Another wave of cyberattacks loom on the horizon as WannaCry dies down. The newest threat targets victims using fully updated Google Chrome and Windows on the latest version of Google Chrome and steals login credentials. The Dataprise Security Operations team detected this attack and has put together the information below to spread awareness before any damage is done:
What did we discover?
Currently, the attacker directs the victim to download the .scf file by using phishing scams, malvertising, and other scamming methods. At times the .SCF file can automatically begin to download without the user realizing it. If a user downloads this malicious .SCF file, the download can create an authenticated connection to a Remote malicious SMB host, controlled by the hacker.
How does it work?
Once the user opens the folder containing that malicious file, the ransomware will automatically run to retrieve an icon. This can happen immediately after downloading. From there, the .SCF file tricks the automated authentication as it attempts to retrieve the icon image. This allows for the victim’s username and hashed password to be transferred, which leads to the attacker to use the credentials, authenticate the victim’s workstation, and gain full control of the workstation.
Will my Anti-Virus or Anti Malware detect this attack?
NO. To these programs, it appears to be a normal authentication.
What can you do?
- Block outbound SMB from the local network to the WAN via firewalls.
- Disable automatic downloads in Google Chrome by going to Chrome's Settings, selecting "Show advanced settings," and then selecting the "Ask where to save each file before downloading" option.
- Make sure all hardware and software is up-to-date, under warranty, and patched.
- DO NOT click on any links, emails, or attachments that look suspicious. Contact your support team if you are unsure about the legitimacy of emails.
- Train your employees on cybersecurity protocol.
The most important action to take is to have a security team in place to detect cyber incidents in real time and respond immediately. The peace of mind and higher defenses against increasingly widespread cyberattacks like WannaCry and this upcoming attack are invaluable.
If you are interested in safeguarding your business, contact Dataprise to speak with one of our experts at 1-888-519-8111.
More information regarding Dataprise Managed Security Services can be found here.