
CloudSEK Daily Threat Bulletin – 12th March 2020

Round Up of Major Breaches and Scams

Comcast accidentally published 200,000 “unlisted” phone numbers

Comcast mistakenly published the names, phone numbers, and addresses of nearly 200,000 customers who paid a monthly fee to keep their numbers unlisted. The records appeared on Ecolisting, a directory run by Comcast, and were picked up from there by third-party directory sites. After discovering the mistake, Comcast shut Ecolisting down, issued $100 credits to affected customers, and told them they could change their phone numbers free of charge.

Card data from Volusion web skimmer incident surfaces on the dark web

Card data stolen last year from Volusion-hosted online stores has surfaced on the dark web, Gemini Advisory, a threat intelligence firm specializing in fraud detection, reported today. The cards trace back to the security breach Volusion disclosed in October 2019: attackers compromised one of the company's servers and planted a web-skimming JavaScript payload that was subsequently loaded by some customers' storefronts, where it captured payment card details entered at checkout.

Popular iPhone and iPad apps are snooping on data copied to the clipboard

iOS and iPadOS apps have unrestricted access to the system-wide general pasteboard, also referred to as the clipboard: any installed app can read whatever the user last copied, with no permission prompt and no indication to the user. The contents may be as mundane as a shopping list, but they can just as easily be a password, a telephone number, or financial details copied from another app.

Round Up of Major Malware and Ransomware Incidents

Advanced Russian hackers use new malware in watering hole operation

Two previously undocumented pieces of malware, a downloader and a backdoor, were used in a watering hole operation attributed to the Russia-based threat group Turla. To reach targets of interest, the attackers compromised at least four websites, two of them belonging to the Armenian government, which indicates that the operation was aimed at government officials and politicians.

Vicious Panda: The Covid campaign

Check Point Research discovered a new campaign against the Mongolian public sector that exploits the current Coronavirus scare to deliver a previously unknown malware implant to its targets. A closer look at the campaign allowed the researchers to tie it to other operations carried out by the same unnamed group, dating back to at least 2016.

New CoronaVirus ransomware acts as a cover for Kpot Infostealer

A new ransomware called CoronaVirus is being distributed through a fake website impersonating WiseCleaner, a vendor of system optimization utilities. Capitalizing on fear and anxiety around the Coronavirus (COVID-19) outbreak, the attacker built a campaign that delivers a malware cocktail: the CoronaVirus ransomware, which serves largely as a distraction, and the Kpot information-stealing Trojan, which does the real damage by harvesting credentials and other data.

Russia-linked Turla cyberspies add more malware to arsenal

Also known as Waterbug, KRYPTON, Snake, and Venomous Bear, and active for more than a decade, Turla is known for targeting diplomatic and military organizations, with a focus on NATO and Commonwealth of Independent States (CIS) nations. The group maintains an extensive portfolio of malicious tools and continuously expands it to keep its attacks effective. The most recent additions were discovered while analyzing a watering hole attack targeting high-profile Armenian websites.

Trojan raids Android users’ cookie jars

Appropriately dubbed "Cookiethief" by the Kaspersky researchers who discovered it, the trojan has a straightforward goal: obtain root rights on the victim's device and transfer the cookies used by the browser and the Facebook app to the criminals' server. Those cookies carry the session identifiers that websites and services use to recognize a logged-in user, so whoever holds them can impersonate the victim without ever knowing the username or password.

Researchers warn of novel PXJ ransomware strain

Researchers have discovered a new strain of ransomware, dubbed “PXJ,” which emerged in the wild in early 2020. While PXJ performs functions similar to other ransomware variants, it does not appear to share the same underlying code with most known ransomware families, researchers said. They first identified PXJ on Feb. 29, after discovering two samples that were uploaded to VirusTotal by a user from the community.

Round Up of Major Vulnerabilities and Patches

48K Windows hosts vulnerable to SMBGhost CVE-2020-0796 RCE attacks

After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic found roughly 48,000 Windows 10 hosts exposed to attacks on CVE-2020-0796, a pre-authentication remote code execution vulnerability in Microsoft's implementation of Server Message Block 3.1.1 (SMBv3).

Several vulnerabilities expose Phoenix Contact industrial 4G routers to attacks

The security holes were discovered by cybersecurity consultancy SEC Consult and the vendor has released firmware updates that should patch the flaws. The vulnerabilities affect various Phoenix Contact TC ROUTER and TC CLOUD CLIENT devices.

Microsoft patches leaked remote code execution flaw

Microsoft has patched a critical remote code execution vulnerability in its Server Message Block 3.1.1 (SMBv3) implementation and is urging organizations to deploy the update as soon as possible. CVE-2020-0796 exists in the way SMBv3 handles certain requests, and it affects both the SMB server and the SMB client: an unauthenticated attacker who can reach a vulnerable server over TCP port 445, or who lures a vulnerable client into connecting to a malicious server, can execute arbitrary code and take complete control of the system.
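The two SMBGhost items above (the 48,000-host scan and the patch) both come down to one question for a defender: which of my hosts will negotiate SMB 3.1.1 with compression, the pre-authentication code path that CVE-2020-0796 lives in? The probe below is an added example written for this bulletin, not Kryptos Logic's scanner or any tool from the original articles. It builds a single SMB2 NEGOTIATE request, sends it to TCP/445, and parses the response for the negotiated dialect and the SMB2_COMPRESSION_CAPABILITIES negotiate context; the wire layout follows the MS-SMB2 specification. The function names, the `probe` helper and the constructed sample response used for offline testing are all mine and not from any published scanner. One caveat a practitioner needs: a host that installed KB4551762 but left compression enabled still advertises compression, so a hit means "exposed to the vulnerable path", not "confirmed unpatched".

```python
"""Exposure probe for CVE-2020-0796 (SMBGhost). Added example, not the
Kryptos Logic scanner: sends one SMB2 NEGOTIATE and reports whether the
server settles on dialect 0x0311 (SMB 3.1.1) and advertises the
SMB2_COMPRESSION_CAPABILITIES context. Wire layout per MS-SMB2."""
import os
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001   # mandatory whenever 0x0311 is offered
CTX_COMPRESSION = 0x0003
SHA512 = 0x0001
COMPRESSION_NAMES = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}


def _align8(n: int) -> int:
    return (n + 7) & ~7


def _smb2_header(command: int, flags: int = 0) -> bytes:
    # ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature (64 bytes)
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def _context(ctx_type: int, data: bytes) -> bytes:
    # ContextType, DataLength, Reserved, Data; each context is 8-byte aligned
    body = struct.pack("<HHI", ctx_type, len(data), 0) + data
    return body + b"\x00" * (_align8(len(body)) - len(body))


def _netbios(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg   # NetBIOS session header


def build_negotiate_request() -> bytes:
    """NEGOTIATE offering SMB 2.0.2 through 3.1.1 and requesting LZNT1 compression."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    ctx_offset = _align8(64 + 36 + 2 * len(dialects))   # relative to the SMB2 header
    contexts = _context(CTX_PREAUTH_INTEGRITY,
                        struct.pack("<HHH", 1, 32, SHA512) + os.urandom(32))
    contexts += _context(CTX_COMPRESSION, struct.pack("<HHIH", 1, 0, 0, 1))
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0,
                       os.urandom(16), ctx_offset, 2, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    body += b"\x00" * (ctx_offset - 64 - len(body)) + contexts
    return _netbios(_smb2_header(SMB2_NEGOTIATE) + body)


def parse_negotiate_response(data: bytes) -> dict:
    """Classify a NetBIOS-framed NEGOTIATE response: dialect and advertised compression."""
    if len(data) < 68 or data[0] != 0 or data[4:8] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    smb = data[4:]
    status, command = struct.unpack_from("<IH", smb, 8)
    result = {"status": status, "dialect": None, "compression": []}
    if command != SMB2_NEGOTIATE or status != 0 or len(smb) < 128:
        return result                         # error response, nothing negotiated
    fields = struct.unpack_from("<HHHH16sIIIIQQHHI", smb, 64)
    dialect, ctx_count, ctx_offset = fields[2], fields[3], fields[13]
    result["dialect"] = dialect
    if dialect != DIALECT_311:
        return result                         # below 3.1.1 the context fields are reserved
    off = ctx_offset
    for _ in range(ctx_count):
        ctx_type, length = struct.unpack_from("<HH", smb, off)
        payload = smb[off + 8: off + 8 + length]
        if ctx_type == CTX_COMPRESSION:       # Count, Padding, Flags, then algorithms
            count = struct.unpack_from("<H", payload, 0)[0]
            algs = struct.unpack_from("<%dH" % count, payload, 8)
            result["compression"] = [COMPRESSION_NAMES.get(a, hex(a)) for a in algs]
        off = _align8(off + 8 + length)
    return result


def is_exposed(result: dict) -> bool:
    """3.1.1 plus compression: the vulnerable decompression path is reachable pre-auth.
    Patched hosts that kept compression enabled still match, so this is an exposure
    signal, not proof that KB4551762 is missing."""
    return result["dialect"] == DIALECT_311 and bool(result["compression"])


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send one NEGOTIATE over TCP/445 and classify the answer (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        data = s.recv(4)
        want = 4 + int.from_bytes(data[1:4], "big")
        while len(data) < want:
            chunk = s.recv(want - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


def build_sample_response(dialect: int, algorithms: tuple = ()) -> bytes:
    """Constructed NEGOTIATE response (not a capture) so the parser can run offline."""
    contexts, ctx_count = b"", 0
    if dialect == DIALECT_311:
        contexts = _context(CTX_PREAUTH_INTEGRITY,
                            struct.pack("<HHH", 1, 32, SHA512) + b"\x00" * 32)
        ctx_count = 1
        if algorithms:
            contexts += _context(CTX_COMPRESSION, struct.pack("<HHI", len(algorithms), 0, 0)
                                 + b"".join(struct.pack("<H", a) for a in algorithms))
            ctx_count += 1
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, ctx_count, b"\x00" * 16,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0,
                       128 if contexts else 0) + contexts
    return _netbios(_smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)  # flag 1: server-to-client


if __name__ == "__main__":
    import sys
    r = probe(sys.argv[1])
    print(sys.argv[1], r, "exposed" if is_exposed(r) else "not exposed")
```

Run it as `python smbghost_probe.py 10.0.0.5` (file name is hypothetical) against hosts you own; a result with `dialect=0x311` and a non-empty compression list is a host to patch or mitigate now. Until KB4551762 is installed, Microsoft's published workaround is to set the `DisableCompression` DWORD to 1 under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` on servers, after which this probe no longer sees the compression context; the workaround does not protect SMB clients, and TCP/445 should in any case not be reachable from the Internet.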

Microsoft discontinues RDCMan app following security bug

Microsoft this week discontinued its Remote Desktop Connection Manager (RDCMan) application following the discovery of a security flaw (CVE-2020-0765, an XML external entity issue in the way the tool parsed .rdg configuration files), choosing to retire the app rather than fix it. As its name suggests, the app lets users connect to other Windows computers via RDP (Remote Desktop Protocol) and manage many such connections from one window. It was developed by the former Windows Live Experience team for internal use and had been available for download from the Microsoft website since the late 2000s.