22nd April: Cyren Study shows little trust in E-mail Security ++ UEFI vulnerability in Lenovo consumer laptops detected ++ Lemon Duck Botnet exploits Docker APIs for Cryptomining

Cyren Study shows little trust in E-mail Security

Inbox protection provider Cyren published its 2022 Benchmarking Survey in cooperation with Ostermann Research. The study was conducted with Microsoft 365 business users. It shows that about 89% of participants suffered one or more e-mail attacks within the last 12 months. About 21.6 e-mail breaches per organization occurred, the number nearly doubled compared to a 2019 survey with similar questions. Costs of successful breaches range from about USD 311K per year for US companies and about GBP 107K per year for UK companies.

The attacks include:

  • Phishing (69% of respondents experienced this type of breach)
  • Microsoft 365 credential compromise (60%)
  • Spamming or email denial of service (DOS) attack (52%)
  • Ransomware (51%)

Most companies are concerned that current e-mail security solutions cannot block malicious mails and harm cannot easily be avoided. But is there really nothing you can do? There were also good news! The study shows that not only do half of the companies use automated email client plug-ins for users to report suspicious email. Also awareness campaigns seem to actually work: “Training more frequently reduces a range of threat markers among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year,” according to the report. Furthermore, employees that have undergone awareness trainings are more likely to report suspicious e-mails.

Reporting alone is not the answer, the e-mails also have to be properly analyzed in order to learn and to protect a network. According to the study, only about 22% of the companies do analyze the reported e-mails.  This makes it impossible to actually learn from the findings, as the users reporting the e-mails mostly do not receive any feedback. There are multiple tools that automatically analyze reported spam and give feedback to the users, alternatively that can of course be done manually.

So how can you protect your company better?

  • Raise awareness, train your employees and help them detect malicious e-mails before they click on anything
  • Use plugins that allow reporting of suspicious e-mails
  • Make sure reported e-mails are properly analyzed, either automatically or by experts
  • Do not only rely on Microsoft’s own mail security, use at least one more provider in order to reduce the amount of e-mails that actually reach their targets.

Most Email Security Approaches Fail to Block Common Threats | Threatpost
New Global Research Reveals that 90 Percent of Organizations Have Suffered One or More Successful Email Breaches in the Last 12 Months – Benzinga
IT Security: Office 365 Benchmarking Survey (cyren.com)
Cyren : New Global Research Reveals that 90 Percent of Organizations Have Suffered One or More Successful Email Breaches in the Last 12 Months | MarketScreener

UEFI vulnerability in Lenovo consumer laptops detected

The vulnerability has been discovered in more than 100 different models, impacting millions of users around the world. In remote-work and BYOD-times that does not only pose a thread to the user’s private data, it might also affect business networks if the laptop is used for work – according to older reports that might be up to 49% of American Work from Home users.

UEFI, Unified Extensible Firmware Interface, is software that links the OS to the firmware of a laptop. It is the first program to be started when a computer boots. Martin Smolár, the ESET analyst who identified the vulnerability: “UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed.”

The following three vulnerabilities are known so far:

A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.

A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

According to reports, the vulnerabilities have already been detected in October 2021. ESET worked closely with Lenovo after detection, who immediately began to work on patches for the laptops affected. A list of all devices can be found here: Lenovo Notebook BIOS Vulnerabilities – Lenovo Support RO

The first patches and updates are already available, with more to come in early May. Users are strongly advised to install available patches as soon as possible!

49% of employees still use their personal computers for work as hybrid landscape intensifies enterprise cyber threat | 2021-07-30 | Security Magazine
When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops | WeLiveSecurity
UEFI-Firmware: Lenovo warnt vor drei Sicherheitslücken – ComputerBase
Over 100 Lenovo Laptops Affected by Trio of UEFI Vulnerabilities | Tom’s Hardware (tomshardware.com)
Millions of Windows laptops infected with ‘unremovable’ malware – are you affected? | Express.co.uk

Lemon Duck Botnet exploits Docker APIs for Cryptomining

In an ongoing campaign, Lemon Duck Botnet exploits Docker API in order to mine cryptocurrencies. Crypto-mining is especially attractive for attackers as it is an easy, direct and relatively secure way to make money. “Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers,” said Manoj Ahuje, with Crowdstrike […]. “Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like Lemon Duck, which started targeting Docker for cryptomining on the Linux platform.”

Docker is a platform used for running container workloads in a cloud. The API provided support automation for developers and are a well-known tool. If the cloud instance is not properly configured, the APIs can be exposed to the internet – and leveraged by attackers. LemonDuck targets exposed Docker APIs for initial access. It runs a malicious container on an exposed Docker API, using a custom Docker ENTRYPOINT to download a “core.png” image file disguised as a bash script. Finally, LemonDuck’s “a.asp” file downloads XMRig and runs it as an “xr” file, which mines the cryptocurrency. Instead of mass scanning the public IP ranges for exploitable attack vectors, LemonDuck tries to move laterally. This is one of the reasons why this campaign wasn’t as obvious as other mining campaigns by other groups. Once SSH keys are found, the attacker uses them to log into the servers and run the malicious scripts.

Alibaba Cloud’s monitoring service monitors cloud instances for malicious activity once the agent is installed on a host or container. LemonDuck’s “a.asp” file has the ability to disable the Alibaba service to bypass cloud provider detection.

What can you do to protect yourself?

Docker servers hacked in ongoing cryptomining malware campaign (bleepingcomputer.com)
LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike
Crypto-Mining Botnet Goes After Misconfigured Docker APIs – Infosecurity Magazine (infosecurity-magazine.com)
Lemon Duck Botnet Targets Exposed Docker APIs | Decipher (duo.com)
LemonDuck zielt auf Docker | ZDNet.de

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.