Trending News

Lokibot Malware on the Rise

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—is Trojan malware that steals sensitive information such as usernames, passwords, cryptocurrency wallets and other credentials. It is especially dangerous because it can steal credentials from password stores, capture keyboard input (keylogging) and also function as a backdoor into an infected system, allowing attackers to install additional payloads (malware, trojans, ransomware, etc.).

The Cybersecurity and Infrastructure Security Agency (CISA) released the following alert on 22 September 2020.

“CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.”


Image: Malwarebytes (supplied)

CISA and MS-ISAC recommend that federal, state, local, tribal and territorial government users, private-sector users and network administrators consider applying the following best practices to strengthen the security posture of their organisation’s systems. System owners and administrators should also review any configuration changes prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enforce multi-factor authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on company workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavourable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
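Checking that an attachment’s extension matches its file header, as the “true file type” bullet above recommends: an added Python example, not from the CISA alert, using a small constructed signature table and constructed sample headers rather than real files.

```python
# Added example (not from the CISA alert): verify an attachment's "true file
# type" by comparing its extension with the header (magic bytes) of its content.
from typing import Optional

# Minimal constructed signature table: leading bytes -> canonical type.
# ZIP covers Office Open XML documents (docx/xlsx/pptx), which are ZIP containers.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls/.ppt
]

# Which extensions are acceptable for each detected type.
ALLOWED_EXTENSIONS = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "ole": {"doc", "xls", "ppt"},
    "exe": set(),  # executables are never acceptable as mail attachments here
}

def true_file_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file header, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def extension_matches(filename: str, data: bytes) -> bool:
    """True only if the header-derived type permits the file's extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = true_file_type(data)
    if kind is None:
        return False  # unknown header: do not treat the extension as verified
    return ext in ALLOWED_EXTENSIONS[kind]

# Constructed sample attachments (header bytes only, not real files).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%constructed",
    "report.docx": b"PK\x03\x04\x14\x00constructed",
    "statement.pdf": b"MZ\x90\x00constructed",  # executable disguised as a PDF
    "photo.jpg": b"\xff\xd8\xff\xe0constructed",
}

def scan_attachments(samples=SAMPLES) -> dict:
    """Map each attachment name to whether its extension matches its header."""
    return {name: extension_matches(name, data) for name, data in samples.items()}
```

A real scanner would use a fuller signature library, but the decision logic (header first, extension second, reject on mismatch or unknown header) is the same.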

Critical severity Windows patch alert – Zerologon (CVE-2020-1472)

The USA’s Homeland Security cybersecurity advisory unit issued an emergency alert to US government departments on 19 September 2020, following the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack, citing an “unacceptable risk” to government networks.

The vulnerability, rated the maximum severity score of 10.0, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers. The bug was dubbed “Zerologon” because an attacker does not need to steal or use any network passwords to gain access to the domain controllers; access to the network is enough, for example by exploiting a vulnerable device. Needless to say, an attacker exploiting this vulnerability can do extensive damage to IT infrastructure.

The vulnerability is reported to affect all Windows Server editions back to Windows Server 2008 R2, which includes Windows 10 Server editions. Anyone running an affected Windows operating system should follow suit and patch immediately.

CVE-2020-1472

Windows Server Vulnerability Requires Immediate Attention

Experian Data Breach

Near the end of August 2020, Experian, a credit reporting company, reported a data breach exceeding 24 million records of personal information belonging to South African consumers and businesses.

The company initially claimed the leak was under control but was later forced to admit that the records had made their way onto the internet. A whistle-blower also confirmed that the records had reached the dark web. See the attached articles from BusinessInsider and BusinessTech on this topic.

Who is Experian? The following is from the Experian website:
“Hello, we are Experian South Africa. We unlock the power of data to create opportunities for people, business and society.

Our world is built on data. It’s all around us, growing in power and influence every day. We work to turn that data into something meaningful. We gather, analyse, combine and process it to help people and organisations achieve their goals – whether that means planning for a secure future or getting to know your customers better. We believe data has the power to change lives. By helping people and organisations make the most of their data, we can make a positive difference to our society and communities.” – Experian – About us

Cambridge Analytica was a similar case: the company became entangled in a Facebook data breach in 2018, which raised major concerns about how companies handle, and potentially misuse, personal user data without the owners’ consent while turning a profit.

iAfrikan.com, a digital technology publication, released an article by Tefo Mohapi titled “Suspect in Experian Data Breach saga denies receiving any data”, in which the publication investigated and interviewed parties connected to the Experian breach.

Suspect in Experian Data Breach saga denies receiving any data

“In this case, it is alleged that it was sometime in July 2020, when some Experian staff were following up on a payment totalling R2,212,919.99, that alarm bells were raised and the matter escalated. The amount was the payment requested for Experian supplying Talis Holdings (allegedly Phungula) with 24 million consumer records and approximately 700,000 business records with banking details.”

The iAfrikan article provides insight into how Experian, and others, handle and distribute data, and serves as a good example of what not to do once the POPI Act is fully implemented. The secure handling and distribution of personal data must be the highest priority for all companies within this sector, second only to obtaining the owner’s consent to distribute it. Once the data is exposed to the internet and other unintended parties, those who suffer most are the owners, not the company that suffered the breach. It is virtually impossible to contain a data leak of this nature, and the 24 million records will circulate on the internet and dark web for as long as there is profit to be made by people in black hats.