
Stealthier Astaroth, TrickMo bypasses 2FA, Espionage targets WHO, and more

Major cybersecurity events on 24th March 2020: A new, stealthier Astaroth strikes Windows 10. COVID-19 cyberattacks against the WHO spike. 56 Google Play Store apps infected with malicious software. Kaspersky detects a new APT campaign. TrickBot malware operators release TrickMo to bypass 2FA. Azure applications can be weaponized against Microsoft 365.

Round Up of Major Breaches and Scams

Ginp mobile banker targets Spain with “Coronavirus Finder” lure

In today’s deluge of malicious campaigns exploiting the COVID-19 topic, the handlers of the Android banking trojan Ginp stand out with their operation Coronavirus Finder. They prey on the anxiety generated by the massive spread of the virus: on infected devices they launch a page claiming to show, for a small fee, the location of infected people nearby. The purpose is to make victims enter payment card data in the hope of learning how close they are to infected individuals.

WHO targeted in espionage attempt, COVID-19 cyberattacks spike

The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.

Round Up of Major Malware and Ransomware Incidents

Scammers tried using kids apps in the Google Play store to generate cash

Fifty-six apps in Google’s Play store included malicious software that leveraged victims’ devices to click on mobile advertisements, artificially inflating the traffic to those ads and helping scammers make money. Research published Tuesday by the security firm Check Point Technologies details how fraudsters used the network of apps, which were downloaded more than 1 million times, to exploit users’ trust and make a buck.

Microsoft’s Windows 10 warning: Astaroth malware is back. This time it’s even stealthier

Astaroth, a group that uses legitimate Windows tools to spread malware, has retooled after Microsoft drew attention to its living-off-the-land techniques last July. The group in February stepped up its activity with even stealthier methods. Microsoft’s investigation found a major spam operation spreading email with a link to a website hosting a .LNK shortcut file. If a recipient downloaded and ran the file, it would launch WMIC and several other Windows tools to download and run fileless malware in memory, below the view of traditional antivirus.

Kaspersky finds a new APT campaign targeting engineers in the Middle East

A mysterious set of hackers last year began a targeted campaign to breach industrial organizations in the Middle East, antivirus firm Kaspersky said Tuesday. Attackers have sought to breach engineers, particularly in a single, unnamed Middle Eastern country, adding to a long history of cyber operations in the region. They’re relying on a strain of malicious software that’s tailored for espionage.

Unknown hackers use new Milum RAT in WildPressure campaign

Malware that shows no similarities with samples used in known campaigns is currently being used to attack computers in various organizations. Researchers named the new threat Milum and dubbed the operation WildPressure. Several samples of Milum were discovered in the wild at the end of last summer, with the first ones believed to have been created in March 2019.

Hackers use fake Corona antivirus to distribute BlackNET remote malware

Researchers from Malwarebytes spotted a scam that uses a fake website (antivirus-covid19[.]site) advertising “Corona Antivirus - World’s best protection.” Once the application is installed, the computer is infected with the “BlackNET RAT” malware and becomes part of the BlackNET botnet.

TrickBot now pushes Android app for bypassing 2FA on banking accounts

The operators of the TrickBot banking malware have developed an Android app that can bypass some of the two-factor authentication (2FA) solutions employed by banks. This Android app, named TrickMo, works by intercepting the one-time password (OTP) codes that banks send to users via SMS or push notifications. TrickMo collects the codes and sends them to the TrickBot gang’s backend servers, allowing the crooks to bypass logins or authorize fraudulent transactions.

Three more ransomware families create sites to leak stolen data

Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, which further illustrates why all ransomware attacks must be treated as data breaches. Ever since Maze created its “news” site to publish the stolen data of victims who chose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow.

Round Up of Major Vulnerabilities and Patches

Critical flaw in Adobe Creative Cloud app allows hackers to delete files

According to Adobe, Jiadong Lu of the South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security discovered that the Windows version of the Creative Cloud desktop application is affected by a time-of-check time-of-use (TOCTOU) race condition that can be exploited to delete arbitrary files in the context of the targeted user.

WPvivid backup plugin flaw leads to WordPress database leak

WebARX discovered that wp_ajax actions in the plugin were missing proper authorization checks and nonce checks, which could lead to Cross-Site Request Forgery (CSRF) attacks. The wp_ajax_wpvivid_add_remote action was impacted the most. According to WebARX, the weakness can be abused by any user, regardless of their role, “to add a new storage location and set it as the default backup location.”
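To show what “missing authorization checks and nonce checks” on a wp_ajax action looks like in practice, here is an added illustration (not WPvivid’s own code) of an admin-ajax handler that lets any authenticated user, or a CSRF page driving their browser, set a storage location, next to a hardened version. The action names, option names and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example, not plugin code. Both handlers are hooked to wp_ajax_*, which
// WordPress exposes to every logged-in user regardless of role.

// --- Unsafe pattern: the handler trusts the request as soon as it arrives ---
add_action( 'wp_ajax_example_add_remote_unsafe', 'example_add_remote_unsafe' );
function example_add_remote_unsafe() {
    $remote = array(
        'type' => sanitize_text_field( $_POST['type'] ?? '' ),
        'url'  => esc_url_raw( $_POST['url'] ?? '' ),
    );
    // Any subscriber, or a cross-site form submitted by a victim's browser,
    // can now point backups at an attacker-chosen location.
    update_option( 'example_remote_storage', $remote );
    update_option( 'example_default_remote', $remote['url'] );
    wp_send_json_success();
}

// --- Hardened pattern: authorization first, then CSRF protection ---
add_action( 'wp_ajax_example_add_remote', 'example_add_remote_safe' );
function example_add_remote_safe() {
    // 1. Authorization: changing backup targets is an administrative action,
    //    so require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // also terminates execution
    }
    // 2. CSRF: require the nonce the plugin printed into its own admin page
    //    (e.g. via wp_create_nonce( 'example_add_remote' ) handed to JS with
    //    wp_localize_script). check_ajax_referer() dies on a bad/missing nonce.
    //    A nonce alone is NOT authorization: it only proves the request came
    //    from a page WordPress rendered for this user, hence step 1 as well.
    check_ajax_referer( 'example_add_remote', 'security' );

    $remote = array(
        'type' => sanitize_text_field( wp_unslash( $_POST['type'] ?? '' ) ),
        'url'  => esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) ),
    );
    if ( '' === $remote['url'] ) {
        wp_send_json_error( 'missing url', 400 );
    }
    update_option( 'example_remote_storage', $remote );
    update_option( 'example_default_remote', $remote['url'] );
    wp_send_json_success( $remote );
}
```

The two checks cover different threats: `current_user_can()` stops low-privilege accounts from calling the action directly, while `check_ajax_referer()` stops a third-party page from making an administrator’s browser call it.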

Security pros help HHS fix a website flaw that exposed visitors to malware

By sending phishing messages that routed recipients from a Health and Human Services website to a malicious one, scammers tried compromising people with malware known for capturing credit card data and email credentials. The activity coincided with a surge in attention toward the department, as Americans seek guidance amid the COVID-19 outbreak.

VMware again fails to patch privilege escalation vulnerability in Fusion

VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. However, one of the researchers who found it says the patch is “still bad.”

Critical RCE bug affects millions of OpenWrt-based network devices

A cybersecurity researcher today disclosed technical details and a proof-of-concept for a critical remote code execution vulnerability affecting OpenWrt. Tracked as CVE-2020-7982, the vulnerability resides in OpenWrt’s OPKG package manager, in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.

How attackers could use Azure apps to sneak into Microsoft 365

Researchers warn Microsoft 365 account holders to pay attention to unknown applications that request permissions. Microsoft Azure applications could be weaponized to break into Microsoft 365 accounts, report researchers who are investigating new attack vectors as businesses transition to cloud environments.

Tor Browser 9.0.7 patches bug that could deanonymize users

The Tor Project released Tor Browser 9.0.7 today with a permanent fix for a bug that, in some situations, allowed JavaScript code to run on the Safest security level in the previous Tor Browser version. Since Tor Browser users rely on its security features to browse the Internet anonymously, having their identity exposed by JavaScript that could be used for fingerprinting or revealing their true location defeated the browser’s promise of private browsing without tracking, surveillance, or censorship.

HPE warns of new bug that kills SSD drives after 40,000 hours

Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation unless a critical patch is applied. The company made a similar announcement in November 2019, when a firmware defect caused drives to fail after 32,768 hours of operation.