The Good, the Bad and the Ugly in Cybersecurity – Week 49

The Good

It’s been a great week for law enforcement. Just after we went to press last week, Interpol announced the arrest of over 1000 cyber criminals in an operation codenamed HAECHI-II (In Korea, Haechi is a popular mythical animal widely used as a symbol of justice).


In raw arrests, that’s twice as successful as its predecessor, HAECHI-I, earlier this year, which itself resulted in the arrest of 500 cyber fraudsters. The latest operation took place in twenty countries and intercepted $27m of illicit funds. Cyber cops also froze 2,350 bank accounts connected to various forms of online crime, including money laundering, investment fraud and romance scams.

Meanwhile, there have been welcome developments in a case we reported on back in October involving bulletproof hosting services that aided and abetted cybercrime. The third of the four men indicted under RICO charges has now been sentenced.

Aleksandr Grichishkin received a 5-year prison term for his role as a “founder and leader” of a gang that rented out IP addresses, servers and internet domains to spread malware such as Zeus, SpyEye, Citadel and the Blackhole Exploit Kit. Grichishkin’s sentence follows two- and four-year terms handed down to his co-conspirators. A fourth individual, Andrei Skvortsov, is yet to be sentenced. He faces a maximum penalty of 20 years.

The Bad

“Watch out for the quiet ones at the back” is a good adage in security generally, and in cybersecurity in particular it points at the unnoticed devices, such as printers and IoT machines, that sit on our networks largely forgotten when it comes to endpoint protection.

This week, HP printers came to the forefront again as researchers disclosed details of flaws that could be used by attackers in remote as well as physical attacks. In one scenario, a user could be socially engineered to print out a malicious PDF containing an exploit for a font-parsing vulnerability. Just printing the document can give an attacker code execution rights, allowing data theft or lateral movement across the network.


On top of that, one of the vulnerabilities found is wormable, meaning that compromising one printer on the network could lead to the compromise of any other connected devices that are vulnerable to the same bugs. Researchers say around 150 models of multi-function printers (MFPs) are affected. The flaws, tracked as CVE-2021-39237 and CVE-2021-39238, were patched last month by HP.

The disclosure follows SentinelLabs’ discovery in July of high-severity flaws in HP, Samsung and Xerox printer drivers that affected millions of printers worldwide and could allow unprivileged users to run code in kernel mode.

While such attacks are by no means “low-hanging fruit” to exploit, the fact that network printers are often forgotten, unpatched and unprotected means they can present an attractive target for attackers. Ensuring you have visibility into everything connected to your network, particularly IoT devices like printers, is a must.

The Ugly

As the world continues to wrestle with the ongoing COVID-19 pandemic, threat actors have lost no time exploiting fears around the new Omicron variant in phishing lures.

This week’s egregious example involves an email scam purporting to come from the UK’s National Health Service offering recipients a free Omicron PCR test.

The email, which comes from a scam email address ([email protected]), contains a “Get it now” button with a link to a fake NHS website. According to UK consumer watchdog Which?, the site directs users to enter personal details including full name, date of birth, address and phone number.

The email also contains plenty of the usual scare tactics to encourage people to click through to the malicious website. “What happens if you decline a COVID-19 Omicron test?”, the email asks, and goes on to state that “…we warned that testing is in the best interests of themselves, friends, and family. People who do not consent…must be isolated”.

The fake NHS website looks convincing and includes reassurances about “protecting the privacy” of personal information.


The “free” offer turns out to require victims to pay £1.24 for delivery of the phony test. The small amount of the charge serves both to add authenticity and to disguise the scammers’ real intent: gathering the payment details of the victims for account takeover, fraud, and identity theft.
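The signals in this lure are the ones a mail-filtering rule or a triage script can check for: a sender domain that is not the NHS’s own, a call-to-action link that points at a look-alike site, fear-based wording, and a small charge attached to a “free” offer. The following is an added example written for this post, not code from Which?, the NHS, or SentinelOne. The sample emails are constructed (the `.example` domains are reserved placeholders, not the real scam address), and `NHS_DOMAINS` is an assumption kept deliberately short for illustration.

```python
# Added example: heuristic triage of an email that claims to come from the NHS.
# Sample messages below are constructed for this example; no real lure is reproduced.
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: the domains the NHS legitimately sends from or links to.
# A production list would be maintained from policy, not hard-coded here.
NHS_DOMAINS = {"nhs.uk", "nhs.net"}

# Pressure phrases mirroring the scare tactics quoted in the scam email.
SCARE_PHRASES = [
    "what happens if you decline",
    "do not consent",
    "must be isolated",
]

# Constructed sample of a lure: spoofed NHS branding, look-alike link, "free" offer with a fee.
CONSTRUCTED_SCAM_EMAIL = """\
From: NHS Test and Trace <noreply@nhs-omicron-test.example>
To: resident@example.net
Subject: Free Omicron PCR test - act now
Content-Type: text/plain

Get it now: https://nhs-omicron-test.example/apply
What happens if you decline a COVID-19 Omicron test? People who do not
consent must be isolated. A delivery fee of 1.24 GBP applies.
"""

# Constructed sample of a benign message for contrast.
CONSTRUCTED_BENIGN_EMAIL = """\
From: NHS Test and Trace <no-reply@nhs.net>
To: resident@example.net
Subject: Your test result is available
Content-Type: text/plain

Sign in at https://www.nhs.uk/ to view your result.
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for co.uk / gov.uk style hosts."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "gov", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(msg) -> str:
    """Domain part of the From header, or '' if none is present."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def extract_links(body: str) -> list:
    """All http(s) URLs in the message body."""
    return re.findall(r"https?://[^\s<>\"']+", body)


def triage(raw_email: str) -> dict:
    """Return the list of suspicious signals found and an overall verdict.

    The verdict is 'suspicious' when two or more independent signals fire,
    so a single false positive (e.g. one scare phrase) does not flag a message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    subject = msg.get("Subject", "")
    findings = []

    # Does the message present itself as NHS mail at all?
    claims_nhs = "nhs" in (msg.get("From", "") + subject).lower()

    sdom = sender_domain(msg)
    if claims_nhs and registrable_domain(sdom) not in NHS_DOMAINS:
        findings.append(f"sender domain {sdom} is not an NHS domain")

    for url in extract_links(body):
        host = urlparse(url).hostname or ""
        if claims_nhs and registrable_domain(host) not in NHS_DOMAINS:
            findings.append(f"link to non-NHS host {host}")

    # Collapse whitespace so phrases split across line breaks still match.
    lowered = " ".join(body.lower().split())
    for phrase in SCARE_PHRASES:
        if phrase in lowered:
            findings.append(f"pressure wording: '{phrase}'")

    # A "free" offer that nonetheless asks for a fee is the giveaway in this scam.
    if "free" in (subject + " " + lowered).lower() and re.search(r"\b(fee|charge|pay)", lowered):
        findings.append("'free' offer that asks for a payment")

    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("scam", CONSTRUCTED_SCAM_EMAIL), ("benign", CONSTRUCTED_BENIGN_EMAIL)):
        print(name, triage(sample))
```

On the constructed scam message all four signal types fire (six findings in total), while the benign message from an NHS domain with an NHS link produces none. The registrable-domain check is intentionally crude; a real deployment would use a public-suffix list and also examine the envelope sender and authentication results (SPF, DKIM, DMARC), which a display-name spoof like “NHS Test and Trace” does not survive.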

Anyone who suspects they may have fallen victim to the scam is advised to contact their bank immediately, cancel any cards used in the transaction, and change their account passwords. The Which? consumer service also provides help on how to retrieve money lost in a scam.