Round Up of Major Breaches and Scams
One of the most recent coronavirus scams to come to light is an Android app distributed from coronavirusapp[.]site. It claims to offer a map with real-time virus tracking and information, including heatmap visuals and statistics. In fact, according to a researcher from DomainTools, the app is laced with ransomware.
An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill — while reaping high rates of success in luring victims, according to an independent researcher.
Cybersecurity firm Check Point Research uncovered the digital trail of a Nigerian cybercriminal who went by the name “Dton” and targeted hundreds of thousands of people under the alias “Bill Henry” by sending them malicious emails carrying custom-built malware. The company said it disclosed the findings to the relevant Nigerian and international law enforcement authorities for further action.
Online guitar tutoring website TrueFire has apparently suffered a ‘Magecart’-style data breach that may have exposed its customers’ personal information and payment card data.
Round Up of Major Malware and Ransomware Incidents
Researchers discovered a new ransomware strain dubbed Pxj that encrypts users’ files and appends a “.pxj” extension to them. The distribution method has not been confirmed, although email is the most likely vector. Once on a system, it empties the Recycle Bin, deletes the volume shadow copies, disables Windows Error Recovery and then runs a series of commands to destroy the user’s ability to recover the data after encryption.
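The recovery-inhibition sequence described for Pxj (shadow copy deletion, recovery disabled, follow-up clean-up commands) is one of the highest-signal ransomware behaviours a SOC can alert on, because the actions precede or accompany encryption. The following is an added detection example, not code from the original article or from any analysis of Pxj: it runs a small set of command-line patterns over constructed process-creation events of the kind Sysmon Event ID 1 or Windows 4688 would produce. The article names the behaviours but not the exact commands, so the patterns below are the commonly used Windows utilities for those behaviours (MITRE ATT&CK T1490) and are an assumption about this strain, not a description of it.

```python
import re

# Constructed process-creation events, not telemetry from the article. The
# first five are the typical recovery-inhibition chain; the last two are benign.
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4318, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete systemstatebackup -keepVersions:0"},
    {"pid": 4320, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4321, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4330, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5001, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 5002, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

# (behaviour label, pattern). Assumed command forms for the behaviours the
# article describes; case-insensitive because cmd.exe and PowerShell are.
RECOVERY_INHIBIT_PATTERNS = [
    ("shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+", re.I)),
    ("recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("boot failure recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def match_recovery_inhibition(events):
    """Return (pid, behaviour, cmdline) for each event matching a pattern.

    One hit per event: the first matching pattern wins.
    """
    hits = []
    for ev in events:
        for label, pattern in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], label, ev["cmdline"]))
                break
    return hits


def alert_on_burst(events, threshold=3):
    """Raise one high-confidence alert when several distinct recovery-inhibition
    behaviours appear in the same batch.

    A lone 'vssadmin delete shadows' can be legitimate administration; a chain
    of distinct behaviours (shadows gone, backups gone, recovery disabled)
    almost never is. Returns (alert: bool, behaviours seen).
    """
    hits = match_recovery_inhibition(events)
    behaviours = {label for _, label, _ in hits}
    return len(behaviours) >= threshold, sorted(behaviours)


if __name__ == "__main__":
    for pid, label, cmd in match_recovery_inhibition(SAMPLE_EVENTS):
        print(f"pid={pid:<5} {label:32} {cmd}")
    print("alert:", alert_on_burst(SAMPLE_EVENTS))
```

The per-event matches are what you would ship as medium-severity detections; the burst rule is the one to page on, and in a real pipeline it should be keyed on host and a short time window (a few minutes) rather than on an arbitrary batch of events as here.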
This software attempts to evade blocking by endpoint protection systems with anti-debugging code, string and API-name encryption, runtime decompression and virtual machine detection. Its developers went as far as to embed a full backdoor-like component into the installer that allows remote injection of new code into the installer, granting it capabilities that extend far beyond what one would expect from a piece of installation software.
A Pakistani-linked threat actor, APT36, has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT. Crimson RAT’s capabilities include stealing credentials from victims’ browsers, capturing screenshots, collecting information about installed anti-virus software, and listing the running processes, drives and directories on victim machines.
A new ransomware called Nefilim, which shares much of its code with Nemty, has become active in the wild and threatens to release stolen data. Nefilim appeared at the end of February 2020; while its distribution method is not known for certain, it is most likely being deployed through exposed Remote Desktop Services.
Round Up of Major Vulnerabilities and Patches
An open database hosted in an Amazon S3 bucket is the source of a data leak exposing 425GB of sensitive documents belonging to financial companies. Because basic access controls were never applied, the bucket permitted unfettered access to anyone with an Internet connection and the bucket’s address.
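The failure above is an authorization one: an S3 bucket whose policy or account settings let the anonymous principal read it. The following is an added example, not code from the original article and not the leaked bucket’s real configuration: it statically evaluates a bucket policy document for statements that grant the wildcard principal access without a restricting Condition, and reports which of the four S3 Block Public Access flags are unset. Both policy documents and the flag dictionary are constructed inputs; in practice the policy would come from `get_bucket_policy` and the flags from `get_public_access_block`, but the check itself needs no network access.

```python
import json

# Constructed policy documents (not the real bucket's configuration).
# The first is the classic "anyone can read and list" misconfiguration.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"],
    }],
})

# The second grants a named role, plus a wildcard principal that is restricted
# to one VPC endpoint by a Condition: not public, but worth a reviewer's eye.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-docs/*",
        },
        {
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-docs/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})

# The four account/bucket-level flags that make a bucket immune to the
# misconfiguration above regardless of what the policy or ACLs say.
REQUIRED_BLOCK_PUBLIC_ACCESS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal) -> bool:
    """True for the wildcard principal in either of its spellings: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json: str):
    """Return (public, review): Sids of Allow statements for the anonymous principal.

    'public' statements have no Condition at all, so anyone on the Internet
    matches them. 'review' statements have a Condition (e.g. aws:SourceVpce)
    that may or may not be sufficient and should be read by a human.
    """
    doc = json.loads(policy_json)
    public, review = [], []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement-{i}")
        (review if st.get("Condition") else public).append(sid)
    return public, review


def block_public_access_gaps(config: dict):
    """Return the Block Public Access flags that are missing or not True."""
    return [flag for flag in REQUIRED_BLOCK_PUBLIC_ACCESS if not config.get(flag, False)]


if __name__ == "__main__":
    print("public-read policy  :", find_public_statements(PUBLIC_READ_POLICY))
    print("restricted policy   :", find_public_statements(RESTRICTED_POLICY))
    print("missing BPA flags   :", block_public_access_gaps({"BlockPublicAcls": True}))
```

The policy check catches the configuration that produced this leak; the flag check is the control that would have prevented it, because with `BlockPublicPolicy` and `RestrictPublicBuckets` set, S3 rejects or ignores a wildcard-principal policy even if someone writes one.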
VMware today released security updates to address a high-severity privilege escalation vulnerability and a denial-of-service (DoS) vulnerability in VMware Workstation, Fusion, VMware Remote Console and Horizon Client. The two flaws, tracked as CVE-2020-3950 and CVE-2020-3951, are due respectively to the improper use of setuid binaries and to a heap overflow in Cortado Thinprint.
Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week. The Japanese antivirus maker released patches on Monday for the two zero-days, along with three other critical issues that were not exploited in the wild. According to the alert, the two zero-days affect the company’s Apex One and OfficeScan XG enterprise security products. Trend Micro did not release any details about the attacks.
Adobe has released security updates for Adobe Acrobat and Adobe Reader that fix 13 vulnerabilities ranging from information disclosure to arbitrary code execution. Four are rated ‘Important’ because they lead to information disclosure or privilege escalation; the other nine are rated ‘Critical’ because a crafted PDF could exploit them to execute arbitrary code on the affected computer.