Round Up of Major Breaches and Scams
On June 22, a message appeared on the Darknet advertising the sale of a database of clients of the largest Russian banks. The seller did not specify how many records were on hand but claimed to be ready to upload 5 thousand lines of information per week. One Russian newspaper obtained a screenshot of a test fragment of the Alfa-Bank database containing 64 lines. Each line holds the citizen's full name, city of residence and mobile phone number, as well as the account balance and document renewal date.
Cyber security researchers at SafetyDetectives, led by Anurag Sen, discovered a misconfigured cloud database containing data of the popular cosmetics brand Avon. The unprotected server has leaked 19 million records so far, including personal data and technical logs. Avon Products, Inc. is owned by the Brazil-based Natura & Co., which acquired a 78% stake in January 2020 and which itself leaked over 192 million records in May 2020.
Hackers used two stolen domains to steal credentials from Netflix users before forwarding them to the real Netflix site. Researchers recently discovered a Netflix phishing campaign in which attackers dressed up two legitimate domains to look like the actual Netflix site. The hackers sent victims a billing-failure email containing a link that led the unsuspecting victim through the two spoofed sites, where their credentials were harvested, and then on to the legitimate Netflix site.
In a joint alert this week, the United States and the United Kingdom warned that a piece of malware has infected over 62,000 QNAP network-attached storage (NAS) devices. Dubbed QSnatch, the malware was first observed last year, and in November QNAP issued a security advisory alerting users to the associated risks and providing recommendations on how to stay protected. At the time, the company revealed that QSnatch was designed to harvest confidential information from compromised devices, including login credentials and system configuration.
Round Up of Major Malware and Ransomware Incidents
The Nefilim ransomware operation has begun publishing unencrypted files stolen from a Dussmann Group subsidiary during a recent attack. The Dussmann Group is the largest multi-service provider in Germany, with subsidiaries focusing on facility management, corporate childcare, nursing and care for the elderly, and business systems solutions, including HVAC, electrical work, and elevators. The company has confirmed that one of its subsidiaries recently suffered a ransomware attack in which data was stolen.
While Linux malware once sat on the fringes of the malware ecosystem, new Linux threats are now being discovered on a weekly basis. The latest finding comes from Intezer Labs. In a report shared with ZDNet this week, the company analyzed Doki, a new backdoor trojan spotted as part of the arsenal of an established threat actor known for targeting web servers for crypto-mining purposes. The threat actor, known as Ngrok, has been active since at least late 2018.
Targeted ransomware attacks are on the rise, usually perpetrated by financially motivated threat gangs that often work in concert. However, researchers said that a recent strain of ransomware, called VHD, can be linked to an unusual source: the Lazarus Group APT. According to researchers from Kaspersky, the VHD ransomware has been deployed in only a handful of instances, with a limited number of samples showing up in the firm's telemetry, and there are few public references to it.
The Emotet malware botnet is now also using stolen attachments to increase the authenticity of the spam emails it uses to infect targets' systems. This is the first time the botnet has used stolen attachments to add credibility to its emails, Binary Defense threat researcher James Quinn told BleepingComputer. The attachment-stealer module code was added around June 13th, according to Marcus 'MalwareTech' Hutchins.
Round Up of Major Vulnerabilities and Patches
Researchers have disclosed details of a recently patched, high-severity Dell PowerEdge server flaw which, if exploited, could allow an attacker to fully take over and control server operations. The web vulnerability was found in the Dell EMC iDRAC remote access controller, a technology embedded in the latest versions of Dell PowerEdge servers. While the vulnerability was fixed earlier in July, the researchers at Positive Technologies who discovered the flaw published a detailed analysis on Tuesday.