
9M CDEC Express customers data leaked, MagBo sells access to 43,000 servers, Microsoft 365 sign-in pages spoofed, and more

Major cybersecurity events on 14th May 2020: Iranian hackers attempted to interfere in the 2014 Scottish independence referendum. City Index reports an intrusion and a potential data breach in a notification to its users. A hacker is selling 550 million stolen user records on a hacking forum.

Round Up of Major Breaches and Scams

Iran hackers interfered in Scottish independence vote

In a report produced for Facebook, an analysis firm said that Iranian hackers attempted to interfere in the 2014 Scottish independence referendum in favor of those wanting to leave in an attempt to break up the UK. The report said “covert assets” linked to Iran’s state broadcaster ran fake Facebook pages that produced memes, cartoons, and propaganda to bolster the pro-independence movement.

City Index Reports Intrusion and Potential Data Breach

In a notification sent to users on May 8, City Index said that its network “was accessed by an unauthorized third party and client personal data may have been viewed.” Upon discovering the incident, it said it “shut down access to the server concerned and launched a full forensic investigation.” The incident took place on April 14.

Data of 9 million customers of the Russian courier service CDEK leaked

Data belonging to nine million customers of the CDEC Express transportation service was put up for sale on the Web for 70 thousand rubles ($950). This is the largest leak of personal data in Russian delivery services to date.

China Rejects US Claim of Attempted Vaccine Theft as ‘Smearing’

The claims have added fuel to tensions between the global superpowers, who have traded barbs over the origin of the pandemic that has killed 300,000 people. US authorities said Wednesday that Chinese hackers were trying to obtain coronavirus data on treatments and vaccines, warning the effort involved Chinese government-affiliated groups and others.

BEC Gang Exploits G Suite, Long Domain Names in Cyberattacks

Business email compromise (BEC) attacks continue to be a thorn in companies’ sides, with the FBI in its IC3 annual cybercrime report saying that the attacks cost victims $1.7 billion in 2019. Making matters worse, BEC cybergangs are turning to new tactics and tricks to avoid detection and capitalize on existing victims.

A cybercrime store is selling access to more than 43,000 hacked servers

MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018. Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.

Wright County notifies residents of 2019 email hack; COVID-19 response somewhat delayed notification

On Jan. 31, 2019, Wright County discovered unusual activity in an individual email account in the Wright County system (not the entire network or database). The county took immediate action, securing the email network and hiring a third-party computer forensics expert to conduct an investigation to determine whether personal information was involved.

New Microsoft 365 sign-in pages already spoofed for phishing

Microsoft says that attackers have already adapted their phishing campaigns to use the newly updated design for Azure AD and Microsoft 365 sign-in pages. “Office 365 ATP data shows that attackers have started to spoof the new Azure AD sign-in page in multiple phishing campaigns,” Microsoft tweeted earlier. “We have so far seen several dozens of phishing sites used in these campaigns.”

Identity Breaches at 79% of Organizations

New research published today by the Identity Defined Security Alliance (IDSA) has revealed that 79% of organizations have experienced an identity-related security breach in the last two years.

Hacker selling 550 million stolen user records on hacking forum

A threat actor is selling twenty-nine databases on a hacker forum that allegedly contain a combined total of 550 million stolen user records. The actor began selling these databases on May 7th, when they posted them on a well-known hacker forum where threat actors can buy each one individually.

Scammers steal $10 million from Norfund, the largest sovereign wealth fund

Thieves spent months inside the networks of the world’s largest sovereign wealth fund before stealing $10 million in what the enterprise is describing as “a serious case of fraud.” The Norwegian Investment Fund, more commonly known as Norfund, announced Wednesday that scammers stole £8.2 million ($10 million) by spoofing an email address, then fabricating payment information and directing cash into their own account.

Round Up of Major Malware and Ransomware Incidents

COVID19 Hospital Construction Firms Hit by Cyber-Attacks

Two construction firms that helped to build emergency hospitals to cope with the COVID-19 pandemic have been hit by separate cyber-attacks, it has emerged. Bam Construct, which worked on the Yorkshire and Humber hospital, appears to have fallen victim to a ransomware attack, whilst Interserve, which worked on Birmingham’s NHS Nightingale, may have suffered a major data breach.

UK electricity middleman hit by cyber-attack

Elexon, a crucial middleman in the UK power grid network, reported that it fell victim to a cyber-attack earlier today. In a short message posted on its website, the company said the incident only impacted its internal IT network and employee laptops. The company didn’t specify the nature of the cyber-attack, but experts believe this is a ransomware incident due to the destructive nature of the attack.

Innovative Spy Trojan Targets European Diplomatic Targets

A fresh malware trojan has emerged, built from the same code base as the stealthy COMPFun remote access trojan (RAT). The malware is using spoofed visa applications to hit diplomatic targets in Europe and may be the work of the Turla APT.

ProLock Ransomware teams up with QakBot trojan for network access

ProLock is a relatively new malware on the ransomware scene but has quickly attracted attention by targeting businesses and local governments and demanding huge ransoms for file decryption. Its most recent victim is Diebold Nixdorf, mostly known for providing automated teller machines (ATMs).

Round Up of Major Vulnerabilities and Patches

Flaw in WordPress Plugin Grants Access to Google Search Console

The plugin, Site Kit by Google, was designed to provide site admins with information on how people find and use their websites, providing insights from critical Google tools, straight to the WordPress dashboard. The plugin has over 400,000 active installations.

Access to UK Supercomputer Suspended Following Cyberattack

On May 11, 2020, the team behind ARCHER disabled access to the service due to a “security exploitation” on its login nodes. The team announced that jobs already running or queued would continue to run, although login has been disabled and no other jobs could be added.

Critical Flaws Found in Cyberoam Security Devices

Critical flaws have been discovered in a cybersecurity company’s next-generation firewall and VPN technology. Researchers at vpnMentor detected two vulnerabilities in cybersecurity devices developed by Cyberoam Technologies. Founded in 1999, Ahmedabad-based company Cyberoam was bought by British security software and hardware company Sophos Group plc in 2014.

Palo Alto Networks Patches Many Vulnerabilities in PAN-OS

One of the most serious of the flaws is CVE-2020-2018, which has a CVSS score of 9, and which allows an attacker with access to the Panorama management system’s interface to gain privileged access to managed firewalls. This authentication bypass issue affects the Panorama context switching feature, and the vendor says exploitation “requires some knowledge of managed firewalls.”