THE TIBERIUM BLOG - recent events, threats, and all things cyber


Some of the unjustified and truly ancient at Tiberium HQ are so old that they know Morse Code. Several have actually passed tests in it and used it in either fear/anger or from the comfort of their floating Gin Palace.  

Seems that Phishing/Hacking gangs or at least one of them have been using (amongst other techniques) none other than Morse Code to encode and exfiltrate credit card details from infected machines.  

In these days of Machine Learning and Artificial Intelligence-driven endpoint and traffic analysis algorithms, it is extremely unlikely that Morse Code would be identified as the carrier of data from a malware. So hats off to Microsoft for “disclosing details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials”. 

Whatever next? We suppose a code is a code and wait for the Enigma variations of the same Malware around the corner. 

The point is this; As detection strategies and technology become more complex, an obvious route for criminals is to go simple. For instance, the one-time pad is still used in places, often dangerous.  We have been interested in one-time pad automated implementations for some time and can only assume that the bad guys are too. More on this in a white paper to follow. 

The aforementioned Phishing campaigns are disguised as invoices that are just believable enough and just shocking enough to make even the hardiest of punters reach for the click. Very, very clever.  

User education remains key to avoiding exploit in the first place. We recommend a continuous education programme and testing with mock phishing emails supported by continuous education and never, ever pointing of fingers.  

Detection and response against this sort of activity must be automated. This is why Tiberium’s  (UK MSSP) managed Security Services FROST and MYTHIC take automated action following detection.

Apply these mitigations to reduce the impact of this threat:

  • Use Office 365 mail flow rules or Group Policy for Outlook to strip .html or .htm or other file types that are not required for business. Check your Office 365 antispam policy and your mail flow rules for allowed senders, domains, and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations—Office 365 honors these settings and can let potentially harmful messages pass through. Review system overrides in threat explorer to determine why attack messages have reached recipient mailboxes.
  • Turn on Safe Attachments policies to check attachments to inbound email. Enable Safe Links protection for users with zero-hour auto purge to remove emails when a URL gets weaponized post-delivery.
  • Avoid password reuse between accounts and use multi-factor authentication (MFA), such as Windows Hello, internally on high-value systems. In addition, always enable MFA for privileged accounts and apply risk-based MFA for regular ones. Finally, require MFA for local device access, remote desktop protocol access/connections through VPN and Outlook Web Access. These steps limit the value of harvested credentials, as well as mitigate internal traversal after credential compromise and further brute-force attempts made by using credentials from infected hosts.
  • Educate end users on consent phishing tactics as part of security or phishing awareness training. Training should include checks for poor spelling and grammar in phishing mails or the application’s consent screen, as well as spoofed app names and domain URLs, that are made to appear to come from legitimate applications or companies.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.

Advanced hunting

To locate specific attachments related to this campaign, run the following query:

// Searches for email attachments with a specific file name extension xls.html/xslx.html
| where FileType has "html"
| where FileName endswith_cs "._xslx.hTML" or FileName endswith_cs "_xls.HtMl" or FileName endswith_cs "._xls_x.h_T_M_L" or FileName endswith_cs "_xls.htML" or FileName endswith_cs "xls.htM" or FileName endswith_cs "xslx.HTML" or FileName endswith_cs "xls.HTML" or FileName endswith_cs "._xsl_x.hTML"
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| where EmailDirection == "Inbound"

Frost and Mythic

Regular readers with intact memories might recall us warning about the PrintNightmare (it has a name and a logo. It is a serious) issue which is easily exploited thanks to researchers publishing the exploit code. Turns out that this is now being seriously exploited by at least two RansomWare gangs

If you run a network, are responsible for servers, have confidential data, are on a Board of Directors with GDPR responsibility, you should be very worried about this. Here is some advice about what to do, and please do it as soon as you can: 

  • Board Director/CISO: Ask Your IT department if they have patched the PrintNightmare issue.
  • CIO: Make sure CVE-2021-1675 / CVE-2021-34527 is patched. Check vulnerability management reports. Keep checking, report daily at least.
  • Operations: Identify vulnerable devices and patch CVE-2021-1675 / CVE-2021-34527. Now!
  • Service providers: Patch and report risk and outstanding vulnerable devices to your customers. Daily at least. 

If you are technical and want to understand how this works and just how dangerous it is, look no further than this excellent article by Cisco Talos Threat Intelligence Research Team

As we pointed out in our prior blog, Microsoft’s Defender For Identity protects against this very attack, but we understand that not everyone has this up and running.  

Tiberium would love the opportunity to discuss our managed services with you or provide you with some advice and maybe some consultancy about how to move to best practice and also how to maximise your investment in Microsoft Technology.  

We absolutely love talking security. If you do too, contact us. Online, In the office, In Pub or Cafe. The choice is yours.  

Now the song, and a prize-winning opportunity! 

SOS was Abba’s third single and had a working title of ‘Turn Me On’. We could now be really cheesy and say something about all the security stuff available to you in your current licensed Microsoft products that are not turned on. But that would be beneath us. Honest. 

Would you like to win a Raspberry Pi with a case and a fan? (Kali Linux Installed if you like)? Of course, you would.  

The first correct answer wins: 

…- –. -. / …. — ..- -.. — … -.. -.-. / .-.. -. –.- .-. -.. / -… -. -.-. -.. 

Blog subscription banner
Share on: