
CloudSEK Daily Threat Bulletin – 31st January 2020

In the last 24 hours, as the world still reels from the sale of 30 million cards on Joker’s Stash, the UN has confirmed that their servers were exploited because of a SharePoint flaw that was patched in March 2019. As testimony to the growing sophistication of hackers, a new attack strategy that uses HTML redirectors to automatically download malicious files is making the rounds. The fact that hackers are leveraging current events such as Trump’s impeachment, and the Coronavirus crisis, shows their capacity to adapt and improvise. 

The high severity vulnerability in the WordPress plugin Code Snippets, which exposed 200,000 sites to takeover attacks, has been patched. Even as Dell and HP issued DMA vulnerability updates, researchers are concerned that a wide range of their systems can still be exploited.

Round Up of Major Cyber Security Breaches

UN confirms breach of 36 servers

The UN has confirmed that hackers have breached dozens of its servers since July 2019. Though UN staff were asked to change their passwords, they were not informed that their documents, emails, and databases had been compromised. The affected systems include 36 servers in Geneva and at least four in Vienna. The breach is believed to be an exploit of the SharePoint flaw CVE-2019-0604, which was patched in March 2019 but which the UN had not applied to its systems.

New Evil Corp phishing campaign uses HTML redirectors

Evil Corp’s new campaign uses HTML redirectors attached to emails. When opened, the HTML automatically starts downloading Dudear, a malicious Excel file. Once macros have been enabled in the Excel file, the malware installs an information-stealing Trojan known as GraceWire.

Hackers use Facebook marketing partner to run scams

Being Facebook’s marketing partner, LiveRamp has privileged access to advertising accounts on Facebook. The hackers hijacked a LiveRamp employee’s credentials in October 2019, giving them access to the company’s systems and advertising options. The hackers used this access to run malware ads and trick customers into buying fake products.

Social media booster exposes Instagram credentials

Social Captain, a social media boosting service, has exposed thousands of Instagram passwords. The company, which helps users increase their follower counts, asks for Instagram usernames and passwords to sign up. The credentials were found to be stored in unencrypted plaintext and visible in the website source code.

Round Up of Major Malware and Ransomware Incidents

Impeachment coverage helps spread malware TrickBot

TrickBot developers are injecting text from articles about the Trump impeachment into the malware. Content from sources such as the Independent and CNN is blended into the malware to make it FUD (Fully UnDetectable) by common anti-virus detection models.

Emotet is taking advantage of the Coronavirus scare

Emotet is being distributed in the guise of official Coronavirus notifications from public health departments. The email claims that its attachments contain preventive measures against the respiratory infection. The spam mail intends to trick recipients into opening the Word document attachment. When they click “Enable Content” in the document, the malware is installed on their devices, after which the malware payload has access to the device’s documents, browser history, and credentials.

US Government contractor targeted by Ryuk ransomware

Electronic Warfare Associates, a supplier of electronic equipment to the US government, was targeted by a Ryuk ransomware attack last week. Some of their web servers’ data were encrypted. The encrypted files and ransom notes are still cached in Google search results. Ryuk uses Emotet/TrickBot infected systems as an entry point to deploy their ransomware and exfiltrate data via a module called Ryuk Stealer.

US based Research company targeted by Iranian hackers

APT34 (aka OilRig or Helix Kitten), known for targeting government agencies, has targeted the US-based research company Westat. The breach was identified when a phishing Excel file, masquerading as an employee satisfaction survey, was discovered. When employees download the spreadsheet and enable macros, the malicious VBA code installs the TONEDEAF malware on the device. The operation also employs the browser credential theft tool VALUEVAULT.

Round Up of Major Vulnerabilities and Patches

WordPress plugin vulnerability exposes 200,000 websites

The high severity WordPress plugin vulnerability CVE-2020-8417 exposed 200,000 websites running an unpatched version of the Code Snippets plugin to takeover attacks. Within 2 days of being reported, the cross-site request forgery (CSRF) bug was patched in version 2.14.0, released on 25th January 2020. The flaw would have allowed attackers to forge a request as an administrator and remotely execute code on the sites, to exfiltrate sensitive data and infect the site’s users.
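The CSRF class behind this bug, shown as an added PHP illustration that is not the Code Snippets plugin’s own code: a WordPress admin-post handler in the shape such a bug takes (it trusts any POST that reaches it), beside the same handler hardened with a capability check and a nonce check. The hook name, option name, nonce action and form page are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Names prefixed "demo_" are assumptions.

// --- Vulnerable pattern: the handler trusts any POST that reaches admin-post.php.
// An administrator lured to an attacker-controlled page can have this request
// submitted by their own browser, with their own session cookie, because nothing
// proves the form was rendered by this site for this user.
function demo_import_snippet_unsafe() {
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'demo_snippet_code', $code ); // stored, later executed by the plugin
    wp_safe_redirect( admin_url( 'admin.php?page=demo-snippets' ) );
    exit;
}

// --- Hardened pattern: capability check plus nonce verification.
function demo_import_snippet_safe() {
    // 1. Only users allowed to manage the site may perform the action at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce bound to this action and this user's
    //    session; check_admin_referer() dies with 403 if it is missing or invalid,
    //    so a cross-site form (which cannot know the nonce) is rejected here.
    check_admin_referer( 'demo_import_snippet', 'demo_nonce' );

    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'demo_snippet_code', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-snippets' ) );
    exit;
}
add_action( 'admin_post_demo_import_snippet', 'demo_import_snippet_safe' );

// The legitimate form: wp_nonce_field() emits the hidden field the hardened
// handler verifies. Only a page rendered by this site for this user carries it.
function demo_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_import_snippet">
        <?php wp_nonce_field( 'demo_import_snippet', 'demo_nonce' ); ?>
        <textarea name="snippet_code"></textarea>
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}
```

The capability check alone does not stop CSRF, since the victim in this scenario is a real administrator; the nonce is what ties the request to a page this site rendered. When reviewing a plugin, look for every `admin_post_*`, `wp_ajax_*` or `admin_init` handler that writes settings or files and confirm both checks are present before the write.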

Cisco has released updates to address Small Business Switches DoS Vulnerability

Cisco has patched high severity vulnerabilities, CVE-2019-15993 and CVE-2020-3147, in the web UI of Cisco Small Business Switches. The vulnerabilities were due to improper validation of requests sent to the web interface. They could be exploited by sending malicious requests that cause the device to reload unexpectedly, resulting in a denial-of-service (DoS) condition.

Dell and HP issue DMA vulnerability updates, but attacks still possible

High severity vulnerabilities in Dell and HP laptops could have given attackers the opportunity for arbitrary code execution, DoS, and information disclosure. Though the companies have issued BIOS updates, there is concern that DMA attacks remain possible against a range of their laptops and desktops.
