Cyber Security News for 15Apr2020

  1. “Tech-savvy individuals and firms have been eager to apply their skills to the coronavirus pandemic, as they should be. Some of them are working with governments who have flexed their “special powers” and public health muscles, as governments should do.”
  2. “Researchers from ESET believe that the attacks against two San Francisco International Airport (SFO) websites were carried out by the Russian cyber-espionage group known as Energetic Bear (aka DragonFly, Crouching Yeti). The Energetic Bear APT group has been active since at least 2010; most of the victims of the group are organizations in the energy and industrial sectors.”
  3. “Group-IB, a Singapore-based cybersecurity company, has found out that phishing kits are the new bestsellers of the underground market, with the number of phishing kit ads on underground forums and their sellers having doubled in 2019 compared to the previous year. The growing demand for phishing kits is also reflected in their price, which skyrocketed last year by 149 percent and exceeded $300 per item. Last year, phishing kit creators’ favorite brands were Amazon, Google and Office 365. Phishing kits are archive files with a set of scripts that ensure the work of a phishing website. This toolset enables attackers with modest programming skills to carry out massive malicious campaigns, which is why they represent a point of interest for cybersecurity researchers. The detection of a phishing kit not only helps to discover hundreds or even thousands of phishing pages, but can also serve as a starting point of an investigation to identify the toolkit’s creator and bring them to justice.”
  4. “Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified (find the list here) by researchers from MyCrypto and PhishFort.”
  5. “Don’t be lulled into the false sense of security by thinking your personal information is indeed private – you will be shocked to see how much about you is known to the outside world and too without your consent! Don’t believe it? Just go looking for yourself on Pipl, a well-known directory for searching people online and see for yourself what personal details about you are on there. There is a high chance that you will not only find your name, telephone number and address but also information on your social media presence and names of your family members (spouse, kids and parents).”
  6. “The Iranian propaganda group known as the International Union of Virtual Media, or IUVM, is behind a series of headlines and animated cartoons reporting, for instance, that COVID-19 is part of “a biological war led by Trump to strike at China’s economy,” according to a report published Wednesday by Graphika. Facebook and Twitter have removed IUVM-affiliated accounts dating back to 2018, though the latest effort again demonstrates how propagandists are using Western technology services to amplify disinformation.”
  7. “According to the Wall Street Journal (WSJ), officials revealed on April 13 that New York’s Office of Information Technology had discovered the security incident in late-January 2020. Its analysis unveiled that those individuals responsible for the attack had constructed tunnels into some of New York’s servers that the State used for relaying encrypted data. That information ranged from motor vehicle records to payroll information for the 250,000 employees employed in New York’s state agencies and public universities.”
  8. “Earlier this year, Rapid7’s offensive security team wrote about a closed beta program for AttackerKB, a new resource that highlights diverse perspectives on which vulnerabilities make the most appealing targets for attackers. Over the last few months, beta users have shared their personal experiences, in-depth technical analyses, expert opinions, and mitigation advice, with particular attention to the qualities that make emergent vulnerabilities high-value for attackers and high-impact for defenders.”
  9. “The Lampion malware is spread through emails containing a link that downloads a .zip file with malicious files in it. It’s a banking Trojan: criminals developed it to steal information related to banking portals from the victim’s devices or make fraudulent transactions. This form of malware is a big challenge from the banking security team’s point-of-view, as the accesses are performed through the victim’s device — a trusted device.”
  10. “Google has removed 49 new Chrome browser extensions from its official Web Store that contain code to steal sensitive information and hijack cryptocurrency wallets. The Chrome browser extensions were discovered by researchers from MyCrypto and PhishFort, who speculate the involvement of Russian hackers.”
  11. “Much has been publicized about the shortage of personal protective equipment (PPE) and other supplies for healthcare facilities in the United States during the COVID-19 pandemic. Now, the FBI is warning that threat actors are taking advantage of efforts to procure PPE and critical equipment such as ventilators with new business email compromise (BEC) and other scams aimed at defrauding those seeking the supplies.”
  12. “Recorded Future’s researchers have scoured thousands of code repositories, underground forum postings, and dark web sites to identify and rank the top 10 vulnerabilities that were actively exploited by threat actors last year. Their findings are outlined in our latest vulnerability report, “Criminal Underground Continues to Target Microsoft Products in Top 2019 Exploited Vulnerabilities List.””
  13. “Attacks against Windows kernel mode software drivers, especially those published by third parties, have been popular with many threat groups for a number of years. Popular and well-documented examples of these vulnerabilities are the CAPCOM.sys arbitrary function execution, the Win32k.sys local privilege escalation, and the EternalBlue pool corruption. Exploiting drivers offers interesting new perspectives not available to us in user mode, both through traditional exploit primitives and abusing legitimate driver functionalities.”
  14. “Tencent, a China-based global internet service provider, is opening up its existing bug-bounty program to HackerOne’s community of 600,000+ bug hunters, to widen the company’s vulnerability reporting and technical sharing efforts, it said in a launch notice on Tuesday. Tencent will also pay out its bounty payments via HackerOne’s platform from now on.”
  15. “The warning comes after the number of attempted phishing emails grew by 667% over the course of March, a month when state-linked hackers and criminals took advantage of the Covid-19 pandemic to fuel operations. Three main types of phishing themes have been detected in the spike: 54% have been scams, 34% were brand impersonation, and 11% blackmail.”
  16. “CMMC certification will be required for all contractors and subcontractors working with the U.S. Department of Defense. The goal is to enhance the protection of this information within the Department of Defense supply chain. While CMMC primarily leverages existing standards and regulations, such as FAR Clause 52.204-21 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, it also draws from other best practices.”
  17. “Researchers at email security firm Mimecast have uncovered a new flight refund scam that attempts to exploit the ongoing Coronavirus outbreak. The campaign is as simple as it is effective: scammers attempt to target individuals that are waiting for refunds from airlines that deleted the flights due to the Coronavirus shutdown. The malspam messages include a fake flight refund form and instruct targets to fill it in, providing their names and credit card details. Using this trick, cybercriminals could collect personal and financial information and use it to carry out a broad range of malicious activities. Data gathered with this fraud scheme could also be offered for sale on the Dark Web.”
  18. “Microsoft says that some VBA programs might break after installing the security updates for the CVE-2020-0760 Microsoft Office remote code execution vulnerability released as part of the April 2020 Patch Tuesday.”
  19. “Cloudflare is experiencing outages in multiple components of its infrastructure, including the dashboard, API, and their Argo smart routing feature, that are causing issues for some sites that are using them. Starting at approximately Apr 15, 15:38 UTC, Cloudflare began experiencing an internal infrastructure outage that took down numerous services used by web sites to administer their website, provide better routing, or clear caches via APIs.”
  20. “The New-Atomic feature lends some automation to the process and removes some of the drudgery of test creation by pre-populating much of the YAML file with contents that are largely static across tests. In addition to streamlining new test creation, contributors can use New-Atomic to generate new Atomic techniques, dependencies, and arguments.”
  21. “An exploit for a zero-day remote code execution vulnerability affecting the Zoom Windows client is currently being sold for $500,000, together with one designed to abuse a bug in the video conferencing platform’s macOS client.”

#security #cybersecurity #itsecurity #privacy #chrome #google #phishing #iran #iuvm #attackerkb #lampion #cryptocurrency #ppe #bec #cmmc #tencent #bugbounty #malspam #spam #cloudflare #zoom