Round Up of Major Breaches and Scams
Comcast mistakenly published the names, phone numbers, and addresses of nearly 200,000 customers who paid monthly fees to make their numbers unlisted. The names and numbers were made available on Ecolisting, a directory run by Comcast, and picked up by third-party directories. After discovering the mistake, Comcast shut Ecolisting down, gave $100 credits to affected customers, and advised them that they can change their phone numbers at no charge.
iOS and iPadOS apps have unrestricted access to the system-wide general pasteboard, also referred to as the clipboard: any app running in the foreground can read whatever was last copied, with no permission prompt and no indication to the user. While this could be mundane data such as a shopping list, it could also include sensitive data such as passwords, telephone numbers, or financial details, including items copied from a password manager.
Round Up of Major Malware and Ransomware Incidents
Two previously undocumented pieces of malware, a downloader and a backdoor, were used in a watering hole operation attributed to the Russia-based threat group Turla. To reach targets of interest, the attackers compromised at least four websites, two of them belonging to the Armenian government, which indicates that the threat actor was after government officials and politicians.
Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016.
A new ransomware called CoronaVirus has been distributed through a fake web site impersonating WiseCleaner and its system optimization software and utilities. With fears and anxiety around the Coronavirus (COVID-19) outbreak rising, an attacker has built a campaign to distribute a malware cocktail consisting of the CoronaVirus ransomware and the Kpot information-stealing Trojan.
Also known as Waterbug, KRYPTON, Snake, and Venomous Bear, and active for more than a decade, Turla is known for targeting diplomatic and military organizations, with a focus on NATO and Commonwealth of Independent States (CIS) nations. The group has an extensive portfolio of malicious tools and continuously expands it to keep its attacks effective. The most recent additions were discovered while analyzing a watering hole attack targeting high-profile Armenian websites.
Appropriately dubbed "Cookiethief" by the Kaspersky researchers who discovered it, the trojan has a straightforward goal: to acquire root rights on the victim device and transfer the cookies used by the browser and the Facebook app to the cybercriminals' server. Armed with the siphoned-off cookies, crooks obtain the session identifiers that authenticate the user to web pages and services, gaining instant access without the victim's login or password; because the stolen session was already authenticated, any second factor is bypassed as well.
Researchers have discovered a new strain of ransomware, dubbed "PXJ," which emerged in the wild in early 2020. While PXJ performs functions similar to other ransomware variants, it does not appear to share underlying code with most known ransomware families, the researchers said. They first identified PXJ on Feb. 29, after discovering two samples that a community user had uploaded to VirusTotal.
Round Up of Major Vulnerabilities and Patches
After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic found roughly 48,000 Windows 10 hosts exposing port 445 to the Internet and vulnerable to attacks targeting CVE-2020-0796, a pre-authentication remote code execution vulnerability in Microsoft's Server Message Block 3.1.1 (SMBv3) implementation. Only Windows 10 and Windows Server versions 1903 and 1909 ship the affected SMBv3 compression code, so older Windows releases are not in this population.
Cybersecurity consultancy SEC Consult discovered multiple vulnerabilities in various Phoenix Contact TC ROUTER and TC CLOUD CLIENT industrial router devices; the vendor has released firmware updates that should patch the flaws.
Microsoft has patched a critical remote code execution vulnerability in its Server Message Block (SMBv3) protocol implementation and is urging organizations to deploy the update as soon as possible. CVE-2020-0796 exists in the way SMBv3 handles certain compressed requests. To exploit a server, an unauthenticated attacker sends a specially crafted packet to the SMBv3 service; to exploit a client, the attacker must induce the user to connect to a malicious SMBv3 server. Because the flaw sits in the kernel-mode SMB driver, a successful exploit gives the attacker complete control over the vulnerable system. Where patching must be delayed, Microsoft's documented workaround is to disable SMBv3 compression on servers (the DisableCompression value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters); that workaround does not protect SMB clients, and blocking TCP port 445 at the perimeter only removes the Internet-facing exposure, not the risk inside the network.
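The Kryptos Logic scan above worked by fingerprinting SMB servers rather than exploiting them: a server that completes an SMB 3.1.1 negotiate and returns a compression negotiate context has compression enabled, which is the precondition for CVE-2020-0796. The following is an added example, written for this page and not Kryptos Logic's or Microsoft's code, that builds the SMB2 NEGOTIATE request, parses the response for the compression context, and can probe a live host. Packet layouts follow the public MS-SMB2 specification; the sample response used for offline checking is constructed here, not a real capture. One caveat a practitioner should keep in mind: the patch fixes the parsing bug but does not stop the server from advertising compression, while the DisableCompression workaround does, so a hit means "compression enabled, verify patch level", not "confirmed vulnerable".

```python
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001      # mandatory whenever 3.1.1 is offered
CTX_COMPRESSION = 0x0003
HASH_SHA512 = 0x0001
COMPRESSION_NAMES = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}

# SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
# Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature (64 bytes)
HEADER_FMT = "<4sHHIHHIIQIIQ16s"


def _context(ctx_type, data):
    """SMB2 NEGOTIATE_CONTEXT: ContextType(2) DataLength(2) Reserved(4) Data."""
    return struct.pack("<HHI", ctx_type, len(data), 0) + data


def _pad8(buf):
    """Negotiate contexts must each start on an 8-byte boundary."""
    return buf + b"\x00" * ((8 - len(buf) % 8) % 8)


def build_negotiate_request(client_guid=b""):
    """SMB2 NEGOTIATE offering only dialect 3.1.1 plus a compression context,
    wrapped in a NetBIOS session header. Returns the bytes to send on TCP 445."""
    client_guid = client_guid or uuid.uuid4().bytes
    header = struct.pack(HEADER_FMT, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         0, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    dialects = struct.pack("<H", DIALECT_311)
    ctx_offset = (64 + 36 + len(dialects) + 7) // 8 * 8   # from start of SMB2 header
    # NEGOTIATE request body: StructureSize, DialectCount, SecurityMode (signing enabled),
    # Reserved, Capabilities, ClientGuid, NegotiateContextOffset, NegotiateContextCount, Reserved2
    body = struct.pack("<HHHHI16sIHH", 36, 1, 0x0001, 0, 0, client_guid, ctx_offset, 2, 0)
    preauth = struct.pack("<HHH", 1, 32, HASH_SHA512) + b"\x00" * 32   # 1 algorithm, 32-byte salt
    compression = struct.pack("<HHI", 3, 0, 0) + struct.pack("<HHH", 1, 2, 3)
    contexts = _pad8(_context(CTX_PREAUTH_INTEGRITY, preauth)) + _context(CTX_COMPRESSION, compression)
    msg = (header + body + dialects).ljust(ctx_offset, b"\x00") + contexts
    return struct.pack(">I", len(msg)) + msg


def parse_negotiate_response(data):
    """Parse a raw SMB2 NEGOTIATE response (NetBIOS header already stripped).
    Returns the chosen dialect and the compression algorithms the server advertised."""
    if data[:4] != b"\xfeSMB" or struct.unpack_from("<H", data, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    body = 64
    result = {
        "status": struct.unpack_from("<I", data, 8)[0],
        "dialect": struct.unpack_from("<H", data, body + 4)[0],
        "compression": [],
    }
    if result["dialect"] != DIALECT_311:
        return result                      # contexts only exist for 3.1.1
    ctx_count = struct.unpack_from("<H", data, body + 6)[0]
    off = struct.unpack_from("<I", data, body + 60)[0]
    for _ in range(ctx_count):
        ctx_type, length = struct.unpack_from("<HH", data, off)
        payload = data[off + 8: off + 8 + length]
        if ctx_type == CTX_COMPRESSION:
            count = struct.unpack_from("<H", payload, 0)[0]
            algs = struct.unpack_from("<%dH" % count, payload, 8)   # after Count, Padding, Flags
            result["compression"] = [COMPRESSION_NAMES.get(a, hex(a)) for a in algs]
        off += (8 + length + 7) // 8 * 8   # next context is 8-byte aligned
    return result


def advertises_compression(response):
    return bool(parse_negotiate_response(response)["compression"])


def probe(host, port=445, timeout=3.0):
    """Send the negotiate to a live host. Only run against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = struct.unpack(">I", s.recv(4))[0] & 0x00FFFFFF
        buf = b""
        while len(buf) < length:
            chunk = s.recv(length - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_negotiate_response(buf)


def build_sample_response(algorithms):
    """Constructed NEGOTIATE response (not a real capture) so the parser can be exercised offline."""
    header = struct.pack(HEADER_FMT, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    contexts = _pad8(_context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, HASH_SHA512) + b"\x00" * 32))
    count = 1
    if algorithms:
        data = struct.pack("<HHI", len(algorithms), 0, 0) + struct.pack("<%dH" % len(algorithms), *algorithms)
        contexts += _context(CTX_COMPRESSION, data)
        count = 2
    ctx_offset = (64 + 64 + 7) // 8 * 8   # 65-byte fixed body (64 fixed + variable buffer)
    # Response body: StructureSize, SecurityMode, DialectRevision, NegotiateContextCount, ServerGuid,
    # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize, SystemTime, ServerStartTime,
    # SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, DIALECT_311, count, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, ctx_offset)
    return (header + body).ljust(ctx_offset, b"\x00") + contexts


if __name__ == "__main__":
    print(parse_negotiate_response(build_sample_response((1,))))   # constructed sample, LZNT1 only
```

`probe("10.0.0.5")` returns the same dictionary for a real host; a server that does not speak 3.1.1 comes back with a different dialect and an empty compression list, which is the expected result for Windows releases older than 1903. Windows hosts that answer with only LZNT1 are the typical 1903/1909 fingerprint.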
This week Microsoft discontinued its Remote Desktop Connection Manager (RDCMan) application following the discovery of a security flaw in it. As its name suggests, the app lets users connect remotely to other Windows computers via RDP (Remote Desktop Protocol). Developed by the former Windows Live Experience team for their internal use, it had been available for download from the Microsoft website since the late 2000s.