Categories
Breach CVE DDoS Malware Phishing Ransomware Vulnerability

Mespinoza/Pysa ransomware, HawkEye, RedLine Malware

Major cybersecurity events on 19th March 2020: Sodinokibi ransomware data leaks sold on hacker forums. DDoS attacks target Takeaway food delivery service. Phishing campaign sends out emails posing as WHO Chief to spread HawkEye malware. Folding@home phishing spreads RedLine.

Round Up of Major Breaches and Scams

Food delivery service in Germany under DDoS attack

Cybercriminals found in the context of a public health crisis that caused unprecedented restrictions affecting the restaurant industry a perfect opportunity to launch an attack on the systems of Takeaway food delivery service in Germany. Cybercriminals have launched a distributed denial-of-service attack on the website demanding  2 bitcoins (around $11,000) to stop the siege.

Rogers data breach exposed customer info in unsecured database

Canadian ISP Rogers Communications has begun to notify customers of a data breach that exposed their personal information due to an unsecured database. In a data breach notification posted to their site, Rogers states that they learned on February 26th, 2020 that a vendor database containing customer information was unsecured and publicly exposed to the Internet.

Round Up of Major Malware and Ransomware Incidents

France warns of new ransomware gang targeting local governments

France’s cyber-security agency issued an alert this week warning about a new ransomware gang that’s been recently seen targeting the networks of local government authorities. The alert, issued by France’s CERT team, points to a rising number of attacks carried out with a new version of the Mespinoza ransomware strain, also known as the Pysa ransomware.

WHO Chief impersonated in phishing to deliver HawkEye malware

An ongoing phishing campaign delivering emails posing as official messages from the Director-General of the World Health Organization (WHO) is actively spreading HawkEye malware payloads onto the devices of unsuspecting victims. This spam campaign started today according to researchers at IBM X-Force Threat Intelligence who spotted it and it has already delivered several waves of spam emails attempting to pass as being delivered by WHO.

Sodinokibi ransomware data leaks now sold on hacker forums

Ransomware victims who do not pay a ransom and have their stolen files leaked are now facing a bigger nightmare as other hackers and criminals sell and distribute the released files on hacker forums. In 2019, the Maze Ransomware operators began stealing data from victims before encrypting devices and using the stolen files as leverage to get the victims to pay. If the victim decided not to pay, the Maze operators would then publish the files. Since then, other ransomware operators such as Sodinokibi, DoppelPaymer, and Nemty have begun the same practice of using stolen files as leverage.

RedLine info-stealing malware spread by Folding@home phishing

A new phishing email is trying to take advantage of the Coronavirus pandemic and the race to develop medications by promoting a fake Folding@home app that installs an information-stealing malware. Folding@home is a well-known distributed computing project that allows users to download software that uses CPU and GPU cycles to research new drug opportunities against diseases and a greater understanding of various diseases.

TA505 targets HR departments poisoned CVs

A newly discovered attack campaign by the notoriously prolific TA505 cybercrime organization now is targeting businesses in Germany via their human resources executives. The attackers use malicious PowerShell scripts that steal login credentials from browsers and Outlook and grab payment card data. In one wave of attacks, the TA505 used GPG to encrypt the victim’s files and hold them for ransom.

Round Up of Major Vulnerabilities and Patches

This cryptocurrency miner uses unique, stealthy tactics to hide from prying eyes

Researchers have uncovered new obfuscation techniques they have described as “unique” in an active cryptocurrency mining botnet. On Thursday, cybersecurity firm ESET said the discovery was made through an examination of the Stantinko botnet, which has been active since at least 2012.

Patch for recently disclosed VMware Fusion vulnerability incomplete

VMware informed customers on March 17 that Fusion, Remote Console (VMRC) and Horizon Client for Mac are affected by a high-severity privilege escalation vulnerability caused by the improper use of setuid binaries. The company released updates that should have patched the vulnerability, which is tracked as CVE-2020-3950. However, the patch by VMware have been found to be incomplete.

APT28 has been scanning vulnerable email servers for more than a year

For the past year, one of Russia’s top state-sponsored hacking units has spent its time scanning and probing the internet for vulnerable email servers. The group, believed to be operating on behalf of the Russian military intelligence service GRU, has been active since 2004 and is one of the two Russian groups that have breached the DNC’s email server in 2016.

Drupal updates CKEditor to patch XSS vulnerabilities

The developers of the Drupal content management system (CMS) announced on Wednesday that updates for versions 8.8.x and 8.7.x address a couple of vulnerabilities affecting the CKEditor library. Users have been advised to update Drupal to versions 8.8.4 or 8.7.12. Alternatively, potential attacks can be prevented by disabling the CKEditor module.

Here’s the Netflix account compromise Bugcrowd doesn’t want you to know about

A Netflix security weakness that allows unauthorized access to user accounts over local networks is out of the scope of the company’s bug bounty program, the researcher who reported the threat said. The researcher’s proof-of-concept exploit uses a classic man-in-the-middle attack to steal a Netflix session cookie. These browser cookies are the equivalent of a wristband that music venues use so paying customers aren’t charged an entrance fee a second time. Possession of a valid session cookie is all that’s required to access a target’s Netflix account.

Google patches high-risk Chrome flaws, halts upcoming releases

Google this week rolled out an update to address multiple high-severity vulnerabilities in Chrome and also announced that it is pausing upcoming releases of the browser. The pause, the Internet giant says, was caused by an adjusted work schedule due to the current COVID-19 (coronavirus) epidemic, and affects both Chrome and Chrome OS releases.

Critical RCE bug in Windows 7 and Server 2008 gets micropatch

A micropatch fixing a remote code execution (RCE) vulnerability in the Windows Graphics Device Interface (GDI+) is now available through the 0patch platform for Windows 7 and Server 2008 R2 users. The patch is available for 0Patch users with PRO accounts with fully updated Windows 7 or Server 2008 R2 devices who haven’t yet enrolled in Microsoft’s Extended Security Updates (ESU) service. At the moment, only organizations with volume-licensing agreements or small-and-midsize businesses can get an ESU license until January 2023.