FBI: Phishing emails are spreading this sophisticated malware

An alert by the FBI and CISA warns that Trickbot - one of the most common and most powerful forms of malware around - is using a new trick in an effort to infect even more victims.

19th March 2021

A new spear-phishing campaign is attempting to infect PCs with Trickbot, one of the most prevalent and potent forms of malware around today, a joint advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned.

Trickbot started life as a banking trojan but has become one of the most powerful tools available to cybercriminals, who are able to lease out access to infected machines in order to deliver their own malware – including ransomware.

Now its authors are using a new tactic to attempt to deliver it to victims, warns the joint FBI and CISA alert – phishing emails that claim to contain proof of a traffic violation. The hope is that people are scared into opening the email to find out more.

The malicious email contains a link that sends users to a website, hosted on a server compromised by the attackers, that tells the victim to click on a photo to see the proof. When they click the photo, they actually download a JavaScript file that, when opened, connects to a command-and-control server that downloads Trickbot onto their system.
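The chain described above (browser download, JavaScript file opened by the Windows script host, script then calling out to a server) leaves a recognisable footprint in endpoint telemetry. The following is an added detection example, not code from the advisory or from ZDNet; the events are constructed Sysmon-style records, and the watched folder names and the "browser parent" assumption are my own choices:

```python
import re

# Constructed Sysmon-style telemetry, not real logs. EventID 1 = process creation,
# EventID 3 = network connection; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\photo_proof.js"'},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.js"},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\invoice.js"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Folders a browser or mail client drops files into (assumption; tune to your estate).
USER_DROP_DIRS = re.compile(r"\\(Downloads|Temp)\\", re.IGNORECASE)
JS_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.jse?)"?', re.IGNORECASE)


def detect_js_download_chain(events):
    """Flag Windows Script Host running a .js/.jse file out of a user download or
    temp folder; raise severity to high when that same process then makes a
    network connection (the script-to-C2 step in the advisory's chain)."""
    findings = {}
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            for path in JS_ARG.findall(ev.get("CommandLine", "")):
                if USER_DROP_DIRS.search(path):
                    findings[guid] = {"script": path, "parent": ev.get("ParentImage", ""),
                                      "severity": "medium", "network": []}
        elif ev["EventID"] == 3 and guid in findings:
            findings[guid]["network"].append(f"{ev['DestinationIp']}:{ev['DestinationPort']}")
            findings[guid]["severity"] = "high"
    return list(findings.values())


if __name__ == "__main__":
    for hit in detect_js_download_chain(SAMPLE_EVENTS):
        print(hit["severity"], hit["script"], "parent:", hit["parent"], "net:", hit["network"])
```

The admin-run `inventory.js` under `C:\Scripts` is deliberately left unflagged; the rule keys on the user-writable drop folder plus the follow-on connection, which is what separates the phishing chain from routine scripting.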

Trickbot creates a backdoor onto Windows machines, allowing the attackers to steal sensitive information including login credentials, while some versions of Trickbot are capable of spreading across entire networks.

The modular nature of Trickbot means it's highly customizable, with additional attacks by the malware known to include dropping further malware – such as Ryuk or Conti ransomware – or until recently, serving as a downloader for Emotet malware. Trickbot is also able to exploit infected machines for cryptomining.

A coalition of cybersecurity companies attempted to disrupt Trickbot in October last year, but the malware didn't stay quiet for long, with its cyber-criminal authors quickly able to resume their operations.

"The takedown efforts in October were unlikely to permanently disrupt or disable this very capable commodity malware that has been active on the threat landscape at scale for years. It has a strong infrastructure and the ability to continue operating," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.

"To completely remove Trickbot from the landscape would be extremely difficult and likely require a coordinated international law enforcement effort like we saw with Emotet. In fact, after the actions of October 2020, we saw Trickbot campaigns resume within weeks, and it has been active continually since," she added.

Trickbot remains a powerful tool for cybercriminals and a clear danger for enterprises and organizations of all sizes – but there are measures recommended by CISA and the FBI that can be taken in order to help protect networks from malware.

Providing social-engineering and phishing email training to employees can help them to avoid threats by being wary of certain types of messages.

Organizations should also be implementing a proper cybersecurity program with a formalized security patch management process, so attackers can't exploit known vulnerabilities to gain a foothold on the network. It's also recommended that multi-factor authentication is applied across the enterprise, so malware that steals login credentials to move across the network can't do so as easily.

Your insecure Internet of Things devices are putting everyone at risk of attack

IoT devices are becoming more and more popular, but many of the products people are installing don't come with adequate security - and that's something cyber criminals can take advantage of.

19th March 2021

Insecure Internet of Things (IoT) devices are potentially putting society as a whole at risk from cyberattacks because cybercriminals are able to exploit these common products that haven't been designed with any form of security in mind.

IoT products have become a staple in many homes and places of work because they're perceived as helpful to everyday life.

However, many IoT devices get installed onto networks without proper security procedures in place, either because the user isn't aware of how to boost the security of the device – for example, by changing the password – or the device doesn't come with a password or options for securing it at all.

In some cases, IoT devices are leaking data onto the internet because the vendor hasn't properly configured security – whether by mistake, or because of a requirement to rush it out to the market without adding security by design. Either way, poor security in IoT devices can have major consequences.

"It's not even just the damage that it can cause to you from the exposure of your personal data; it's the damage it can cause to really our whole society," Craig Young, principal security researcher at Tripwire, told the ZDNet Security Update video series.

"When you look back at IoT botnets – Mirai, for example – they've demonstrated that if you pull together all of these devices, you have some substantial resources."

Mirai caused major issues in 2016 when IoT devices infected with malware were roped into a botnet targeting online infrastructure provider Dyn with a massive DDoS attack, knocking a number of major services offline.

Each individual IoT device only has a small amount of computing power, but an army of millions of devices all directing traffic towards a single target is a powerful tool for online disruption. And with so many IoT devices available and easy to find on the internet, it's something that cybercriminals are looking to exploit.

"What I do worry about is when you've got products that are little computers that are pulling down firmware updates from some company that can get hacked and has that firmware replaced with malware. That's the doomsday scenario," said Young.

"There's a lot of reason to believe that vendors really don't take that infrastructure seriously; they're rushing out the door with features and not taking the time to lay the groundwork for security," he added.

And while there are initiatives aimed at improving Internet of Things security, and information security researchers are attempting to find and disclose problems so they can be repaired, for now it remains an issue because insecure IoT devices are so readily available.

"There are so many different companies in the IoT space and there are not enough security researchers going out of their way to work with them and fix these things," said Young.

Users can try to help ensure the IoT devices they install on their network are secure by, when possible, buying products from vendors that are known and trustworthy, rather than a cheap product from a vendor you've never heard of before. Users should also ensure that, when possible, the device isn't secured with a default password.