Barracuda

Security, Access and Reliability for Cloud-Connected Networks and Applications

Jonathan Tanner

Threat Spotlight: Ongoing “Sextortion” Scam Utilizes Breach Data

by

Cybercriminals are nothing if not creative and opportunistic. Major world events have been used as a premise for spam and phishing attempts countless times in the past. International money scams use premises from multi-million-dollar inheritances to stranded travelers to defraud more gullible and less security-conscious internet users. Mix in some personal information and (fake) blackmail, and you have one of the most recent major phishing campaigns and the subject of this month's Threat Spotlight.

Highlighted Threat:

Sextortion Scam – Attackers use passwords stolen in past data breaches to trick users into paying Bitcoin to avoid having a compromising video, which attacker claim to have recorded on the victim’s computer, shared with all their contacts.

In this Threat Spotlight, @Barracuda examines sextortion scams where attackers use passwords stolen in a past #databreach to trick users into paying to avoid having a compromising video released Click To Tweet

[Read more…] about Threat Spotlight: Ongoing “Sextortion” Scam Utilizes Breach Data

Threat Spotlight: Caught in the Wild—Millions of Phishing Attempts each Month try to Hook your Users

by

When Barracuda first opened shop as an email security company nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious—a lot has changed since then. Today, criminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defense is the human firewall.

The human what? You know, in a world where organizations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at HQ and everywhere else—the only thing between your company and a ransomware attack, could be whether or not your users click, or don’t click on a malicious link.

Let’s take a closer look at the types of phishing emails your users are up against each day, and what they can do to stay safe from creative cybercriminals.

[Read more…] about Threat Spotlight: Caught in the Wild—Millions of Phishing Attempts each Month try to Hook your Users

Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt

by

We’re closely tracking an alarming threat that’s currently aiming to take advantage of careless or untrained users in a possible effort to distribute ransomware and other forms of malware—here’s what we’ve found.

Highlighted Threat: Attackers are using a variety of techniques in an attempt to launch a Quant Loader trojan capable of distributing ransomware and password stealers.

The Details:

In the world of email, an unfamiliar file extension—especially one that is compressed alone in a ZIP file—is often a sure sign of a new malware outbreak. This was no exception when zipped Microsoft internet shortcut files with a “.url” file extension started showing up in emails claiming to be billing documents last month. These shortcut files use a variation on the CVE-2016-3353 proof-of-concept, containing links to JavaScript files (and more recently Windows Script Files). However, in this instance the URL was prefixed with “file://” rather than “http://” which fetches them over Samba rather than through a web browser. This has the benefit of executing the contained code using WScript under the current user's profile rather than requiring browser exploitation, although it does prompt the user before doing so. The remote script files are heavily obfuscated, but all result in downloading and running Quant Loader when allowed to execute.

[Read more…] about Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt

Threat Spotlight: Attached Password Stealer

by

Earlier this month we revealed a new security advisory platform — Barracuda Security Insight, which provides real-time threat intelligence and risk information to help raise awareness about the current IT security threat levels. One of the reasons we’re excited about the platform is because anyone with Internet access can use it as a way to check in on the different threats that might be lurking around the web.

For example, if we’re seeing an uptick in PDFs that contain malware, Barracuda Security Insight will flag this threat as a “critical alert,” with a description of the threat so people know what to avoid as they go about their day. For this month’s Threat Spotlight, we are taking a look at a recent “critical alert” that was flagged by Security Insight for attempting to steal user passwords by using attached Word or Excel documents that claim to be tax forms or other official documents. Cybercriminals regularly go after user passwords and credentials; however, we’re continuing to see criminals come up with clever ways to persuade users into sacrificing their sensitive information. Here’s what we found this time:

Highlighted Threat:

Password Stealers — Cybercriminals are using common attachment file types to steal user passwords.

[Read more…] about Threat Spotlight: Attached Password Stealer

NotPetya – Both More and Less than it Seems

by

This week has been abuzz with articles on the new Petya outbreak, now being commonly referred to as NotPetya. Initially, the new malware outbreak was observed to have many of the same characteristics of the Petya ransomware from last year as it rewrites the master boot record of victim's computer with a ransom note claiming that the disk has been encrypted and giving instructions on how to pay the ransom to recover files. Early on, differences in NotPetya were noted such as using a single email address as a point of contact rather than using the Tor network to facilitate ransom payment and recovery key distribution. On June 28th, https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b revealed that NotPetya is, in fact, a disk wiper and not ransomware, overwriting the disk in a way that is not reversible, likely much to the dismay of those infected.

Click here for larger image
[Read more…] about NotPetya – Both More and Less than it Seems

Fileception – Malicious Files Embedded in Other Files (Again)

by

Combining file formats is one of many techniques attackers use in an attempt to evade detection. One such instance I've already written about where JavaScript files were embedded into Microsoft Word documents . This previous technique was amidst a long-running and still ongoing campaign of JavaScript malware, simply leveraging the same payload in a new container to throw off detection systems. Shortly after the writing of the previous blog post, Microsoft Word document-based malware (typically with macros rather than JavaScript) was on the rise. Once again the same principle has been leveraged, this time encapsulating the macro-containing Word malware into Adobe Acrobat files (PDFs).

[Read more…] about Fileception – Malicious Files Embedded in Other Files (Again)

JavaScript Malware Gets a New Look

by

Since at least December 2015, JavaScript has been a popular attack method for email malware. The most common distribution method was as a heavily obfuscated JavaScript file inside of a ZIP file and outbreaks of this sort peaked during spring and early summer of 2016. Recently this sort of attack has subsided greatly and older-style Microsoft Word documents (OLE-encoded) with macros have seemed to become the preferred delivery method of email-based malware.

Recently, however, some malware samples were brought to my attention that were quite unique and yet all-too-familiar upon analysis. They were the newer OOXML version of Microsoft Word documents (commonly seen with the docx file extension, as they were in this case). As this file type is basically a ZIP file containing various other files, including XML as the type suggests, it was easy to extract the files and take a look. To my surprise, no macros were present in the document. In fact, the only noteworthy files were two OLE-encoded files which are most commonly used for embedding content from a different Microsoft Office application, such as a chart from an Excel spreadsheet. Using a common tool for analyzing OLE files on the first and larger of the two files led to an interesting find: something very reminiscent of our old friend, JavaScript.

[Read more…] about JavaScript Malware Gets a New Look