Categories
APT Breach Bug Cyber Security Data leak DoppelPaymer Hacking Malware Phishing Ransomware Scam Spam Vulnerability

3M users install 28 malicious Chrome, Edge extensions, IMAP leveraged to infiltrate email accounts, and more

Major cybersecurity events on 17th December 2020 (Morning Post): IRS form fraud campaign targets G Suite users, affects 50,000 executives already. FireEye, GoDaddy, and Microsoft creates kill switch for SolarWinds backdoor. DoppelPaymer ransomware gang harasses victims who refuse to pay.

Round Up of Major Breaches and Scams

Three million users installed 28 malicious Chrome or Edge extensions

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today. But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. “For every redirection to a third party domain, the cybercriminals would receive a payment,” the company said.

Attackers Leverage IMAP to Infiltrate Email Accounts

Researchers believe cybercriminals are using a tool dubbed Email Appender to directly connect with compromised email accounts via IMAP. A newly detected wave of spam emails is bypassing transport layers and landing in mailboxes, Vade Secure researchers report. This campaign sent 300,000 spam messages to a single customer in one day and has been seen in France, Italy, Denmark, and the United States. Researchers suspect the attackers are using a tool called Email Appender, which is available on the Dark Web and can be used to connect with compromised email accounts via IMAP.

New IRS Form Fraud Campaign Targets G Suite Users

At least 50,000 executives have been affected so far. A new scam using an IRS form as its mechanism has been found targeting users of Google’s G Suite, with as many as 50,000 executives and “important” employees affected so far. The campaign, discovered and reported by researchers at Abnormal Security, claims to contain an IRS W-8BEN form in PDF format. The attached form asks for far more personal information than required on the actual W-8BEN, which is the form needed to maintain a nonresident tax-exemption status.

Trump Twitter Account Hacked, No Charges: Dutch Prosecutors

Dutch prosecutors Wednesday said a man had cracked US President Donald Trump’s Twitter account in October despite denials from Washington and the company, but added that the so-called “ethical hacker” would not face charges. The man, named as Victor Gevers in Dutch media, reportedly hacked into Trump’s account @realDonaldTrump by guessing his password on October 16, Dutch media reports said. Both the White House and Twitter have strenuously denied reports that the account had been hacked.

Emulated mobile devices used to steal millions from US, EU banks

Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack. To do that, the attackers used huge emulator farms that helped them access thousands of hacked accounts (compromised after phishing or malware attacks) using spoofed mobile devices. While emulators are not malicious tools, the group behind this campaign used them for malicious purposes emulating compromised devices.

Round Up of Major Malware and Ransomware Incidents

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

The US Federal Bureau of Investigations says it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands. The incidents have been happening since February 2020, the FBI said in a PIN (private industry notification) alert, a type of security advisory the Bureau sends to the US private sector on a regular basis to inform them of the latest cyber-security developments.

Malicious RubyGems packages used in cryptocurrency supply chain attack

New malicious RubyGems packages have been discovered that are being used in a supply chain attack to steal cryptocurrency from unsuspecting users. RubyGems is a package manager for the Ruby programming language that allows developers to download and integrate code developed by other people into their programs. As anyone can upload a Gem to the RubyGems repository, it allows threat actors to upload malicious packages to the repository in the hopes that another developer will integrate it into their program.

Round Up of Major Vulnerabilities and Patches

FireEye, GoDaddy, and Microsoft created a kill switch for SolarWinds backdoor

Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was employed in the recent SolarWinds hack. Microsoft, FireEye, and GoDaddy have created a kill switch for the Sunburst backdoor that was used in SolarWinds supply chain attack. Last week, Russia-linked hackers breached SolarWinds, the attackers had used a trojanized SolarWinds Orion business software updates to distribute the backdoor tracked as SUNBURST (aka Solarigate (Microsoft)).

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6 and apply the necessary updates.