
Twitter bug caches private files, Facebook takes down fake accounts, Mandrake targets Aussies, MakeFrame targets SMBs, and more

Major cybersecurity events on 2nd April 2020: COVID-themed scams surge. Zoom’s popularity draws a wave of malicious schemes against the remote conferencing giant. Facebook removes Facebook and Instagram accounts that misrepresented themselves. A new class of Windows vulnerabilities is discovered.

Round Up of Major Breaches and Scams

Vollgar campaign targets MS-SQL servers with backdoors, crypto-miners

Dubbed Vollgar, the campaign managed to infect roughly three thousand database machines daily, with victims in sectors such as healthcare, aviation, IT and telecommunications, and higher education. Over the past two years, the attacks remained consistently thorough, well-planned and noisy. Attacks originated from more than 120 IP addresses, most of them in China.

Coronavirus: Hackers are now launching dozens of email scams each day

These emails include business email compromise scams, phishing, malware, and spam campaigns. At the end of last week, Proofpoint said it had seen over 500,000 messages, 300,000 malicious URLs and 200,000 malicious attachments with coronavirus themes across more than 140 campaigns, with the numbers continuing to increase.

Cyber criminals are trying to exploit Zoom’s popularity to promote their phishing scams

According to data from BrandShield, the number of domains containing the word ‘Zoom’ hugely increased during March. As many as 2,200 new ‘Zoom’ domains were registered in March alone, taking the total to over 3,300. Researchers note that almost a third of these new websites are attached to an email server, which points towards the possibility that they’re being used in phishing attacks to harvest login credentials from unwary users.

Office 365 phishing uses CSS tricks to bypass email gateways

The phishing emails delivered by the operators behind this series of attacks use the old trick of storing some text elements reversed in the source code and rendering them forward in the email displayed to the target, with a twist: this time the reversal is done with Cascading Style Sheets (CSS), so a gateway that scans the raw source sees different text than the recipient does.
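A defender-side check for the reversal trick described above, added here as an example and not code from the original article. It assumes the reversal uses `direction: rtl` together with `unicode-bidi: bidi-override` on elements whose text is stored backwards, and it runs over a constructed sample message to show which lure words only become visible once the text is rendered the way a mail client would.

```python
# Added example (not from the article): reconstruct what a CSS-reversed phishing
# email displays. Assumes the `direction: rtl` + `unicode-bidi: bidi-override`
# trick on elements whose text is stored backwards; SAMPLE is constructed.
import re
from html.parser import HTMLParser

REVERSAL_RE = re.compile(  # inline style that draws the characters right-to-left
    r"direction\s*:\s*rtl.*?unicode-bidi\s*:\s*bidi-override"
    r"|unicode-bidi\s*:\s*bidi-override.*?direction\s*:\s*rtl",
    re.IGNORECASE | re.DOTALL)
LURE_WORDS = ("office 365", "password", "verify", "account")

# Constructed sample: the source says "563 eciffO" and "yfirev"; the recipient
# sees "Office 365" and "verify", which a keyword scan of the raw text misses.
SAMPLE = ('<p>Your <span style="direction:rtl; unicode-bidi:bidi-override">'
          '563 eciffO</span> mailbox is full. '
          '<a href="https://example.invalid/login">Click here</a> to '
          '<span style="unicode-bidi:bidi-override;direction:rtl">yfirev</span>.</p>')

class ReversalParser(HTMLParser):
    """Collect the raw text and the text as rendered, undoing the reversal."""
    def __init__(self):
        super().__init__()
        self.raw, self.rendered, self.reversed_spans = [], [], 0
        self._open = []  # tag names of reversing elements currently open

    def handle_starttag(self, tag, attrs):
        if REVERSAL_RE.search(dict(attrs).get("style") or ""):
            self.reversed_spans += 1
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._open and self._open[-1] == tag:
            self._open.pop()

    def handle_data(self, data):
        self.raw.append(data)
        # Inside a bidi-override element the source text is drawn backwards.
        self.rendered.append(data[::-1] if self._open else data)

def analyze(html):
    """Return raw vs rendered text and lure words that appear only once rendered."""
    p = ReversalParser()
    p.feed(html)
    raw = " ".join("".join(p.raw).split())
    rendered = " ".join("".join(p.rendered).split())
    hidden = [w for w in LURE_WORDS if w in rendered.lower() and w not in raw.lower()]
    return {"raw": raw, "rendered": rendered,
            "reversed_spans": p.reversed_spans, "hidden_lures": hidden}
```

A message with a non-zero `reversed_spans` count, or any `hidden_lures`, is a strong signal that the mail was crafted to look different to the gateway than to the reader.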

A French page impersonating Politico was nabbed in Facebook’s latest takedown

Facebook says it removed more than 300 accounts, pages and groups last month after catching operators misrepresenting themselves in a number of ways. The social media company on Thursday announced it removed 180 Facebook accounts, 170 Instagram accounts, 160 groups and one page for violating company policies around coordinated inauthentic behaviour.

Round Up of Major Malware and Ransomware Incidents

Bitdefender reveals Mandrake spyware targeting Aussie Android users

The Bitdefender cybersecurity investigative team has uncovered a new Android spying operation specifically targeting Australian users. The company found “Mandrake” earlier this year and believes the highly sophisticated spying platform has been active for at least four years. Bitdefender said it has seen a rapid spread of attacks in Australia over the last two years, due in large part to Australia’s high mobile banking usage, which sees the country targeted by more banking trojans than any other developed country in the world.

Coronavirus malware makes devices unusable by overwriting MBR

A newly discovered piece of malware is taking advantage of the current COVID-19 pandemic to render computers unusable by overwriting the MBR (master boot record). Cybercriminals were quick to exploit the coronavirus crisis for their malicious attacks, including phishing, malware infections and the like, and it did not take long for state-sponsored threat actors to join the fray.

Emerging MakeFrame skimmer from Magecart sets sights on SMBs

Researchers have observed a new skimmer from the prolific Magecart Group that has been actively harvesting payment-card data from 19 different victim websites, mainly belonging to small- and medium-sized businesses (SMBs), for several months.

New Coronavirus-themed malware locks you out of Windows

With schools closed due to the Coronavirus pandemic, some kids are creating malware to keep themselves occupied. Such is the case with a variety of new MBRLocker variants being released, including one with a Coronavirus theme. MBRLockers are programs that replace a computer’s master boot record so that the operating system can no longer start and a ransom note or other message is displayed instead.

Round Up of Major Vulnerabilities and Patches

Zoom vulnerabilities expose users to spying, other attacks

Security researchers discovered recently that the Zoom video conferencing app is affected by vulnerabilities that can be exploited to spy on users, escalate privileges on the system, and capture Windows credentials. The company says it’s working on patching these flaws. Several experts have shown how a UNC path injection issue can be exploited by hackers to steal a user’s credentials.

44M digital wallet items exposed in Key Ring cloud misconfig

Key Ring, creator of a digital wallet app used by 14 million people across North America, has exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers say. The Key Ring app allows users to upload scans and photos of various physical cards into a digital folder on a user’s phone. While Key Ring is primarily designed for storing membership cards for loyalty programs, users also store more sensitive cards on the app.

Firefox, IE vulnerabilities exploited in attacks on China, Japan

Vulnerabilities patched earlier this year in Firefox and Internet Explorer have been exploited by an advanced persistent threat (APT) actor in attacks aimed at China and Japan. The Firefox vulnerability is CVE-2019-17026, which Mozilla patched in early January, and the Internet Explorer flaw is CVE-2020-0674, which Microsoft patched in February with its monthly security updates. Both vulnerabilities were exploited in attacks before patches were released.

Twitter discloses bug that cached private files sent or received via DMs

Social networking giant Twitter disclosed today a bug on its platform that affected users who accessed the platform using the Firefox browser. According to Twitter, the platform stored private files inside the Firefox browser’s cache, a folder where websites store information and files temporarily, so those files could remain on shared or public computers after the user logged out.

WordPress plugin bug can be exploited to create rogue admins

Owners of WordPress sites who use the Contact Form 7 Datepicker plugin are urged to remove or deactivate it to prevent attackers from creating rogue admins or taking over admin sessions after exploiting an authenticated stored cross-site scripting (XSS) vulnerability.

Researcher finds new class of Windows vulnerabilities

A security researcher has discovered over 25 different potential vulnerabilities in Windows, including some that could lead to elevation of privileges. The bugs affect the win32k kernel component, which implements the user interface and has been in the operating system for decades, and they affect all versions of Windows, including Windows 10, because Microsoft keeps the code backwards compatible.

Google squashes high-severity flaws in Chrome browser

On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Patches for all the bugs Google disclosed in its security advisory roll out over the next few days. Overall, eight security bugs were addressed in Chrome browser version 80.0.3987.162 for Windows, Mac, and Linux.