Novel Attacks are Making Their Way to Social Media

Social media attacks

So many attacks use phishing and vulnerability exploits that it’s tempting to focus on email security and vulnerability patching.

However, attackers continuously develop novel attacks to trick employees and invade your systems. As a result, you always need to stay informed, prepared, and continuously monitor your systems for problems.

Let’s take a look at some of the latest cyberattacks plaguing businesses right now.

Social Media Attacks

Social media: where the world gathers to share photos of pets, families, and make inconsiderate comments to one another. But, it’s also a path to novel attacks, as well.

Recently, Vietnamese hackers created a spearphishing campaign, using LinkedIn communication, to deploy malware instead of email.

Here’s how it works.

First, attackers find employees that might manage Facebook business accounts, with LinkedIn job titles such as “digital media” or “digital marketing.”

Second, attackers engage through LinkedIn, persuading victims to download a malware-loaded executable file through DropBox or iCloud, modified to appear like a PDF file.

Next, the malware steals session cookies and system information from Chrome, Edge, Brave or Firefox to enable hijacking of Facebook business accounts. Finally, hackers add themselves as administrators with full privileges, redirecting payments or financing their own Facebook Ad campaigns.

While Telegram and Discord don’t share LinkedIn’s professional reputation, many employees use their communication capabilities for personal or professional purposes. Attackers also determined the content-delivery-network aspect of these tools can also effectively deliver malware.

In these social media attacks, threat actors use the platform to host malware on a site unlikely to be blocked, while others use bots to steal MFA codes to compromise other accounts. As with phishing attacks, endpoint detection should block or detect the launch of most executable files involved with these attacks.

However, if the attack doesn’t affect local systems, some security monitoring teams might overlook such activity. You should caution your IT security teams to watch for session cookie theft. Further, caution your employees that any social media communication, just like email, can contain a phishing attack.

Side Doors and Backdoors

If an attacker gains access to an endpoint, they’ll first want to establish an innocuous presence from which they can take further action.

One of these novel attacks occurs through the use of Qbot malware. The Qbot phishing attack tricks victims into installing malware, often disguised as a PDF. When opened, however, it  drops malware that hijacks the ubiquitous Windows Calculator, creating a side door into the system.

The phishing attacks deliver a password-protected .zip file that executes a DLL hijacking attack. This, in turn, causes Windows Calculator to launch the virus.

By executing through an innocuous Windows routine, many investigators may ignore the event and miss the attack until the malware loads more dangerous programs to the endpoint.

Attackers have also found a new method to hide backdoors into unpatched Microsoft Exchange servers using Internet Information Services (IIS) web server extensions. Although attackers still use web shells to deliver their payload, many security teams have learned to remove web shell backdoors.

But, attackers now add the IIS extensions to provide a more subtle backdoor to access email mailboxes, run commands remotely, and steal data from the server. Since few attackers use malicious IIS files, many security teams overlook their use.

As a result, Microsoft advises customers to mitigate these attacks by patching servers and restricting access to IIS virtual directories.

Supply chain attacks via malware
Are you vulnerable to supply chain attacks? Click the image to read more.

The Antivirus Bypass

The Amadey Bot, sometimes used by nation-state attackers like Russia’s TA505, delivers malicious software, such as remote access trojans (RATs) and ransomware.

A new variant of the bot avoids antivirus detection by hiding malware inside cracked software or the fake keys used to activate pirated software.

Once launched, the malware creates persistence by lodging itself as a startup folder and as a scheduled task. The malware also detects and actively bypasses 14 antivirus tools such as BitDefender, Sophos, and Windows Defender.

Of course, the Amadey Bot depends on users trying to install pirated software – something you shouldn’t do anyways.

Don’t try to save a few dollars by downloading pirated versions of the software you need. Always purchase your software through legitimate channels, with installation by someone you trust.

Your IT security teams should also monitor and flag any unauthorized software installations for deeper investigation.

What is PII and why does its security make such a big difference
Related: Personal information could be putting your business at risk (click image to learn more)

Counter Novel Attacks Through Consistency

Novel attacks can catch anyone by surprise, but even a successful technique requires attackers to execute the rest of their agenda.

Whether their goal is data exfiltration, ransomware, or a wiper attack, attackers still need to load other malware, navigate your network, and touch or transfer sensitive data.

A layered IT security strategy bolstered by continuous monitoring provides you multiple opportunities to catch attacks in action, limiting their impact.

Blue Bastion, along with the support of Ideal Integrations, can off you the protection you need. Just contact us at 412-349-6680, or fill out the form below, and our security experts will provide a no-obligation discussion on improving your cybersecurity.

As always, stay vigilant.

Secure Your Business With Blue Bastion - Contact Us Today!