
Here is what we're working on and thinking at Hedgehog Security.

This week’s news roundup covers a new exploit targeting Microsoft Word, a lone Nigerian cybercriminal doing the work of many, and the issues around ‘hacking back’.

Hackers Exploit Microsoft Word’s Auto-Updating Links Feature

Security consultant Xavier Mertens recently discovered an exploit in Microsoft Word that allows an attacker to potentially install spyware.
Word’s ‘auto-update links’ feature automatically refreshes any links to external sources such as URLs; it is enabled by default and does so without prompting the user.
Mertens explained, “The infection vector was classic: The document (‘N_Order#xxxxx.docx’ with 5 random numbers) was received as an attachment and has a VT score of 12/59 this morning. The file has an embedded link to another document which is a malicious RTF file that tries to exploit the CVE-2017-0199”.
Our advice: keep your AV software updated!
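A document that abuses auto-updating links has to carry the external target somewhere in its package, and in a .docx that is a relationship marked `TargetMode="External"` in one of the `.rels` parts. The scanner below, added here as an illustration and not code from Mertens or from Hedgehog Security, lists those targets so a mail gateway or analyst can triage a file before anyone opens it; the sample container it builds and the `example.invalid` URL are constructed for the demonstration.

```python
"""Flag .docx files whose relationships point at external targets.

Word's auto-update links feature follows relationships marked
TargetMode="External" on open, without prompting, so a mail gateway or
analyst can triage these targets before a user opens the file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Hyperlinks are only fetched when clicked; other external relationship types
# (linked OLE objects, linked images, attached templates) are fetched by Word.
CLICK_ONLY = {"hyperlink"}

def external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for each external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rtype, rel.get("Target", "")))
    return findings

def auto_fetched_targets(docx_bytes: bytes) -> List[str]:
    """Targets Word would retrieve on its own: every external relationship except hyperlinks."""
    return [t for _, rtype, t in external_targets(docx_bytes) if rtype not in CLICK_ONLY]

def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Constructed minimal .docx container (not a real document) for exercising the scanner."""
    rels = [f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" TargetMode="External" '
                    f'Type="{OOXML_REL}oleObject" Target="{external_target}"/>')
    rels_xml = f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder target; a real triage run would pass the bytes of a received attachment.
    print(external_targets(build_sample_docx("http://example.invalid/linked-object.rtf")))
```

Run it over real attachments by passing the file bytes to `external_targets`; a non-empty result from `auto_fetched_targets` is the case worth holding for review.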

APT-Style Attack Blamed on Lone Nigerian Cybercriminal

A recent cyber-attack that targeted more than 4,000 infrastructure companies is believed to originate from a lone Nigerian cybercriminal.
The campaign began in April 2017 and targeted organisations in the oil, gas, banking, construction and manufacturing industries. As the scale of the campaign was global and the businesses targeted are large international companies, this would give the impression that a gang or state-sponsored agency is behind it. However, security researchers at Check Point have blamed the APT-style attack on a Nigerian individual who used phishing emails to obtain companies’ bank details, or to trick employees into opening the malware-infected attachment.
The campaign resulted in 14 successful infections, with thousands of dollars going to the criminal through a type of fraud known as ‘business email compromise’.
Maya Horowitz, threat intelligence group manager for Check Point, said:
“Even though this individual is using low-quality phishing emails, and generic malware which is easy to find online, his campaign has still been able to infect several organisations and target thousands more worldwide. It shows just how easy it is for a relatively unskilled hacker to launch a large-scale campaign that successfully breaches the defences of even large companies, enabling them to commit fraud”.
Many companies believe they will never fall victim to email fraud; however, businesses may be targeted due to their size and reputation, or due to the clients they have.
If you would like to take action to prevent your organisation becoming the next victim of phishing scams, we would recommend carrying out phishing tests and training to better protect your finances, information, and people.

Hacking Back: ProtonMail vs x0rz

Hacking back is not a topic commonly covered in cyber security news due to its controversial (and potentially illegal) nature. However, ProtonMail made headlines this week for retaliating against the hacker x0rz, who impersonated the ProtonMail service through phishing emails.
On Wednesday morning, the security researcher going by the name of x0rz shared a series of screenshots via Twitter that allegedly showed someone sending emails that directed targets to a fake ProtonMail login screen which read, “You have an overdue invoice”.
ProtonMail responded to this by tweeting, “We also hacked the phishing site so the link is down now”. The tweet was swiftly deleted, but x0rz had posted a screenshot of it before it was taken down.
Depending on what actions ProtonMail carried out in retaliation, hacking back can be illegal as it could violate the Computer Fraud and Abuse Act, or possibly wiretapping legislation.
The phishing link is now not active, but this story is a handy reminder to companies of all sizes that phishing must be taken seriously. As sophisticated as the phishing email might be, it always relies on employees at the target company to click on the link or download the attachment. If you would like to test your employees’ phishing detection skills and train them on how to spot a phishing attempt, click here to find out more about our testing and training.

Trend Micro Discovers Vulnerability in Connected Cars

Security researchers have discovered a vulnerability in the internal network of connected cars that can be exploited while bypassing the auto industry’s first attempt at anti-hacking mechanisms.
Trend Micro published a blog post this week about an almost unnoticed car hacking technique that it presented at the DIVMA security conference in Germany last month, in collaboration with researchers at LinkLayer Labs and the Polytechnic University of Milan. They note a security issue in the CAN protocol that car components use to communicate and send commands to one another within the car's network. This flaw would allow a hacker who has access to the car's internals to turn off key automated components, including safety mechanisms.
Federico Maggi, one of the Trend Micro researchers commented, "You could disable the air bags, the anti-lock brakes, or the door locks, and steal the car […] it’s practically impossible to detect at the moment with current technology”.
It is important to note, however, that this attack could not be considered a practical one, as it is a DoS attack that turns off components rather than hijacking driving functions such as accelerating, braking or steering. It also requires the hacker to already have initial access to the car’s network.

Microsoft Report: 300% Rise in User Attacks Since 2016

Researchers at Microsoft detected a 300% increase in attacks on user accounts over the past year, along with a 44% rise in account log-in attempts from malicious IP addresses, according to Microsoft’s latest Security Intelligence Report (SIR).
As will come as no surprise to a great many, the majority of the account attacks were due to weak and easy-to-guess passwords. Attackers are expected to try these passwords, together with users’ credentials, on multiple websites, since passwords are so often reused.
If you would like some handy tips on how to create a secure (not easy to guess) password, click here to read our quick how-to guide.
What developments have you heard about in the world of InfoSec? Let us know your thoughts on the stories above on Facebook or LinkedIn; we'd love to hear from you!