Alert to Linux administrators, attack on Outlook and crooks cashing in on online games
Welcome to Cyber Security Today. It’s Friday August 28th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Attention administrators of Linux systems: Security researchers at Sophos Labs have discovered a new campaign to infect Linux servers with software that secretly uses their computing power to mine cryptocurrency for criminals. This gang, which Sophos calls Lemon Duck, starts by hacking desktop computers at companies through infected emails with COVID-19 themes. Once a machine is infected, if the victim uses Microsoft Outlook the malware copies the contact list so it can send those people infected messages too. The interesting thing about this campaign is that the subject lines change automatically, from something like “The Truth of COVID” to “Health Advisory Coronavirus” and others, so no one can simply watch for a single suspicious message. Ultimately what the latest malware hunts for are Linux servers. It breaks into them through a brute-force attack: it tries the standard administrator username “root” against a long list of commonly used and stolen passwords. Once it guesses right, it installs the cryptomining software. Bottom line: This attack can be stopped in several ways. First, be on the lookout for email scams; don’t trust a message just because it came from someone you know. Second, administrators need to make sure Windows systems have the latest security updates, because this attack looks for vulnerable Windows systems. And third, Linux administrators need to make sure root cannot log in remotely with a password (password logins for root disabled in the SSH server, key-based authentication only) and that every user has a unique, strong password.
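To make the brute-force part concrete, here is an added example (not code from Sophos, and not part of the original podcast) that scans sshd log lines for repeated failed root password attempts from one source inside a short window, and checks an sshd_config for the two settings that let such guessing succeed. The log lines, addresses, config snippets and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (not taken from the Sophos
# report). The addresses are from documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Aug 28 03:14:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2
Aug 28 03:14:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51530 ssh2
Aug 28 03:14:05 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51538 ssh2
Aug 28 03:14:08 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51544 ssh2
Aug 28 03:14:11 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51552 ssh2
Aug 28 03:14:13 web1 sshd[2221]: Failed password for root from 203.0.113.7 port 51560 ssh2
Aug 28 03:14:40 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2
Aug 28 03:15:02 web1 sshd[2250]: Failed password for invalid user admin from 203.0.113.7 port 51600 ssh2
Aug 28 09:00:00 web1 sshd[3001]: Failed password for root from 198.51.100.20 port 41234 ssh2
"""

# Constructed sshd_config fragments: the weak settings beside the hardened ones.
WEAK_SSHD_CONFIG = """\
# constructed example, not a real host's config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Matches OpenSSH's "Failed password" line; the optional "invalid user" marks
# guesses against accounts that do not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2020):
    """Return (timestamp, user, ip) for each failed password line; other lines are skipped.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2020 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, user): count} for every source that produced at least `threshold`
    failures against one account inside some interval no longer than `window`."""
    by_key = defaultdict(list)
    for ts, user, ip in events:
        by_key[(ip, user)].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def sshd_findings(config_text):
    """Flag settings that leave root open to password guessing. sshd honours the first
    occurrence of each keyword, so the first one wins here too (Match blocks are not
    modelled; assumption: none present)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    prl = seen.get("permitrootlogin")
    if prl == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password; set 'no' or 'prohibit-password'")
    elif prl is None:
        findings.append("PermitRootLogin unset: default was 'yes' before OpenSSH 7.0; set it explicitly")
    if seen.get("passwordauthentication", "yes") == "yes":   # OpenSSH default is yes
        findings.append("PasswordAuthentication yes (or unset): prefer key-based authentication")
    return findings


if __name__ == "__main__":
    for (ip, user), n in find_brute_force(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"brute force: {n} failed logins for {user!r} from {ip} within 60s")
    for finding in sshd_findings(WEAK_SSHD_CONFIG):
        print("config:", finding)
```

In the sample the six failures for root from 203.0.113.7 in twelve seconds are flagged, while the single failures for “admin” and from the second address are not; on a real host feed the detector from /var/log/auth.log or journalctl output and pair it with a blocking tool such as fail2ban.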
Researchers at Check Point Software have discovered a new attack campaign from the group running the QBot banking trojan. For over a decade this malware has been stealing banking passwords from victims. Sometimes other malware groups include it as part of their own infection process, which is what Check Point has seen. Earlier this month QBot resurfaced after a short rest. One of its new capabilities is copying and stealing email threads from users of Microsoft Outlook. The stolen addresses and threads are then used to send infected messages to more victims, so the malicious message arrives as a reply in a conversation the recipient already recognizes. Again, these messages may use a COVID theme as well as phony tax payment reminders and job recruitment offers. Most of the attacks were aimed at organizations in the U.S., Canada, the United Kingdom, Germany, Italy, Israel and India. IT departments and security teams have to watch for and inspect emails with suspicious attachments.
There’s money for cybercriminals in ransomware, in draining bank accounts, in stolen credit card numbers, and in certain online games. One of them is Fortnite. According to a report this week from researchers at Night Lion Security, one of the most profitable schemes for crooks involves stolen usernames and passwords for Fortnite accounts. Why? Because Fortnite players earn what are called V-Bucks from playing, and V-Bucks can buy items for characters in the game that make winning easier. The scheme starts with crooks collecting as many usernames and passwords as they can from breaches at other companies, then testing those combinations against Fortnite’s login to find the ones that work. This is called credential stuffing, and it works because many people use the same password for many logins, or easily guessed variations of it. The valid usernames and passwords are then put up for sale. The more information about the user that comes with the account, like their email address, the more valuable it is. Accounts of Fortnite players who hold rare character costumes called skins are even more valuable; the report says a skin can sell for between $2,500 and $10,000. Fortnite isn’t the only online game where stolen accounts are valuable. So are Roblox, RuneScape and Minecraft. The report estimates the entire hacked video game market is worth a billion dollars a year. The lesson here is don’t use the same password, or variations of it, for important accounts. And wherever possible add two-factor authentication to logins.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.