
COVID-19 malware and phishing scams, fake Google domains, and more

Major cyber security incidents on 17th March 2020: Scammers use COVID-19 as a guise to spread malware and phishing mails. APT36 calls coronavirus a ‘golden opportunity’ to distribute Crimson RAT. A MacOS bundleware installer is capable of much more than normal installation software.

Round Up of Major Breaches and Scams

The internet is drowning in COVID-19-related malware and phishing scams

One of the most recent coronavirus hoaxes to come to light is an Android app available at coronavirusapp[.]site. It claims to provide access to a map that provides real-time virus-tracking and information, including heatmap visuals and statistics. In fact, a researcher from DomainTools said, the app is laced with ransomware.

Convincing Google impersonation opens door to MiTM, phishing

An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill — while reaping high rates of success in luring victims, according to an independent researcher.
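The attack described above works because a registrar and a browser will happily accept a domain whose letters merely look like a trusted brand's. The usual defensive counterpart is to normalise every observed domain (from mail logs, proxy logs, or newly registered domain feeds) into its punycode form and a "skeleton" with look-alike characters folded back to their Latin targets, then compare that skeleton against a watch-list. The following Python is an added example, not code from the researcher quoted here; the watch-list `PROTECTED` and the small `CONFUSABLES` table are constructed (the full mapping lives in Unicode TR39), and the script heuristic uses the first word of the Unicode character name as a stand-in for the real script property.

```python
import unicodedata

# Constructed watch-list of brand domains to protect; replace with your own.
PROTECTED = {"google.com", "paypal.com", "apple.com"}

# Hand-picked subset of look-alike characters -> the Latin letter they imitate.
# Unicode TR39 publishes the complete table; this is only enough to demonstrate the idea.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G (same script, still a look-alike)
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def to_unicode(domain: str) -> str:
    """Lower-case, drop a trailing dot, and decode punycode labels if any are present."""
    d = domain.strip().rstrip(".").lower()
    if "xn--" in d:
        d = d.encode("ascii").decode("idna")
    return d


def skeleton(domain: str) -> str:
    """Fold look-alikes to their Latin targets and strip combining marks (accents)."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts_in(label: str) -> set:
    """Approximate script names of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze(domain: str, protected=PROTECTED) -> dict:
    """Classify a domain as clean, idn, suspicious (mixed scripts) or impersonation."""
    try:
        uni = to_unicode(domain)
        ascii_form = uni.encode("idna").decode("ascii")
    except UnicodeError as exc:
        return {"domain": domain, "verdict": "invalid", "reasons": [f"cannot encode: {exc}"]}

    reasons = []
    if ascii_form != uni:
        reasons.append(f"internationalized name, resolves as {ascii_form}")
    for label in uni.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            reasons.append(f"mixed scripts {sorted(scripts)} in label {label!r}")

    skel = skeleton(uni)
    if skel != uni and skel in protected:
        reasons.append(f"confusable with protected domain {skel}")
        verdict = "impersonation"
    elif any(r.startswith("mixed scripts") for r in reasons):
        verdict = "suspicious"
    elif reasons:
        verdict = "idn"  # a legitimate internationalized name; not suspicious by itself
    else:
        verdict = "clean"
    return {"domain": domain, "unicode": uni, "ascii": ascii_form, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # "google.com" spelled with two Cyrillic o's (written with escapes so the trick is visible)
    for candidate in ["google.com", "g\u043e\u043egle.com", "\u0261oogle.com", "яндекс.рф"]:
        print(analyze(candidate))
```

Two caveats a practitioner would add: a pure Cyrillic or pure Greek label is only "idn", not "suspicious", because legitimate internationalized names are common and the skeleton comparison against the watch-list is what actually catches impersonation; and the same folding should be applied to the punycode seen on the wire (`xn--…` labels), which `to_unicode` handles so that a log line and a certificate transparency entry for the same name produce the same verdict.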

Researchers uncover a Nigerian hacker’s pursuit of his million dollar dream

Cybersecurity firm Check Point Research uncovered the digital trail of a Nigerian cybercriminal, who went by the name of “Dton” and targeted hundreds of thousands of people under the moniker of “Bill Henry” by sending them malicious emails with custom-built malware. The company said it disclosed the findings to concerned Nigerian and international law enforcement authorities for further action.

TrueFire guitar tutoring website suffers Magecart-style credit card breach

Online guitar tutoring website TrueFire has apparently suffered a ‘Magecart’ style data breach incident that may have exposed its customers’ personal information and payment card information.

Round Up of Major Malware and Ransomware Incidents

New PXJ ransomware deletes backup copies and disables user ability to recover any file

Researchers discovered a new ransomware strain dubbed Pxj that encrypts users’ files and appends the “.pxj” extension to the encrypted files. The distribution method of the ransomware strain remains unknown, although email is the most likely vector. Once it gets into the user’s system it checks the Recycle Bin and empties it. It also destroys the files from shadow copies, disables the Windows Error Recovery service and then executes a series of commands to destroy the user’s ability to recover the data after encryption.
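The recovery-inhibition steps listed above (shadow copies destroyed, error recovery disabled, a series of commands run before encryption) are what endpoint detection usually keys on, because they are loud and happen before the damage. The following Python is an added example, not taken from the PXJ analysis: it parses a few constructed process-creation events, matches command lines against rules for the Windows built-ins commonly abused for these steps (the commands in the rules are general knowledge, not PXJ-specific indicators), allow-lists a constructed backup agent that legitimately prunes shadow copies, and escalates to an incident when one host shows two or more distinct recovery-inhibition behaviours inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry): timestamp, then
# key=value fields, command line quoted. Mirrors the fields a Sysmon/EDR event carries.
SAMPLE_LOG = r"""
2020-03-17T10:02:11Z host=WS01 pid=4120 image=C:\Windows\System32\vssadmin.exe parent=C:\Users\bob\AppData\Local\Temp\update.exe cmd="vssadmin.exe delete shadows /all /quiet"
2020-03-17T10:02:12Z host=WS01 pid=4131 image=C:\Windows\System32\bcdedit.exe parent=C:\Users\bob\AppData\Local\Temp\update.exe cmd="bcdedit /set {default} recoveryenabled no"
2020-03-17T10:02:13Z host=WS01 pid=4140 image=C:\Windows\System32\wbadmin.exe parent=C:\Users\bob\AppData\Local\Temp\update.exe cmd="wbadmin delete catalog -quiet"
2020-03-17T11:30:00Z host=ADMIN02 pid=900 image=C:\Windows\System32\vssadmin.exe parent=C:\Windows\System32\cmd.exe cmd="vssadmin.exe list shadows"
2020-03-17T09:00:00Z host=BK01 pid=77 image=C:\Windows\System32\vssadmin.exe parent=C:\Program Files\Backup\agent.exe cmd="vssadmin.exe delete shadows /for=D: /oldest"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) '
    r'parent=(?P<parent>.+?) cmd="(?P<cmd>.*)"$'
)

# Detection rules: (behaviour name, command-line pattern). Listing shadows is not matched.
RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery-disabled", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("recovery-disabled", re.compile(r"bcdedit(\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup-catalog-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Constructed allow-list: parent images that are expected to prune shadow copies.
# A parent path is spoofable, so this only suppresses noise; it is not a trust boundary.
TRUSTED_PARENTS = {r"c:\program files\backup\agent.exe"}


def parse_events(text: str) -> list:
    """Parse the key=value event format into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def match_rules(events: list, trusted_parents=TRUSTED_PARENTS) -> list:
    """One alert per event whose command line matches a rule, unless the parent is trusted."""
    alerts = []
    for ev in events:
        if ev["parent"].lower() in trusted_parents:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": name, "cmd": ev["cmd"]})
                break
    return alerts


def correlate(alerts: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """host -> sorted behaviours, for hosts showing >= 2 distinct behaviours within the window."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["ts"])
        for i, first in enumerate(host_alerts):
            rules = {a["rule"] for a in host_alerts[i:] if a["ts"] - first["ts"] <= window}
            if len(rules) >= 2:
                incidents[host] = sorted(rules)
                break
    return incidents


if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a['ts'].isoformat()} {a['host']} {a['rule']}: {a['cmd']}")
    print("incidents:", correlate(found))
```

On the sample, the administrator merely listing shadow copies and the backup agent pruning them produce no alerts, while WS01 produces three different behaviours two seconds apart and is escalated. In production the correlation window and the allow-list are the tuning knobs; the single-event rules are still worth alerting on at lower severity, since a ransomware that performs only one of these steps should not go unnoticed.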

“Double agent”: a MacOS bundleware installer that acts like a spy

This software attempts to evade blocking by endpoint protection systems with anti-debugging code, strings and API encryption, runtime decompression and virtual machine detection. Its developers went as far as to embed a full backdoor-like component into the installer that allows remote injection of new code into the installer – granting it capabilities that extend far beyond what one might expect from a piece of installation software.

APT36 taps coronavirus as ‘golden opportunity’ to spread Crimson RAT

A Pakistani-linked threat actor, APT36, has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT. The functionalities of the Crimson RAT include stealing credentials from victims’ browsers, capturing screenshots, collecting anti-virus software information, and listing the running processes, drives and directories from victim machines.

New Nefilim ransomware threatens to release victim’s data

A new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and threatens to release stolen data. Nefilim became active at the end of February 2020 and while it is not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services.

Round Up of Major Vulnerabilities and Patches

Financial companies leak 425GB in company, client data through open database

An open database is the source of a data leak leading to the exposure of 425GB in sensitive documents belonging to financial companies. Due to a failure to implement basic security protocols, the database permitted unfettered access to anyone with an Internet connection and the S3 bucket’s address.
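The exposure described above is the classic storage misconfiguration: an ACL grant to everyone, or a bucket policy with `Principal: "*"`, with no account-level public access block to override it. As an added example, not code from the report on this leak, the Python below audits the three structures that decide whether an S3 bucket is reachable by anyone with its address. The dictionaries are shaped like the `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` API responses, but every value in them (bucket name, account id, role name) is constructed, and the effect of the public access block settings is simplified to "ignore public ACLs" and "restrict public policies".

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (and any other key mapped to "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket(acl_grants: list, policy: dict, public_access_block: dict) -> list:
    """Return (severity, description) findings for public exposure via ACL or policy."""
    findings = []
    pab = public_access_block or {}

    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            who = "anyone" if grantee["URI"] == ALL_USERS else "any AWS account"
            # IgnorePublicAcls makes such grants ineffective, so only note them.
            severity = "info" if pab.get("IgnorePublicAcls") else "high"
            findings.append((severity, f"ACL grants {grant.get('Permission')} to {who}"))

    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        conditional = "Condition" in stmt
        if pab.get("RestrictPublicBuckets"):
            severity = "info"  # public policy is neutralised for anonymous callers
        elif conditional:
            severity = "medium"  # public, but gated by a Condition that needs review
        else:
            severity = "high"
        scope = "(with Condition)" if conditional else "(unconditional)"
        findings.append((severity, f"policy allows {actions} to Principal * {scope}"))
    return findings


def is_public(findings: list) -> bool:
    return any(severity == "high" for severity, _ in findings)


# --- Constructed configurations: the weak setting beside the corrected one ---------------
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}

LEAKY_ACL = [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::client-documents/*"}],
}
NO_PAB = {}

HARDENED_ACL = [OWNER_GRANT]
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnalystsRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/analysts"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::client-documents/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::client-documents", "arn:aws:s3:::client-documents/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
FULL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

CONDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::client-documents/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
}

if __name__ == "__main__":
    print("leaky:   ", audit_bucket(LEAKY_ACL, LEAKY_POLICY, NO_PAB))
    print("hardened:", audit_bucket(HARDENED_ACL, HARDENED_POLICY, FULL_PAB))
```

The hardened configuration keeps the bucket private by construction (named role in the policy, owner-only ACL) and adds the account-level block as a second line of defence, so that a later mistaken ACL or policy change is downgraded to an informational finding rather than an exposure. The `Deny` statement with `Principal: "*"` is deliberately not flagged: a deny addressed to everyone is what closes the door, and an auditor that only pattern-matches on `"*"` would misreport it.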

VMware fixes high severity privilege escalation bug in Fusion

VMware today released security updates to address high severity privilege escalation and denial-of-service (DoS) vulnerabilities in VMware Workstation, Fusion, VMware Remote Console and Horizon Client. The two security flaws, tracked as CVE-2020-3950 and CVE-2020-3951, are due to the improper use of setuid binaries and a heap-overflow issue in Cortado Thinprint.

Two Trend Micro zero-days exploited in the wild by hackers

Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week. The Japanese antivirus maker released patches on Monday to address the two zero-days, along with three other similarly critical issues (which were not exploited in the wild). According to the alert, the two zero-days impact the company’s Apex One and OfficeScan XG enterprise security products. Trend Micro did not release any details about the attacks.

Adobe fixes nine critical vulnerabilities in Reader, Acrobat

Adobe has released security updates for Adobe Acrobat and Adobe Reader that fix numerous vulnerabilities ranging from information disclosure to arbitrary code execution. Today, Adobe has released security updates that fix 13 vulnerabilities, with 4 rated as ‘Important’ as they lead to information disclosure or privilege escalation. The other 9 are rated as ‘Critical’ because they could allow an attacker to craft malicious PDFs, or take other malicious actions, that exploit these vulnerabilities to execute commands on the affected computer.