Emotet, MS Teams, Uber data breach – A summary

It has been a few months since one of the most impactful and damaging malware families, Emotet, resurfaced, this time as RaaS (Ransomware as a Service) consumed by groups such as BlackCat and Quantum. This followed shortly after Conti's official retirement from the current threat landscape. Furthermore, MS Teams, Microsoft's instant messaging platform, has been shown to have a few weaknesses that can potentially be exploited through the GIFShell technique. Finally, the Uber attack has been in the news over the last few days. The Uber breach should be considered one of the high-profile attacks, mainly because individuals' card and payment details and other sensitive data are stored on Uber's servers. The full article below contains a summary of the Emotet malware, the possible MS Teams exploitation, and the current state of knowledge on the Uber breach.

Source: Reference

A quick backdrop on Emotet: it started as a banking trojan in 2014, but updates added over time have transformed the malware into a highly potent threat capable of downloading other payloads onto the victim's machine, which allows the attacker to control it remotely. “From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat,” AdvIntel said in an advisory published last week. The notorious Conti ransomware gang may have dissolved, but several of its members remain as active as ever, either as part of other ransomware crews like BlackCat and Hive or as independent groups focused on data extortion and other criminal endeavors. An interesting anecdote is that, according to Recorded Future, “Conti affiliates use a variety of initial access vectors including phishing, compromised credentials, malware distribution, and exploiting vulnerabilities.” AdvIntel said it observed over 1,267,000 Emotet infections across the world since the start of the year, with activity peaks registered in February and March coinciding with Russia’s invasion of Ukraine. [Reference]

One of the popular conferencing tools, MS Teams, has been shown to be prone to cyber attacks. The method called GIFShell has been demonstrated to show the potential impact; Microsoft has acknowledged the issue but has not indicated that a patch will be released. Discovered by Bobby Rauch, the GIFShell attack technique enables bad actors to abuse several Microsoft Teams features to act as a C&C channel for malware, and to exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. This attack method requires a device or user that is already compromised. Microsoft asserts that the technique uses legitimate features of the Teams platform and is not something it can mitigate currently. [Reference]

The final segment of this article is the recent breach that has turned heads: yes, the Uber breach. To summarize: an 18-year-old teenager tricked an Uber employee into providing account access by social engineering the victim into accepting a multi-factor authentication (MFA) prompt, which allowed the attacker to register their own device. Uber had previously come under scrutiny for failing to properly disclose a 2016 data breach affecting 57 million riders and drivers, and ultimately paying the hackers $100,000 to hide the breach; it became public knowledge only in late 2017. Upon gaining an initial foothold, the attacker found an internal network share that contained PowerShell scripts with privileged admin credentials, granting carte blanche access to other critical systems. These logs were put up for sale on September 12 and 14, which means that this was very fresh data, because the hack that utilized them was revealed on 15 to 16 September.

The attacker’s motivations behind the breach are unclear, although a message posted by the hacker announcing the breach on Slack included a call for higher pay for Uber’s drivers. Episodes like this are also evidence that Time-based One Time Password (TOTP) codes, commonly generated by authenticator apps or sent as SMS messages, are insufficient on their own as a 2FA roadblock. Attacks of this type will persist until limits and privileges are addressed, in particular by restricting how many OTP prompts can be sent after a few attempts. One factor that remains constant is that cyber awareness is pivotal to avoiding such incidents, and every organization, regardless of size, should take this seriously.
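The throttling idea above (stop sending prompts after a few attempts, and treat an approval that follows a burst of prompts as suspicious) is easy to put in front of an identity provider's logs. The following is an added example, not code from the original post or from Uber; the log format, the field names, the ten-minute window and the three-prompt limit are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""
Added example (not from the original post): detecting MFA push "fatigue"
in authentication logs and throttling further prompts.

Assumptions (hypothetical, not any vendor's real log format):
- Each line is "<ISO timestamp> user=<name> event=<mfa_push_sent|mfa_push_denied|mfa_push_approved>".
- Policy: more than MAX_PROMPTS prompts for one user within WINDOW is a fatigue burst;
  an approval that arrives during a burst is flagged for review, and further prompts
  are blocked until the window has expired.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_PROMPTS = 3

# Constructed sample log lines, not real data: alice is pushed four prompts in
# four minutes and finally approves one; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice event=mfa_push_sent
2022-09-15T22:01:20Z user=alice event=mfa_push_denied
2022-09-15T22:02:10Z user=alice event=mfa_push_sent
2022-09-15T22:02:31Z user=alice event=mfa_push_denied
2022-09-15T22:03:05Z user=alice event=mfa_push_sent
2022-09-15T22:03:40Z user=alice event=mfa_push_denied
2022-09-15T22:04:12Z user=alice event=mfa_push_sent
2022-09-15T22:04:50Z user=alice event=mfa_push_approved
2022-09-15T22:05:00Z user=bob event=mfa_push_sent
2022-09-15T22:05:20Z user=bob event=mfa_push_approved
2022-09-15T22:06:00Z user=alice event=mfa_push_sent
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["event"]


def analyze(log_text):
    """Return a list of (timestamp, user, finding) tuples.

    Findings:
      fatigue_burst        - the user received more than MAX_PROMPTS prompts in WINDOW
      approval_after_burst - an approval arrived while a burst was still in the window
      prompt_blocked       - a prompt that the throttle policy would have suppressed
    """
    prompts = defaultdict(deque)  # user -> timestamps of prompts still inside WINDOW
    blocked_until = {}            # user -> time until which new prompts are suppressed
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        recent = prompts[user]
        # Slide the window: forget prompts older than WINDOW.
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if event == "mfa_push_sent":
            if user in blocked_until and ts < blocked_until[user]:
                findings.append((ts, user, "prompt_blocked"))
                continue
            recent.append(ts)
            if len(recent) > MAX_PROMPTS:
                blocked_until[user] = ts + WINDOW
                findings.append((ts, user, "fatigue_burst"))
        elif event == "mfa_push_approved":
            if len(recent) > MAX_PROMPTS:
                findings.append((ts, user, "approval_after_burst"))
    return findings


if __name__ == "__main__":
    for ts, user, finding in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {finding}")
```

Run as-is it reports alice's fourth prompt as a fatigue burst, her approval thirty-eight seconds later as an approval to review, and her fifth prompt as one the policy would have suppressed; bob produces no findings. In production the "approval_after_burst" event is the one worth paging on, since it is exactly the moment at which a worn-down user has let the attacker register a device.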

Published by The Art of Cyber-Space

I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of neuroscience and neurotechnology research from a security perspective. I love exploring various blog posts and sharing knowledge about the current threat landscape to instill more cybersecurity awareness.
