Cyber Security News for 14May2020

security cybersecurity itsecurity privacy risk compliance bec contacttracing redcanary prolock ransomware qakbot trojan doppelpaymer bitpaymer dridex emotet patching mirai hoaxcalls breach archer supercomputer darkweb
  1. “After modifying the exploit’s configuration file, we tested the setup locally with 2 Windows machines, to check that everything still works. The original exploit (using \) was successfully blocked by Microsoft’s patch, resulting in explorer.exe getting stuck. Just out of curiosity, we also tested the modified exploit (using /) and surprisingly enough, the exploit worked. The simple replacement of \ to / in our malicious RDP server was enough to bypass Microsoft’s patch!”
  2. “It is the potential for disruption that is bringing Business Continuity Planning (BCP) to the forefront of many IT conversations. What’s more, many IT professionals are quickly coming to the conclusion that persistent WAN and Internet connectivity prove to be the foundation of an effective business continuity plan.”
  3. “Fraudsters running business email compromise scams were able to swindle Norfund, Norway’s state investment fund, out of $10 million. The attackers took their time before pulling the trigger and took action to ensure that the theft would be discovered long after they got the money.”
  4. “Facebook has awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which is used by developers to add a “Continue with Facebook” button to a page as an authentication method. Exploitation could allow threat actors to hijack accounts.”
  5. “Business email compromise (BEC) attacks continue to be a thorn in companies’ sides, with the FBI in its IC3 annual cybercrime report saying that the attacks cost victims $1.7 billion in 2019. Making matters worse, BEC cybergangs are turning to new tactics and tricks to avoid detection and capitalize on existing victims. For instance, a cybercriminal gang that researchers call “Exaggerated Lion” has been making use of G Suite and extremely long domain names to swindle millions of dollars out of its victims.”
  6. “Jess told Newshub that Subway required her to put her contact details on a contact-tracing form so as to place her food order. She didn’t think anything about it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down. She’s feeling pretty queasy about that Subway visit now, after the guy who took her order used Jess’s contact information to repeatedly, persistently hit her up”
  7. “Whether an organization is just starting to build its security capabilities or looking to bolster existing controls, there is much that can be achieved. By combining automation with security intelligence, and applying that to existing infrastructure, an organization can greatly improve their security posture.”
  8. “The state of Utah has settled on a contact-tracing mobile app that collects detailed user location information to track the spread of COVID-19 among citizens – eschewing the API model proposed by Apple and Google in April. The app is called “Healthy Together” and it was created by a startup called Twenty Holdings – best-known for making a social app that allows users to “See who’s around. See who’s down. Hang out.” In other words, the company specializes in enabling physical, in-person connections”
  9. “The trend in endpoint security over the last few years has been the consolidation of capabilities back into a single agent with a cloud-based backend. VMware Carbon Black Cloud (formerly known as CB Defense) provides next generation antivirus, endpoint detection and response (EDR), and remediation tools with only one agent to deploy to endpoints. Up until now, Red Canary focused just on the detection and response side of the house, taking EDR telemetry and doing the broadest possible detection. We are now expanding our scope to include the full VMware Carbon Black Cloud product set.”
  10. “Similar to how Ryuk works with TrickBot and DoppelPaymer/BitPaymer work with Dridex for access to networks, ProLock is working with QakBot to gain access. QakBot is a banking trojan that spreads via phishing campaigns that deliver malicious Microsoft Word documents, usually to businesses. Emotet botnet was seen distributing this malware.”
  11. “Security researchers Alex Ionescu and Yarden Shafir of technical seminar company Winsider have just published a very lengthy blog post in which they present this bug with the catchy name of PrintDemon. For those not familiar with Unix, that’s a pun on the word daemon, pronounced “demon” and essentially the same word in a more Greek-like spelling, which is the Linux and Unix equivalent of a Windows service”
  12. “The first instance of this vulnerability being exploited surfaced on April 24th, 2020 as part of an evolution of the Hoaxcalls botnet that was first discovered earlier that same month. This latest version of Hoaxcalls supports additional commands that allow an attacker greater control over the infected devices, such as the possibility to proxy traffic through them, downloading updates, maintaining persistence across device restarts, or preventing reboots, and a larger number of DDoS attacks that can be launched. The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public.”
  13. “The Google Chrome web browser will start unloading ad iframes using too many system resources without the user’s knowledge starting with the stable release coming near the end of August.  Chrome will target ads that drain device resources like battery, network data, and CPU processing power, such as those designed to mine for cryptocurrency known as being resource hogs that will drain battery life and network bandwidth.”
  14. “A threat actor is selling twenty-nine databases on a hacker forum that allegedly contain a combined total of 550 million stolen user records. The actor began selling these databases on May 7th, when they posted them on a well-known hacker forum where threat actors can buy each one individually.”
  15. “Microsoft says that attackers have already adapted their phishing campaigns to use the newly updated design for Azure AD and Microsoft 365 sign-in pages. “Office 365 ATP data shows that attackers have started to spoof the new Azure AD sign-in page in multiple phishing campaigns,” Microsoft tweeted earlier. “We have so far seen several dozens of phishing sites used in these campaigns.” The new Azure AD sign-in experience design for Microsoft customers was updated roughly three months ago, at the end of February, and has started rolling out during the first week of April.”
  16. “The ARCHER computing service, which scientists use to model climate change, coronavirus, and other societal challenges, likely won’t be available until at least next week as U.K. government cyber officials continue to help the system recover. ARCHER — a set of powerful hardware and simulation software housed at the University of Edinburgh — recently made available to its users a tool for simulating the extent of the COVID-19 outbreak.”
  17. “It costs only $4 to buy a social security number (SSN) on the dark web, according to a new report that compiles the results of a two-year investigation by Atlas VPN, a leading virtual network provider.”
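Item 1 describes a patch that blocked the backslash form of a directory-traversal path while the forward-slash form still got through. The following added example (not from the quoted article, and not Microsoft's or Check Point's code) contrasts a separator-specific check with one that normalises both separators before resolving `..` segments; all sample paths are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample of relative paths a remote peer might hand to a
# file-copy routine. Not taken from the original article.
SAMPLE_PATHS: List[str] = [
    r"docs\report.txt",           # benign, stays under the root
    r"..\..\Windows\system.ini",  # traversal written with backslashes
    "../../Windows/system.ini",   # same traversal written with slashes
    r"docs\..\..\secret.txt",     # traversal buried after a real segment
    "docs/sub/../file.txt",       # '..' that never leaves the root
    "/etc/passwd",                # absolute path would replace the root
]

def naive_is_safe(relative_path: str) -> bool:
    """Separator-specific filter: looks for '..\\' and a leading '\\' only.

    This mirrors the weakness the article describes: Windows treats '/'
    and '\\' as equivalent separators, so a check that only recognises
    the backslash spelling is incomplete.
    """
    return "..\\" not in relative_path and not relative_path.startswith("\\")

def canonical_is_safe(relative_path: str) -> bool:
    """Normalise both separators, then walk the segments and reject any
    path that escapes the root or tries to replace it outright."""
    normalized = relative_path.replace("\\", "/")
    # Absolute paths and drive letters (e.g. 'C:') would ignore the root.
    if normalized.startswith("/") or ":" in normalized:
        return False
    depth = 0
    for segment in normalized.split("/"):
        if segment in ("", "."):
            continue            # empty or current-directory segments
        if segment == "..":
            depth -= 1
            if depth < 0:
                return False    # climbed above the root
        else:
            depth += 1
    return True

def compare(paths: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return (naive_verdict, canonical_verdict) for each sample path."""
    return {p: (naive_is_safe(p), canonical_is_safe(p)) for p in paths}

if __name__ == "__main__":
    for path, (naive, canonical) in compare(SAMPLE_PATHS).items():
        print(f"{path!r:32} naive={naive!s:5} canonical={canonical}")
```

The forward-slash traversal is the case where the two verdicts disagree, which is exactly the gap the quoted test exercised.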