

Once the malware is installed it waits for the user to open an app from its targeted list (currently 40 financial apps).  When the app is opened, the malware overlays a fake login page to capture credentials.

If you have an android phone, ensure you only download apps from a legitimate app store (Google, Amazon, Samsung, etc.).  Having an up-to-date anti-malware program can also help keep your device protected.

Zscaler provides a list of the 40 financial apps targeted by the Marcher variant:


Related Posts

It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout.

Cole Goebel 26 March, 2024

Why Your Cybersecurity's Biggest Risk Likes Coffee Breaks: The Human Element

Discover how the human element can be the biggest threat to cybersecurity and how tools like…

Matt Kanaskie 16 January, 2024

Minnesota’s Whole of State Cyber Security Plan

The state of Minnesota has delivered, alongside some bitter cold, a new initiative aimed at helping…