GitLab patches Elasticsearch data leak bug, Canada bombarded with COVID-themed cyber attacks, and more

Major cybersecurity events on 7th October 2020 (Morning Post): Chowbus delivery service breached, hacker emails data to users. Ransomware attack on health tech firm disrupted COVID-19 medical trials. PoetRAT malware targets public and private sector in Azerbaijan.

Round Up of Major Breaches and Scams

Cloudflare will now send you a DDoS attack alert when your website is under attack

A DDoS (distributed denial-of-service) attack is when a perpetrator makes a network unavailable by flooding it with more requests than the network can handle or by disconnecting the host from the Internet. This causes the website and server to go offline or suffer an outage. Protection from DDoS has been one of Cloudflare’s most demanded services, but unless administrators were working on the site they would not know of an attack. With this new feature, they can get notifications when there’s an attack even when they are not actively on the site.

GitLab patches Elasticsearch private group data leak bug

A bug bounty researcher has been awarded $3000 for disclosing a security issue in GitLab leading to the exposure of private groups. The report was made public on the HackerOne bug bounty platform on October 6. Submitted by researcher Riccardo “rpadovani” Padovani on November 29, 2019, the GitLab issue is described as a failure to remove code from Elasticsearch API search results when transferring a public group to a private group.

Spies hacked Azerbaijan government officials as Nagorno-Karabakh conflict escalated

More than 200 people have died in clashes between ethnic Armenian separatists and Azerbaijani government forces over the breakaway region of Nagorno-Karabakh in the last 10 days. It’s the worst outbreak of violence related to Nagorno-Karabakh since Armenia and Azerbaijan, two former Soviet republics, fought a war over the enclave in the 1990s. And this time, hacking has come with the fighting.

Canada Bombarded with COVID-19-Themed Cyber-attacks

More than a quarter of Canadian IT workers say their organization has suffered a COVID-19-themed cyber-attack, according to a new survey. The “2020 Cybersecurity Report” released today by the Canadian Internet Registration Authority (CIRA) surveyed more than 500 Canadian IT security decision-makers to learn more about their experience with cyber-threats.

Chowbus delivery service breached, hacker emails data to users

A threat actor has hacked into the Chowbus food delivery service and emailed links to the stolen data to all customers. Chowbus is a mobile-based Asian food delivery service that allows customers to order food from local restaurants in cities around the USA, Australia, and Canada. At 1:33 a.m. yesterday, Chowbus customers began receiving mysterious emails titled “Chowbus data,” which simply stated, “Download Chowbus data here.” Included in the email were download links to both a user and restaurant database used by the food delivery service.

Round Up of Major Malware and Ransomware Incidents

New HEH botnet can wipe routers and IoT devices

A newly discovered botnet contains code that can wipe all data from infected systems, such as routers, servers, and Internet of Things (IoT) devices. Named HEH, the botnet spreads by launching brute-force attacks against any internet-connected system that has its SSH ports (23 and 2323) exposed online. If the device uses default or easy-to-guess SSH credentials, the botnet gains access to the system, where it immediately downloads one of seven binaries that install the HEH malware.

Ransomware attack on health tech firm disrupted COVID-19 medical trials

Philadelphia-based health tech firm eResearchTechnology (ERT) suffered a ransomware attack, but no patients were affected. A couple of weeks ago it was reported that a ransomware attack on a German hospital named University Hospital Düsseldorf (UKD) led to the death of a patient. Now, Philadelphia-based health technology firm eResearchTechnology (ERT) has revealed that it was targeted with a ransomware attack.

CISA alert warns of Emotet attacks on US govt entities

The CISA agency is warning of a surge in Emotet attacks targeting multiple state and local governments in the US since August. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August. During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

Release the Kraken: Fileless APT attack abuses Windows Error Reporting service

We discovered a new attack that injected its payload—dubbed “Kraken”—into the Windows Error Reporting (WER) service as a defense evasion mechanism. This blog post was authored by Hossein Jazi and Jérôme Segura. On September 17th, we discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.

PoetRAT: Malware targeting public and private sector in Azerbaijan evolves

Cisco Talos discovered PoetRAT earlier this year. We have continued to monitor this actor and their behavior over the preceding months. We have observed multiple new campaigns indicating a change in the actor’s capabilities and showing their maturity toward better operational security. We assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers.

Attacker builds malware variant with leaked Mirai source code

The source code of Mirai was leaked in September 2016, on the hacking community Hackforums. Just like the legitimate software world where plenty of code is available as open-source for developers to build upon, this is a harsh reality in the cybercrime world as well. In light of this, researchers at Juniper Threat Labs recently found a threat actor going by the online handle “Priority” using the infamous Mirai malware source code to launch their own version of the malware.

Round Up of Major Vulnerabilities and Patches

Zerologon Vulnerability Used in APT Attacks

MERCURY, the Iranian advanced persistent threat group, is using Zerologon in a new series of attacks detected by Microsoft. Zerologon, a vulnerability Dark Reading reported on in September, is back, this time in the hands of an Iranian advanced persistent threat group known as MERCURY. In a tweet, Microsoft Security Intelligence said that it has observed MERCURY using CVE-2020-1472 (Zerologon) in active campaigns during the most recent two weeks.

Google Brings Password Protection to iOS, Android in Chrome 86

Chrome 86 will alert users when stored passwords are compromised, and block or warn of insecure downloads, among other security updates. Google today published several security protections arriving in Chrome 86. Updates include new password defenses on Android and iOS, Safe Browsing for Android, improvements for touch-to-fill passwords on iOS, and alerts for users before they submit nonsecure forms.

New Research Finds Bugs in Every Anti-Malware Product Tested

Products from every vendor had issues that allowed attackers to elevate privileges on a system — if they already were on it. A majority of security tools that organizations use to defend against malware attacks are themselves vulnerable to exploits that allow attackers to escalate privileges on a compromised system, a new CyberArk study has found.

Mozilla shares fix for Twitter not working on Firefox

Mozilla published a support document with a quick fix for a widely reported known issue causing Twitter not to load on the Firefox web browser. According to a bug Mozilla has been tracking and working on fixing for the last 20 days, some users might see blank pages or errors when trying to visit the social network’s website, with some reports saying that the issue also affects mobile users. On devices where Firefox fails to load Twitter’s website, users would see the error “The site at https://twitter.com/ has experienced a network protocol violation that cannot be repaired.”

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process.

Using a WordPress flaw to leverage Zerologon vulnerability and attack companies’ Domain Controllers

Using a WordPress flaw (File-Manager plugin–CVE-2020-25213) to leverage Zerologon (CVE-2020-1472) and attack companies’ Domain Controllers. Recently, a critical vulnerability called Zerologon – CVE-2020-1472 – has become a trending subject around the globe. This vulnerability would allow a malicious agent with a foothold on your internal network to essentially become Domain Admin with just one click. This scenario is possible when communication with the Domain Controller can be performed from the attacker’s viewpoint.