Emotet Malware Phishing Rogueware

CloudSEK Daily Threat Bulletin – 5th February 2020

From charity organizations to government entities, just in the last few days we have seen the impact of attacks on 12 Indian government entities, the city of Racine, a voter registration website, and the Red Kite Community Housing charity. With Emotet finding a new carrier in W-9 tax forms, it is more obvious than ever that the evolving nature of these attacks makes them harder to anticipate and mitigate.

When it comes to vulnerabilities, there have been updates to fix bugs in WhatsApp, the WordPress plugin Tutor LMS, the ‘sudo’ utility, Mini-SNMPD, and Google Takeout.

With threat actors becoming more sophisticated, Microsoft, Twitter, and Google are working on proactive measures and new features that will make them less vulnerable to attacks.

Round Up of Major Cyber Security Breaches and Scams

3000 email IDs, from 12 government entities, leaked on the Dark Web

3,202 leaked email IDs belonging to 12 Indian government entities have surfaced on the dark web. Of these, 365 IDs belong to the Indira Gandhi Centre for Atomic Research (IGCAR), 325 to the Bhabha Atomic Research Centre (BARC), and 157 to the Securities and Exchange Board of India (SEBI). The IDs and passwords are believed to have been collected through a targeted phishing campaign.

FBI says voter registration and information site was the target of a DDoS attack

In a Private Industry Notification (PIN), the US Federal Bureau of Investigation (FBI) warned of a Distributed Denial of Service (DDoS) attack that targeted a state-level voter registration and information site. The attack was identified after anomalous Domain Name System (DNS) server requests, consistent with a Pseudo Random Subdomain (PRSD) attack, were observed against the site, with short periods during which the volume of DNS requests increased tenfold.
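As an added illustration of the two signals in the FBI notice (a tenfold jump in query volume, and queries for random, never-repeated subdomains under one zone), the following Python is detection logic over a constructed DNS query log; it is not part of the bulletin, and the log format (`epoch client-ip queried-name`) and sample lines are assumptions for the example.

```python
# Added example: flag Pseudo Random Subdomain (PRSD) floods in a DNS query log.
# Two signals are combined: per-zone query volume >= 10x the zone's baseline window,
# and most queried names in that window being distinct (random labels, not repeated lookups).
from collections import Counter, defaultdict

def zone_of(name):
    """Registrable zone; assumed here to be the last two labels of the queried name."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def window_stats(lines, window=60):
    """Bucket 'epoch client name' lines into (zone, window index) -> count and distinct names."""
    counts = Counter()
    names = defaultdict(set)
    for line in lines:
        ts, _client, name = line.split()
        key = (zone_of(name), int(ts) // window)
        counts[key] += 1
        names[key].add(name)
    return counts, names

def detect_prsd(lines, window=60, ratio=10, distinct_share=0.8):
    """Return [(zone, window index, query count)] for windows that look like a PRSD flood.
    The zone's first observed window is taken as its baseline (assumption of this example)."""
    counts, names = window_stats(lines, window)
    baseline = {}
    for zone, widx in sorted(counts):
        baseline.setdefault(zone, counts[(zone, widx)])
    hits = []
    for (zone, widx), n in sorted(counts.items()):
        distinct = len(names[(zone, widx)]) / n
        if n >= ratio * baseline[zone] and distinct >= distinct_share:
            hits.append((zone, widx, n))
    return hits

# Constructed sample: a quiet baseline minute (3 queries), then one minute of 40 queries.
BASELINE = [f"{t} 10.0.0.{t // 20 + 1} www.voterinfo.example" for t in range(0, 60, 20)]
FLOOD = [f"{60 + i} 198.51.100.9 {i:05x}.voterinfo.example" for i in range(40)]  # 40 distinct labels
NORMAL_BUSY = [f"{60 + i} 10.0.0.1 www.voterinfo.example" for i in range(40)]     # same name repeated

if __name__ == "__main__":
    print(detect_prsd(BASELINE + FLOOD))        # [('voterinfo.example', 1, 40)]
    print(detect_prsd(BASELINE + NORMAL_BUSY))  # [] : a legitimate burst of one name is not flagged
```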

Phishing scam swindled > $1 Million from Red Kite Community Housing

Britain-based Red Kite Community Housing charity has admitted that a cyber-attack in August 2019 resulted in the loss of more than $1 million. It also admitted that a payment verification process intended to prevent fraudulent transactions proved ineffective, because the error it flagged was not actioned. Scammers spoofed the domain of a genuine contractor and sent emails to Red Kite in order to swindle it.

Mayor has announced that the city of Racine will not pay ransom

In response to the ransomware attack that infected computer systems in Racine, the mayor has announced that the ransom demands will not be met. Since the attack, the city’s website, email, voicemail, and payment systems have been offline. The attack has affected over 700 employees of the Wisconsin city.

New Office 365 features will block malicious content, irrespective of custom configurations

Microsoft announced that it is currently working on features that can block malicious content on Office 365 irrespective of the custom configurations set up by administrators or users, unless manually overridden. This change comes in response to the fact that some settings allow Office 365 Exchange Online Protection/Advanced Threat Protection detonation verdicts to be bypassed, inadvertently permitting malicious content.

Twitter to start labelling manipulated media from 5th March 2020

Twitter has announced that it will be taking measures to curb harmful synthetic or manipulated media spread via the platform. From 5th March 2020, Twitter will start labelling tweets containing synthetic or manipulated content, to help people understand the authenticity and context of those tweets.

Round Up of Major Malware and Ransomware Incidents

Malicious Chinese company apps still available on Google Play

A Chinese company, Shenzhen HAWK Internet Co. Ltd, is believed to have developed 24 popular apps, some of which contain malware and rogueware. The apps, which have a combined 382 million installations, have engaged in unethical practices such as harvesting user data and subscribing users to premium phone numbers. The apps could launch hidden browser windows and click on ads on certain websites. They also asked for a large number of dangerous permissions, including the ability to make calls, take pictures, record video, and record audio. All the affected apps are still available on Google Play.

New DoppelPaymer ransomware sells your captive data

The new DoppelPaymer ransomware has found channels to sell the captive data, in addition to encrypting it, if victims don’t pay up. The capability to turn a ransomware attack into a full-blown data breach gives it the upper hand when it comes to collecting the ransom. Jumping on the bandwagon, the REvil and Nemty families of ransomware are also resorting to this tactic.

Emotet campaign masquerades as W-9 tax forms during tax season

Not one to miss an opportunity, a new Emotet trojan campaign leverages the tax season with spam pretending to deliver a requested signed W-9 tax form. The spam email contains the text “Please see attached” and a fake W-9.doc attachment.
On opening the attachment, the victim is instructed to ‘Enable Content’ in the malicious Word document template. Once content is enabled, malicious macros launch a PowerShell command that executes the Emotet trojan on the victim’s system.
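The macro-to-PowerShell step described above is the point most endpoint telemetry can catch, so here is an added Python example (not from the bulletin) of that detection logic, run over constructed process-creation events in the shape of Sysmon Event ID 1; the field names (`ParentImage`, `Image`, `CommandLine`), the sample paths and the command lines are assumptions for the example, not captured Emotet data.

```python
# Added example: flag Office processes that spawn a shell or script host, and raise the
# severity when the PowerShell command line carries hidden/encoded/bypass switches.
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# PowerShell switches rarely used by anything a document legitimately launches.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w(?:indowstyle)?\s+hidden|"
    r"ep\s+bypass|executionpolicy\s+bypass|nop|noprofile)\b")

def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return None, 'medium' or 'high' for one process-creation event.
    medium: an Office process spawned a shell/script host (macro execution is the usual cause)
    high:   and the command line also shows hidden/encoded/bypass switches"""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if basename(event["Image"]) not in SHELL_CHILDREN:
        return None
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        return "high"
    return "medium"

def scan(events):
    """Return [(event index, severity)] for every matching event."""
    return [(i, sev) for i, ev in enumerate(events) if (sev := classify(ev))]

# Constructed sample events (illustrative paths and arguments, not real captured data).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\W-9.doc"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc QUFBQQ=="},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [(1, 'high')]
```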

Round Up of Major Vulnerabilities and Patches

Google releases Chrome 80 with 56 security fixes and other features

Yesterday, Google released Chrome 80 for Windows, macOS, Linux, Chrome OS, iOS, and Android, with bug fixes, new features, and 56 security fixes. The new features include auto-upgraded mixed content, text URL fragments, and SVG favicons. A highlight of Google Chrome 80 is the secure-by-default cookie classification system, which treats cookies without a SameSite value as SameSite=Lax cookies.
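To make the Chrome 80 cookie change concrete, here is an added Python model (not from the bulletin or from Chromium) of how a Set-Cookie header is classified under the new defaults and whether the resulting cookie accompanies a cross-site request; the Set-Cookie headers are constructed, and the 2-minute "Lax+POST" allowance is Chrome's temporary mitigation for cookies that carry no SameSite attribute.

```python
# Added example: Chrome 80 SameSite defaults applied to Set-Cookie headers.
#   - no (or unrecognised) SameSite attribute  -> treated as SameSite=Lax
#   - SameSite=None without Secure             -> cookie rejected
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # "Strict", "Lax" or "None" after defaults are applied
    secure: bool
    explicit: bool   # True if the server itself sent a valid SameSite attribute

def parse_set_cookie(header):
    """Parse one Set-Cookie header; return a Cookie, or None if Chrome 80 rejects it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.lower()] = v.strip()
    secure = "secure" in attrs
    same_site = attrs.get("samesite", "").capitalize()
    explicit = same_site in ("Strict", "Lax", "None")
    if not explicit:
        same_site = "Lax"          # new default for a missing or invalid value
    elif same_site == "None" and not secure:
        return None                # SameSite=None requires Secure
    return Cookie(name.strip(), value, same_site, secure, explicit)

def sent_cross_site(cookie, top_level, method, age_seconds=0):
    """Would this cookie be attached to a cross-site request?
    top_level: True for a top-level navigation, False for subresource/iframe/fetch
    age_seconds: cookie age, used for the Lax+POST allowance (defaulted cookies under 2 min)"""
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Strict" or not top_level:
        return False
    if method.upper() in ("GET", "HEAD"):
        return True
    return not cookie.explicit and age_seconds < 120

if __name__ == "__main__":
    legacy = parse_set_cookie("session=abc123; Path=/; HttpOnly")  # constructed header
    print(legacy.same_site, sent_cross_site(legacy, True, "GET"), sent_cross_site(legacy, False, "GET"))
    print(parse_set_cookie("tracker=1; SameSite=None"))            # None: rejected, not Secure
```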

High severity WhatsApp vulnerability, that allows access to users’ local file system, has been fixed

CVE-2019-18426, an 8.2 high-severity vulnerability in WhatsApp, has been patched. The vulnerability could have been exploited to read files from a user’s local file system on macOS and Windows systems. This flaw affects WhatsApp Desktop versions before v0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10. A remote attacker could exploit the flaw by tricking the victim into clicking a link preview in a text message.

Google flaw mistakenly included your videos in unrelated users’ downloads

Google is sending email notifications to users, informing them that a bug caused videos stored in their Google Photos account to be mistakenly included in other users’ data when those users downloaded it via Google Takeout. This privacy lapse has affected content and data uploaded to Google Photos, YouTube, Chrome, and many other services. Google has recommended that users who received other users’ videos when they downloaded their content via Google Takeout should delete them.

CSRF flaw patched in new version of WordPress plugin Tutor LMS

The WordPress plugin Tutor LMS, which allows users to create and sell courses, left users vulnerable to a CSRF (Cross-Site Request Forgery) attack. The vulnerability allows an attacker to cause unintended actions on a site that the victim trusts and is authenticated to at the time of the attack. Tutor LMS has released version 1.5.3, which fixes the vulnerability.

3 Mini-SNMPD vulnerabilities patched in new version

Three vulnerabilities in Mini-SNMPD, two out-of-bounds read bugs and one stack overflow, have been discovered. The first two flaws, CVE-2020-6058 and CVE-2020-6059, could be exploited to obtain sensitive information or cause a DoS condition. The third bug, CVE-2020-6060, could be exploited by initiating a specially timed sequence of SNMP connections to the vulnerable server. The vulnerabilities, found in version 1.4 of Mini-SNMPD, have been patched in version 1.5.

Sudo flaw allows non-privileged Linux and macOS users to run commands as Root

CVE-2019-18634 is a vulnerability in the ‘sudo’ utility that allows non-privileged Linux and macOS users to run commands as root.
It can be exploited only when the “pwfeedback” option is enabled in the sudoers configuration file. When it is, an attacker can execute commands as root on a targeted Linux system even if the sudoers configuration does not grant them root access.
