
University of York staff, student records stolen, Dutch law enforcement eavesdrops on EncroChat, and more

Major cybersecurity events on 23rd July 2020 (Morning Post): Lazarus APT group creates an advanced, cross-platform malware framework to launch attacks on Windows, MacOS, Linux systems. Misconfigured AWS S3 buckets allow attackers to compromise Twilio’s TaskRouter SDK.

Round Up of Major Breaches and Scams

University of York discloses data breach, staff and student records stolen

The University of York has disclosed a data breach caused by a cyberattack experienced by a third-party service provider. Personal information belonging to “alumni, staff and students, and extended networks and supporters” is thought to have been stolen during the incident, although the number of individuals potentially impacted has not been disclosed — nor how many years back the stolen records relate to.

Round Up of Major Malware and Ransomware Incidents

EncroChat system eavesdropped on by law enforcement

Dutch law enforcement cracked the encryption on EncroChat, a secure messaging platform popular with criminals, and made hundreds of arrests. But is this a dangerous precedent? The warning pushed to EncroChat users read: “Due to the level of sophistication of the attack, and the malware code, we can no longer guarantee the security of your device.” That text caused a lot of aggravation, worries, and sleepless nights; no one wants to hear that the security of their device has been compromised by a malware attack.

Emotet botnet is now heavily spreading QakBot malware

Researchers tracking the Emotet botnet noticed that the malware has started to push the QakBot banking trojan at an unusually high rate, replacing the longtime TrickBot payload. Last week, Emotet came back to life after a break of more than five months. Starting yesterday, the malspam operation briefly went back to installing TrickBot on compromised Windows systems, but researchers then noticed Emotet dropping QakBot instead.

Twilio exposes SDK, attackers inject it with malvertising code

Twilio today disclosed that its TaskRouter JS SDK was compromised by attackers after they gained access to one of its misconfigured Amazon AWS S3 buckets which left the SDK’s path publicly readable and writable for roughly five years, since 2015. Twilio is a cloud communications platform as a service (CPaaS) company that powers communications for over 40,000 businesses and helps developers add voice, video, messaging, and authentication capabilities to their apps using Twilio’s web service APIs.
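The Twilio incident came down to a bucket that anonymous callers could both read and write. The script below is an added illustration of the check a defender would run to catch that configuration before an attacker does; it is not Twilio's or AWS's code. It inspects the two JSON shapes the real S3 GetBucketAcl and GetBucketPolicy calls return, but the sample ACL and policy documents here are constructed for the example and the bucket name is a placeholder.

```python
"""Flag S3 bucket ACLs and bucket policies that grant anonymous read or write.

Added example, not Twilio's or AWS's code. The input shapes match what the
S3 GetBucketAcl / GetBucketPolicy APIs return; the sample documents at the
bottom are constructed and the bucket name is a placeholder.
"""
from __future__ import annotations

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permissions and policy actions that let an anonymous caller alter or
# read bucket contents. Actions are compared case-insensitively.
WRITE_ACL_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True when a statement's Principal is the wildcard ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def acl_findings(acl: dict) -> list[str]:
    """Return one finding per grant made to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
        perm = grant.get("Permission", "")
        if perm in WRITE_ACL_PERMISSIONS:
            findings.append(f"ACL grants {perm} to {who}: public write")
        elif perm in READ_ACL_PERMISSIONS:
            findings.append(f"ACL grants {perm} to {who}: public read")
    return findings


def policy_findings(policy: dict) -> list[str]:
    """Return one finding per Allow statement whose Principal is the wildcard."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = ", ".join(_as_list(stmt.get("Resource")))
        # A Condition block may narrow the grant; flag it but do not evaluate it.
        suffix = " (conditional)" if "Condition" in stmt else ""
        if actions & WRITE_ACTIONS:
            findings.append(f"policy allows {sorted(actions & WRITE_ACTIONS)} to * on {resources}: public write{suffix}")
        elif actions & READ_ACTIONS:
            findings.append(f"policy allows {sorted(actions & READ_ACTIONS)} to * on {resources}: public read{suffix}")
    return findings


def audit_bucket(acl: dict, policy: dict | None) -> list[str]:
    """Combine ACL and policy findings; an empty list means no anonymous grant was found."""
    return acl_findings(acl) + policy_findings(policy or {})


def is_publicly_writable(acl: dict, policy: dict | None) -> bool:
    return any("public write" in f for f in audit_bucket(acl, policy))


# --- constructed sample documents (placeholder bucket name) ---
OWNER = {"Type": "CanonicalUser", "ID": "placeholder-owner-id"}
SAMPLE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
SAFE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*"},
]}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

The check deliberately stops at "an anonymous grant exists": it does not model explicit Deny statements, Condition keys, or the account-level S3 Block Public Access setting, any of which can override what the ACL or policy text alone suggests, so treat a finding as a lead to verify rather than a confirmed exposure. In a real audit you would feed it the output of `get_bucket_acl` and `get_bucket_policy` from boto3 for each bucket in the account.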

North Korea’s Lazarus Group Developing Cross-Platform Malware Framework

The Lazarus Group, an advanced persistent threat (APT) group linked to North Korea and known for its 2014 attack on Sony Pictures, has developed an “advanced malware framework” that has been used to launch and manage attacks against Windows, MacOS, and Linux systems in at least a dozen organizations.

Round Up of Major Vulnerabilities and Patches

D-Link blunder: Firmware encryption key exposed in unencrypted image

Security researchers have demonstrated a method to decrypt proprietary firmware images embedded in D-Link routers. Firmware is the piece of code that powers low-level functions on hardware devices. It is typically hard-coded within the read-only memory. Companies encrypt firmware images in their devices to prevent their reverse engineering by competitors and threat actors, and to prevent their customers from flashing the device with customized firmware.

Vulnerability Allows Remote Hacking of Devices Running Citrix Workspace App

Citrix informed customers this week that it has patched a vulnerability in its Workspace app that can allow an attacker to remotely hack the computer running the affected application. The security hole, tracked as CVE-2020-8207 and classified as high severity, affects the automatic update service used by the Citrix Workspace app for Windows, and it can be exploited by a local attacker to escalate privileges or by a remote attacker for arbitrary command execution.