Round Up of Major Breaches and Scams
In today’s deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder. They prey on the anxiety generated by the massive spread of the virus and launch on infected devices a page claiming to show the location infected people nearby for a small fee. The purpose is to make victims provide payment card data in the hope of learning how close they are to infected individuals.
The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.
Round Up of Major Malware and Ransomware Incidents
Fifty-six apps in Google’s Play store included malicious software that leveraged victims’ devices to click on mobile advertisements, artificially inflating the traffic to those ads and helping scammers make money. Research published Tuesday by the security firm Check Point Technologies details how fraudsters used the network of apps, which were downloaded more than 1 million times, to exploit users’ trust and make a buck.
Astaroth, a group that uses legitimate Windows tools to spread malware, has retooled after Microsoft drew attention to its living-off-the-land techniques last July. The group in February stepped up its activity with even stealthier methods. Microsoft’s investigation found a major spam operation spreading email with a link to a website hosting a .LNK shortcut file. If a recipient downloaded and ran the file, it would launch WMIC and several other Windows tools to download and run fileless malware in memory, below the view of traditional antivirus.
A mysterious set of hackers last year began a targeted campaign to breach industrial organizations in the Middle East, antivirus firm Kaspersky said Tuesday. Attackers have sought to breach engineers, particularly in a single, unnamed Middle Eastern country, adding to a long history of cyber operations in the region. They’re relying on a strain of malicious software that’s tailored for espionage.
Malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the new threat Milum and dubbed the operation WildPressure. Several samples of Milum were discovered in the wild at the end of last summer, with the first ones believed to have been created in March 2019.
Researchers from Malwarebytes spotted a scam that uses a fake website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” Once the application installed into the computer then it gets infected with malware “BlackNET RAT” and turns your computer as BlackNET botnet.
The operators of the TrickBot banking malware have developed an Android app that can bypass some of the two-factor authentication (2FA) solutions employed by banks. This Android app, named TrickMo, works by intercepting one-time (OTP) codes banks send to users via SMS or push notifications. TrickMo collects and then sends the codes to the TrickBot gang’s backend servers, allowing the crooks to bypass logins or authorize fraudulent transactions.
Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims and further illustrates why all ransomware attacks must be considered data breaches. Ever since Maze created their “news” site to publish stolen data of their victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow.
Round Up of Major Vulnerabilities and Patches
According to Adobe, Jiadong Lu of the South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security discovered that the Windows version of the Creative Cloud desktop application is affected by a time-of-check time-of-use (TOCTOU) race condition that can be exploited to delete arbitrary files in the context of the targeted user.
WebARX discovered that wp_ajax actions in the plugin were missing proper authorization checks and nonce checks, which could lead to Cross-Site Request Forgery (CSRF) attacks. The wp_ajax_wpvivid_add_remote action was impacted the most. According to WebARX, the weakness can be abused by any user, regardless of their role, “to add a new storage location and set it as the default backup location.”
By sending phishing messages that routed recipients from a Health and Human Services website to a malicious one, scammers tried compromising people with malware known for capturing credit card data and email credentials. The activity coincided with a surge in attention toward the department, as Americans seek guidance amid the COVID-19 outbreak.
VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. However, one of the researchers who found it says the patch is “still bad.”
A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt. Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.
Researchers warn Microsoft 365 account holders to pay attention to unknown applications that request permissions. Microsoft Azure applications could be weaponized to break into Microsoft 365 accounts, report researchers who are investigating new attack vectors as businesses transition to cloud environments.
Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation, unless a critical patch is applied. The company made a similar announcement in November 2019, when firmware defect produced failure after 32,768 hours of running.