
Hackers steal 738 GB of Service NSW customer data, Netwalker demands $4M after attacking Argentinian govt., and more

Major cybersecurity events on 8th September 2020 (Morning Post): Chinese hacker group Winnti attacks five Russian developers of banking software and a construction company. Columbia University academics detect crypto bugs in 306 popular Android apps, unpatched.

Round Up of Major Breaches and Scams

Hackers stole 738 GB of data from Australian government agency

Some 47 Service NSW staff email accounts were compromised in a ‘criminal attack’ in April, affecting the data of 186,000 customers. Service NSW revealed that the cyber-attack led to the compromise of 47 staff email accounts. As a result, hackers stole personal details of about 186,000 customers, amounting to 738GB of data comprising 3.8 million documents. The findings come from a four-month-long investigation that the NSW government services’ one-stop-shop initiated in April.

Chinese hackers targeted about five Russian developers of banking software

Chinese hacker group Winnti attacked at least five Russian developers of banking software, as well as a construction company. According to Positive Technologies, the names of the banks and developers are not disclosed. Positive Technologies noted that implanting malicious code at the software development stage potentially gives the attackers access to bank data. Once the code runs on an infected machine, a full-fledged backdoor is loaded to reconnoitre the network and steal the targeted data.

Round Up of Major Malware and Ransomware Incidents

France warns of Emotet attacking companies, administration

The French national cyber-security agency today published an alert warning of a surge in Emotet attacks targeting the private sector and public administration entities throughout the country. French public administration has three sub-sectors: central public administrations (APUC), local government (LUFA), and social security administrations (ASSO). Emotet, originally a run-of-the-mill banking Trojan first spotted in 2014, is now a malware botnet used by a threat group tracked as TA542 and Mummy Spider.

Evilnum Cyberspies Update Arsenal in Recent Attacks

The threat group tracked as Evilnum was observed using updated tactics and tools in recent attacks, Cybereason’s Nocturnus research team reported last week. Initially detailed in 2018, Evilnum appears to have been active for nearly a decade, offering ‘mercenary’ hack-for-hire services, a recent report from Kaspersky revealed. Focused on espionage, Evilnum recently switched from delivering ZIP archives containing multiple LNK files (via spear-phishing) to including a single LNK in the archive, which masquerades as a PDF, Cybereason reveals. Once executed, the shortcut writes to disk a JavaScript that replaces the LNK with the actual PDF.
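The delivery change described above (a single LNK in the archive, named to look like a PDF) lends itself to a simple triage check on inbound attachments. The following is an added example written for this post, not Cybereason’s tooling or anything from the Evilnum report; the decoy-extension list and the in-memory sample archives are assumptions constructed here for offline testing, and the shortcut bodies are placeholders rather than real LNK data.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Document extensions a shortcut might impersonate (assumed list, not from the report).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_archive(data: bytes) -> dict:
    """Return a triage verdict for a ZIP archive given as bytes.

    Flags the pattern in the text: an archive whose members are all Windows
    shortcuts (.lnk), or any shortcut whose name mimics a document, e.g.
    'Statement.pdf.lnk'.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    lnks = [n for n in names if n.lower().endswith(".lnk")]
    # Strip '.lnk' and look at the inner suffix to catch double extensions.
    decoys = [n for n in lnks
              if PurePosixPath(n[:-4]).suffix.lower() in DECOY_EXTENSIONS]
    all_shortcuts = bool(lnks) and len(lnks) == len(names)
    return {
        "members": names,
        "lnk_members": lnks,
        "decoy_lnks": decoys,
        "suspicious": all_shortcuts or bool(decoys),
    }


def build_sample(entries: dict) -> bytes:
    """Construct an in-memory ZIP from {name: content} (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: placeholder bytes stand in for real shortcut data.
    lure = build_sample({"Statement_2020.pdf.lnk": b"<lnk placeholder>"})
    benign = build_sample({"report.pdf": b"%PDF-1.4 ...", "notes.txt": b"hi"})
    print(inspect_archive(lure))    # suspicious: True
    print(inspect_archive(benign))  # suspicious: False
```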

Netwalker ransomware hits Argentinian government, demands $4 million

Argentina’s official immigration agency, Dirección Nacional de Migraciones, suffered a Netwalker ransomware attack that temporarily halted border crossing into and out of the country. While ransomware attacks against cities and local agencies have become all too common, this may be a first known attack against a federal agency that has interrupted a country’s operations. According to a criminal complaint published by Argentina’s cybercrime agency, the government first learned of the ransomware attack after receiving numerous tech support calls from checkpoints at approximately 7 AM on August 27th.

Round Up of Major Vulnerabilities and Patches

Academics find crypto bugs in 306 popular Android apps, none get patched

A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they’re using cryptographic code in an unsafe way. Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019. Researchers say the tool, which checked for 26 basic cryptography rules (see table below), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.

Windows 10 Sandbox activation enables zero-day vulnerability

A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions that allows creating files in restricted areas of the operating system. Exploiting the flaw is trivial, and attackers can use it to further their attack after initial infection of the target host, although it works only on machines with the Hyper-V feature enabled. Reverse engineer Jonas Lykkegaard posted a tweet last week showing how an unprivileged user can create an arbitrary file in ‘system32,’ a restricted folder holding vital files for the Windows operating system and installed software.

Windows 10 themes can be abused to steal Windows passwords

Specially crafted Windows 10 themes and theme packs can be used in ‘Pass-the-Hash’ attacks to steal Windows account credentials from unsuspecting users. Windows allows users to create custom themes that contain customized colors, sounds, mouse cursors, and the wallpaper that the operating system will use. Windows users can then switch between different themes as desired to change the appearance of the operating system.

Zero-Day Vulnerability in WordPress Plugin Affects 700,000 Users

Millions of WordPress sites are at cyber risk after researchers discovered a zero-day vulnerability in WordPress’s File Manager plugin. The threat intelligence team from cybersecurity firm Wordfence stated that the File Manager plugin has over 700,000 active installations, and that the flaw could allow threat actors to execute commands and upload malicious files on a target site. File Manager is a plugin intended to help WordPress admins manage files on their websites. The researchers stated that a patch has been released to fix the vulnerability and asked users to update to the latest version, 6.9, immediately.