THE SNUGBUS Archive

Some Techie Security news

Title: Sodinokibi Ransomware Data Leaks Now Sold on Hacker Forums
Date Published: March 19th, 2020

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-data-leaks-now-sold-on-hacker-forums/

Excerpt: “Ransomware victims who do not pay a ransom and have their stolen files leaked are now facing a bigger nightmare as other hackers and criminals sell and distribute the released files on hacker forums. In 2019, the Maze Ransomware operators began stealing data from victims before encrypting devices and using the stolen files as leverage to get the victims to pay. If the victim decided not to pay, the Maze operators would then publish the files. Since then, other ransomware operators such as Sodinokibi, DoppelPaymer, and Nemty have begun the same practice of using stolen files as leverage.”

Title: WHO Chief Impersonated in Phishing to Deliver HawkEye Malware
Date Published: March 19th, 2020

https://www.bleepingcomputer.com/news/security/who-chief-impersonated-in-phishing-to-deliver-hawkeye-malware/

Excerpt: “An ongoing phishing campaign delivering emails posing as official messages from the Director-General of the World Health Organization (WHO) is actively spreading HawkEye malware payloads onto the devices of unsuspecting victims. This spam campaign started today, according to researchers at IBM X-Force Threat Intelligence who spotted it, and it has already delivered several waves of spam emails attempting to pass as being delivered by WHO. ‘HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors,’ IBM X-Force's research team previously said.”

Title: Cyber Crooks Continue to Exploit COVID-19 for Their Malicious Schemes
Date Published: March 20th, 2020

https://www.helpnetsecurity.com/2020/03/20/exploit-covid-19/

Excerpt: “A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks. We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily. ‘BEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that they do not contain the attacker’s end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the attacker will send their true ask. (I need you to buy gift cards, wire transfer funds, etc.),’ the researchers explained. ‘These coronavirus-themed BEC attacks often come with spoofed display names, which are likely real people known to the recipient. In the body of this message, the actor attempts to eliminate the possibility of voice-verification, in hopes of ensuring a higher success rate, by saying their phone is “faulty at the moment.”’”

Title: Experts Found a New TrickBot Module (rdpScanDll) Built for RDP Bruteforcing Operations
Date Published: March 19th, 2020

https://securityaffairs.co/wordpress/100019/malware/trickbot-variant-rdp.html

Excerpt: “Security experts from Bitdefender recently discovered a new TrickBot variant that is targeting telecommunications organizations in the United States and Hong Kong. TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it by implementing new features. For example, in February 2019 Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing. This new variant includes a module dubbed rdpScanDll to launch remote desktop protocol (RDP) brute-force attacks against a list of victims. ‘The new module was discovered on January 30, and its main functionality is to perform bruteforce operations on a list of targets. The modus operandi is similar to that of other plugins,’ reads the report published by Bitdefender. ‘The TrickBot executable will download the plugin and its configuration file (from one of the available online C&Cs) containing a list of servers with whom the plugin will communicate to retrieve commands to be executed. TrickBot will load the plugin, executing the “start” and “control” exported functions, passing the configuration file as an argument for the last-mentioned function.’ The module appears to be under development, but experts pointed out that threat actors already used it to target organizations, mostly in the telecoms, education, and financial services sectors. The module implements three attack modes, named check, trybrute and brute.”

Title: Drupal Addresses Two XSS Flaws by Updating the CKEditor
Date Published: March 20th, 2020

https://securityaffairs.co/wordpress/100040/security/drupal-xss-flaws-ckeditor.html

Excerpt: “The Drupal development team has released security updates for versions 8.8.x and 8.7.x that address two XSS vulnerabilities that affect the CKEditor library. CKEditor is the far superior successor of FCKeditor; it is a popular, highly configurable open-source WYSIWYG editor. Drupal uses CKEditor and has updated to version 4.14, which addressed two cross-site scripting (XSS) vulnerabilities. ‘The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations,’ reads the advisory published by Drupal. ‘Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.’ Both issues have been rated as moderately critical in severity; they received a risk score of 13/25. The latest versions of Drupal, versions 8.8.4 and 8.7.12, include CKEditor version 4.14, which fixes both issues.”

Title: Russia-linked APT28 Has Been Scanning Vulnerable Email Servers in the Last Year
Date Published: March 20th, 2020

https://securityaffairs.co/wordpress/100072/apt/apt28-vulnerable-email-servers.html

Excerpt: “According to security researchers from Trend Micro, the Russia-linked APT28 cyberespionage group has been scanning vulnerable email servers for more than a year. The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election. Most of APT28’s campaigns leveraged spear-phishing and malware-based attacks; the recent mass scanning activity represents a change in the modus operandi of the group. The nation-state hackers are scanning the entire internet, in search of vulnerable webmail and Microsoft Exchange Autodiscover servers that expose TCP ports 445 and 1433. ‘This report aims to shed light on some of Pawn Storm’s attacks that did not use malware in the initial stages. It presents new data on the group’s credential phishing, direct probing of webmail and Microsoft Exchange Autodiscover servers, and large-scale scanning activities to search for vulnerable servers,’ reads the report published by Trend Micro. The cyberespionage group continues to target members of defense companies, embassies, governments, and the military.”

Title: This New Variant of Mirai Botnet Malware is Targeting Network-attached Storage Devices
Date Published: March 20th, 2020

https://www.zdnet.com/article/this-new-variant-of-mirai-botnet-malware-is-targeting-network-attached-storage-devices/

Excerpt: “A new variant of Mirai malware is targeting a recently uncovered critical vulnerability in network-attached storage devices and exploiting them to rope the machines into an Internet of Things botnet. Dubbed Mukashi, the malware uses brute force attacks using different combinations of default credentials in an effort to log into Zyxel network-attached storage products, take control of them and add them to a network of devices that can be used to conduct Distributed Denial of Service (DDoS) attacks. Mukashi takes advantage of a vulnerability (CVE-2020-9054) in Zyxel NAS devices running firmware version 5.21 that allows remote attackers to execute code – and according to researchers at Palo Alto Networks, cyber criminals are actively attempting to exploit the attack in the wild. The malware has been scanning TCP ports for potential targets since at least March 12, launching brute force attacks in an effort to bypass common username and password combinations as it goes. Once the login has been bypassed, Mukashi connects with a command and control server that can issue orders to conduct DDoS attacks.”

Title: Location-tracking Wristbands Required on All Incoming Travelers to Hong Kong
Date Published: March 20th, 2020

https://nakedsecurity.sophos.com/2020/03/20/location-tracking-wristbands-required-on-all-incoming-travelers-to-hong-kong/

Excerpt: “Welcome to Hong Kong, traveler, and to the mandatory, Disney MagicBand-esque tracking wristband we’re about to slap onto your potentially infectious arm. The city-state had already been requiring arrivals from mainland China to self-isolate at home for 14 days. But as the area undergoes a COVID-19 resurgence, mostly brought in by travelers coming from European, US and Asian countries, it’s now enforcing the quarantine on all incoming travelers, with the wristbands helping to ensure that they adhere to movement restrictions. The government announced on Monday that starting at midnight on Thursday (19 March), it was planning to put all arriving passengers under a two-week quarantine and medical surveillance. On Wednesday evening, Government Chief Information Officer Victor Lam told reporters at the airport that the Privacy Commissioner for Personal Data had been consulted about the technology and had assured everybody that it won’t threaten people’s privacy.”

Title: Attack Surface, Vulnerabilities Increase as Orgs Respond to COVID-19 Crisis
Date Published: March 20th, 2020

https://www.darkreading.com/vulnerabilities---threats/attack-surface-vulnerabilities-increase-as-orgs-respond-to-covid-19-crisis/d/d-id/1337369

Excerpt: “The speed at which organizations are being forced to respond to the unfolding COVID-19 health crisis could be leaving many of them vulnerable to attack by threat actors rushing to exploit the situation. Over the past few weeks security vendors and researchers have reported an increasing number of malicious activities tied to COVID-19 that they say are elevating risks for organizations across sectors, especially healthcare and law enforcement. Predictably, a lot of the activity has involved phishing and social-engineering campaigns where COVID-19 has been used as a thematic lure to get people to click on malicious attachments and links in emails or to download malware on mobile and other devices. There have also been reports about account takeover and business email compromise activity, a growth in domains serving up drive-by malware, and attempts to exploit virtual private networks (VPNs) and other remote access tools. The danger posed by these threats has been exacerbated by new requirements for "social distancing" and the resulting push by many organizations to widen or implement telework capabilities for their workforce. The sudden COVID-19-related surge in the use of videoconferencing, remote access, and VPN services — especially at organizations that have not used them before — is giving attackers more targets to go after and defenders a lot more terrain to protect.”

Title: Security Flaws Found in Popular Password Managers
Date Published: March 19th, 2020

https://www.welivesecurity.com/2020/03/19/security-flaws-found-in-popular-password-managers/

Excerpt: “Several popular password managers contain security vulnerabilities that could be exploited to breach the walls that are supposed to keep your passwords safe, according to researchers from the University of York. After considering a pool of 19 password managers, the academics chose to test LastPass, Dashlane, Keeper, 1Password, and RoboForm based on their popularity and features. They uncovered a total of four new vulnerabilities, including a flaw both in the 1Password and LastPass Android applications that made them susceptible to phishing attacks. The vulnerability is caused by their use of weak matching criteria for identifying which of the stored credentials should be suggested for autofill. “Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” said Dr. Siamak Shahandashti from the Department of Computer Science at the University of York. He went on to add that, in order to remedy the situation, the password vaults should add stricter matching criteria that aren’t based just on “an app’s purported package name”. The researchers also discovered that the Android applications of both RoboForm and Dashlane are susceptible to PIN brute force attacks. This flaw allows endless attempts at entering the master PIN that may ultimately unlock the password vaults.”
