New FileFix attack uses cache smuggling to evade security software

(Image from Google Gemini.)

BLUF: Threat actors are using a sophisticated variant of the FileFix social engineering attack, known as cache smuggling. It plants malicious ZIP archives in a victim’s browser cache. This enables execution of malware while bypassing security software checks for active file downloads or web requests.

The new FileFix campaign lures victims with a spoofed tool such as “Fortinet VPN Compliance Checker.” The user is told to copy a seemingly innocuous network file path and paste it into the Windows File Explorer address bar.

However, the text copied to the clipboard is heavily padded with spaces, concealing a malicious PowerShell command that is executed in headless mode when the user presses Enter.

The principle behind the attack is ‘cache smuggling’. When the user accesses the phishing page for the first time, JavaScript requests the browser to fetch a payload which has been disguised as a legitimate JPEG image. The browser caches this file, which actually contains a malicious ZIP archive.

The PowerShell script scans the local browser cache, extracts the hidden archive, and launches the malware from the local system without initiating any new web requests.

This method circumvents established security programmes that monitor network traffic or file downloads. The technique is being rapidly adopted by various threat actors, including ransomware gangs.

Action points

  • It is critically important to never copy and paste text or commands provided by an external website into operating system dialogue boxes, terminal windows, or address bars.
  • Organisationally, Endpoint Detection and Response (EDR) capabilities should be used that look for PowerShell scripts interacting with or manipulating browser cache files, or which execute in a hidden (headless) manner. These are clear indicators of this attack vector.
  • Browsers and security software should restrict or audit the automatic execution of files retrieved from the browser cache by command-line utilities.
  • Consider implementing’zero trust’ security policies that limit the execution of unrecognised executable files, even if they originate from what appears to be a local path, such as the extracted file from the cache.

Read more here.

Yearbook phishing campaign

by Morgan Brazier

A moderately sophisticated phishing campaign has been observed targeting multiple universities including Bournemouth University, Brighton and Warwick.

The email and subsequent registration portal masquerades as a university yearbook to harvest personally identifiable information (PII) and card details, tricking users into submitting payment and sensitive information by creating convincing emails already containing their first name and university.

Similar campaigns have been seen this time last year from different domains.

If you have been affected by this phishing campaign it is recommended you report the incident to both Action Fraud and the BU IT help desk:

https://www.actionfraud.police.uk

https://www.bournemouth.ac.uk/news/2019-03-04/contacting-it-service-desk

‘CovidLock’ Exploits Coronavirus Fears With Bitcoin Ransomware

From cointelegraph.com

Opportunistic hackers are increasingly seeking to dupe victims using websites or applications purporting to provide information or services pertaining to coronavirus.

Cybersecurity threat researchers, DomainTools, have identified that the website coronavirusapp.site facilitates the installation of a new ransomware called “CovidLock.”

The website prompts its visitors to install an Android application that purportedly tracks updates regarding the spread of COVID-19, claiming to notify users when an individual infected with coronavirus is in their vicinity using heatmap visuals.

Read more…

Elevated phishing activity at BU

For the past couple of days BU has been targeted through spear phishing emails. Users should be alert on any emails coming from student accounts with a subject related to academic activities (projects, guest lecturers, etc.)

TV licensing suffers data breach

Following this statement from tvlicensing.co.uk, customers who used their services to pay for their tv licensing fees between 29 August until around 3.20pm on 5 September 2018 may have their details compromised. The company reports that this was due to a technical update and during that period the transactions were not as secure as intended.

Weakness in WhatsApp Enables Large-Scale Social Engineering

From darkreading.com

Researchers at Check Point Software Technologies say they have discovered a dangerous weakness in the WhatsApp messaging app that gives threat actors a way to manipulate content in private and group conversations on the platform without raising any red flags.

The security vendor this week published a report demonstrating how an adversary could exploit the issue to change the identity of a message sender, alter the text of message replies, and send private messages spoofed as a public message to individual participants in a group.

More information here

Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email

From securityaffairs.co

Researchers found critical vulnerabilities in PGP and S/MIME Tools, immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

If you are one of the users of the email encryption tools Pretty Good Privacy and S/MIME there is an important warning for you.

A group of European security expert has discovered a set of critical vulnerabilities in PGP and S/Mime encryption tools that could reveal your encrypted emails in plain text, also the ones you sent in the past.

More information here