
CloudSEK Daily Threat Bulletin – 3rd February 2020

As Coronavirus spreads outside China, Coronavirus-themed phishing attacks have also reached the US and UK. And who said hacking contests were only for White Hats? The XSS forum is running a contest with prize money of $15,000. Ironically, the spam-fighting organization Spamhaus is now being impersonated to orchestrate phishing scams. Scammers are also hijacking building door access systems to launch DDoS attacks. TVEyes, the latest victim of a ransomware attack, has refused to pay the ransom and intends to restore from backups and rebuild the affected infrastructure.

Round Up of Major Cyber Security Breaches

Coronavirus Phishing Attacks target US and UK

Phishing campaigns that leverage the coronavirus scare are now targeting the US and UK by masquerading as legitimate warnings from healthcare organizations. The emails claim to provide information on new cases of the infection and on safety measures. Clicking a link embedded in the email redirects victims to a phishing page that steals user credentials.

Phishing campaign masquerades as Spamhaus warning

A new phishing campaign is spreading malware in the guise of a warning from the Spamhaus Project. The warning claims that the receiver’s email ID has been added to the Spamhaus Block List (SBL) and will be blacklisted on all mail servers, and directs users to follow the instructions at a particular URL. A Google Drive link and a password are provided to remove the email from the block list. The campaign itself is ironic because Spamhaus is notably the organization that creates spam block lists for mail servers to block spam emails. Clicking on the link downloads a file that contains a malicious Visual Basic Script (VBS).

Hacking contest on the Dark Web offers $15,000

Recent activity on the Dark Web shows that there are several high-stakes hacking contests conducted by cyber criminals. An upcoming hacking contest, conducted by the underground forum XSS, is offering prize money of $15,000. The sophisticated Sodinokibi (REvil) group is sponsoring the event, which will judge participants on original articles containing proof-of-concept videos, or on original code.

Browser locker campaign deactivated

A week after analysis of a browser locker (browlock) campaign that ran on pages such as Microsoft Edge’s home page and popular tech sites, the campaign was deactivated. The browlock redirects users to a different site that is difficult to close. When users visited an affected page, a warning message popped up, and the WOOF locker was delivered through a malicious advertisement. By combining targeted traffic filtering with steganography, the locker survived for 2 years before researchers finally worked it out.

Hackers are hijacking smart building access systems to launch DDoS attacks

Hackers are exploiting CVE-2019-7256 to take over devices, download and install malware, and launch DDoS attacks by hijacking smart door and building access control systems. The attacks target Linear eMerge E3, a product of Nortek Security & Control (NSC), which provides credential-based access control for corporate headquarters, factories, and industrial parks.

Round Up of Major Malware and Ransomware Incidents

Advanced Obfuscation Marks Widespread Info-Stealing Campaign

A massive botnet campaign is spreading malicious rich text format (RTF) documents that carry information-stealing malware, such as Agent Tesla or Lokibot, which steal FTP credentials, stored email passwords, and browser history. On opening the attachment, the user is repeatedly instructed to activate macros for an embedded Excel file, which contains a malicious VBA macro. The macro applies advanced obfuscation techniques to bypass AMSI-related detection. Once installed on a system, it fetches a payload from a remote host, which then downloads the last-stage malware.
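Defender-side triage for the RTF-carries-Excel-macro chain described above, as an added example that is not part of the bulletin: a small Python scanner that pulls embedded OLE objects out of an RTF, reads each object's declared class, and decodes its `\objdata` hex to check for the OLE compound-file magic and a VBA project marker. The RTF sample and its object payload are constructed for the demo, not taken from a real campaign file.

```python
import re
from typing import Dict, List

# OLE compound-file header magic (the container format of embedded Excel objects)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entry names are stored as UTF-16LE; "_VBA_PROJECT" marks a macro project
VBA_MARKERS = (b"VBA", "_VBA_PROJECT".encode("utf-16-le"))

def _constructed_objdata() -> str:
    """Hand-made OLE-looking bytes: magic + padding + a VBA project name (demo only)."""
    payload = OLE_MAGIC + b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 4
    return payload.hex()

# Constructed sample RTF: one embedded Excel.Sheet object plus the "enable macros" lure text
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Excel.Sheet.12}"
    r"{\*\objdata " + _constructed_objdata() + r"}}"
    r"\par Please enable macros to view this invoice.}"
)

# Each \object control word starts a new embedded object; scan until the next one or EOF
OBJECT_RE = re.compile(r"\\object\b(.*?)(?=\\object\b|$)", re.S)
CLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9._]+)")
DATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")

def analyse_rtf(text: str) -> List[Dict]:
    """Return one finding per embedded object: class, OLE magic present, VBA marker present."""
    findings = []
    for m in OBJECT_RE.finditer(text):
        body = m.group(1)
        cls = CLASS_RE.search(body)
        data = DATA_RE.search(body)
        raw = bytes.fromhex(re.sub(r"\s", "", data.group(1))) if data else b""
        findings.append({
            "objclass": cls.group(1) if cls else None,
            "is_excel": bool(cls and cls.group(1).lower().startswith("excel")),
            "is_ole": raw.startswith(OLE_MAGIC),
            "has_vba": any(marker in raw for marker in VBA_MARKERS),
        })
    return findings

def is_suspicious(text: str) -> bool:
    """Flag an RTF that embeds an Excel OLE object carrying a VBA project."""
    return any(f["is_excel"] and f["is_ole"] and f["has_vba"] for f in analyse_rtf(text))

if __name__ == "__main__":
    for finding in analyse_rtf(SAMPLE_RTF):
        print(finding)
    print("suspicious" if is_suspicious(SAMPLE_RTF) else "clean")
```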

Winnti Malware Campaign targeted universities in Hong Kong

Two Hong Kong universities’ systems were compromised in a Winnti Group malware campaign. This came to light in November 2019, after ShadowPad launcher malware samples were detected on several systems. The campaigns are believed to be targeted attacks on specific universities, because the command and control URLs and the campaign identifiers contained the names of the affected universities.

TV & radio news monitoring service TVEyes target of ransomware attack

A ransomware attack has affected TVEyes’ core server and engineering workstations, primarily located in the US. The news monitoring service’s CEO has confirmed that they don’t intend to pay the ransom demand and are currently restoring from backups and rebuilding the impacted infrastructure.

Round Up of Major Vulnerabilities and Patches

Intel Microcode update for Intel CPU bugs

Microsoft has released a new Intel Microcode update for Windows 10 1909, 1903, and older versions. These optional updates contain fixes for hardware bugs in Intel CPUs: the microcode is delivered as a software patch to mitigate hardware-based security vulnerabilities and bugs.

Vulnerability in UnZip addressed by RedHat update

The vulnerability (CVE-2020-8516) allows a threat actor to craft a zip file that, when processed on the victim’s system with the ‘-t’ command line option, triggers a buffer overflow and executes arbitrary code on the target’s system. RedHat has released updated unzip packages that fix this issue in Red Hat Enterprise Linux 6 and 7.
