Round Up of Major Breaches and Scams
More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today. But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. “For every redirection to a third party domain, the cybercriminals would receive a payment,” the company said.
Researchers believe cybercriminals are using a tool dubbed Email Appender to directly connect with compromised email accounts via IMAP. A newly detected wave of spam emails is bypassing transport layers and landing in mailboxes, Vade Secure researchers report. This campaign sent 300,000 spam messages to a single customer in one day and has been seen in France, Italy, Denmark, and the United States. Researchers suspect the attackers are using a tool called Email Appender, which is available on the Dark Web and can be used to connect with compromised email accounts via IMAP.
At least 50,000 executives have been affected so far. A new scam using an IRS form as its mechanism has been found targeting users of Google’s G Suite, with as many as 50,000 executives and “important” employees affected so far. The campaign, discovered and reported by researchers at Abnormal Security, claims to contain an IRS W-8BEN form in PDF format. The attached form asks for far more personal information than required on the actual W-8BEN, which is the form needed to maintain a nonresident tax-exemption status.
Dutch prosecutors Wednesday said a man had cracked US President Donald Trump’s Twitter account in October despite denials from Washington and the company, but added that the so-called “ethical hacker” would not face charges. The man, named as Victor Gevers in Dutch media, reportedly hacked into Trump’s account @realDonaldTrump by guessing his password on October 16, Dutch media reports said. Both the White House and Twitter have strenuously denied reports that the account had been hacked.
Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack. To do that, the attackers used huge emulator farms that helped them access thousands of hacked accounts (compromised after phishing or malware attacks) using spoofed mobile devices. While emulators are not malicious tools, the group behind this campaign used them for malicious purposes emulating compromised devices.
Round Up of Major Malware and Ransomware Incidents
The US Federal Bureau of Investigations says it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands. The incidents have been happening since February 2020, the FBI said in a PIN (private industry notification) alert, a type of security advisory the Bureau sends to the US private sector on a regular basis to inform them of the latest cyber-security developments.
New malicious RubyGems packages have been discovered that are being used in a supply chain attack to steal cryptocurrency from unsuspecting users. RubyGems is a package manager for the Ruby programming language that allows developers to download and integrate code developed by other people into their programs. As anyone can upload a Gem to the RubyGems repository, it allows threat actors to upload malicious packages to the repository in the hopes that another developer will integrate it into their program.
Round Up of Major Vulnerabilities and Patches
Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was employed in the recent SolarWinds hack. Microsoft, FireEye, and GoDaddy have created a kill switch for the Sunburst backdoor that was used in SolarWinds supply chain attack. Last week, Russia-linked hackers breached SolarWinds, the attackers had used a trojanized SolarWinds Orion business software updates to distribute the backdoor tracked as SUNBURST (aka Solarigate (Microsoft)).
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6 and apply the necessary updates.