
Wednesday, April 1, 2020

Microsoft Edge – Password Monitor: alerts when your passwords have been stolen

By SecNews, 31 March 2020



Microsoft Edge is introducing a new service called “Password Monitor”. The service will notify users if their credentials (passwords and so on) have been exposed in data breaches.

As long as a user relies on autofill for their login details, Microsoft Edge will notify them if those details have leaked, showing an alert when they open a new tab or when they visit the affected site.

If the user clicks the “More information” button in the alert, they are taken to the Password Monitor page, where they can see which credentials have leaked and change them easily: a single button starts the password change on the site from which they leaked.

Data breaches now happen daily, so Microsoft Edge is not the only browser that wants to offer such a service. Google Chrome and Mozilla Firefox are also building services that better protect users' credentials and encourage them to use a unique password on every site they visit.
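The article does not say how Edge performs the breach check. As an added example (not Edge's code and not a description of Microsoft's implementation), the block below shows the hash-prefix range query used by services such as Have I Been Pwned: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the returned suffixes itself, so the checking service never sees the password or its full hash. The breach corpus, the site names and all function names are constructed for the example.

```python
import hashlib

# Constructed breach corpus standing in for a real breach-data service.
# Real services hold SHA-1 hashes of leaked passwords with counts, never
# the plaintexts; we build the hashes here from constructed samples.
_LEAKED_PLAINTEXTS = {
    "password123": 120_000,
    "qwerty": 95_000,
    "letmein": 40_000,
    "Spring2020!": 310,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

_BREACH_INDEX = {sha1_hex(p): n for p, n in _LEAKED_PLAINTEXTS.items()}

# Everything the checking service ever learns: 5-character hash prefixes.
service_request_log = []

def range_query(prefix: str) -> dict:
    """Server side: given the first 5 hex digits of a SHA-1, return every
    leaked hash sharing that prefix (suffix -> count). The server cannot
    tell which of those hashes, if any, the client actually holds."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    service_request_log.append(prefix)
    return {h[5:]: n for h, n in _BREACH_INDEX.items() if h.startswith(prefix)}

def leaked_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix
    locally. Returns how many times the password appeared in breaches."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)

def check_saved_logins(logins):
    """Run the check over a password-manager style list of
    (site, username, password); return only the entries to warn about."""
    findings = []
    for site, user, pw in logins:
        n = leaked_count(pw)
        if n:
            findings.append((site, user, n))
    return findings

if __name__ == "__main__":
    # Constructed saved logins, as a browser's autofill store would hold them.
    saved = [
        ("shop.example", "alice", "password123"),
        ("mail.example", "alice", "c0rrect-h0rse-battery-staple-7Q"),
    ]
    for site, user, n in check_saved_logins(saved):
        print(f"{site} ({user}): password seen {n:,} times in breaches")
```

The property worth checking is in service_request_log: the service only ever receives five hex characters, so even a malicious or compromised checking service cannot recover the password, while the client still learns the exact breach count for its own hash.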

Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins

By Sergiu Gatlan, March 31, 2020 12:27 PM



A critical privilege escalation vulnerability in the WordPress SEO Plugin – Rank Math can allow attackers to grant administrator privileges to any registered user on any of the roughly 200,000 sites with active installations that remain unpatched.

Rank Math is a WordPress plugin described by its developers as 'the Swiss army knife of WordPress SEO' and designed to help website owners to attract more traffic to their sites through search engine optimization (SEO).

The plugin comes with a setup wizard that configures it via a step-by-step installation process and features support for Google Schema Markup (aka Rich Snippets), keyword optimization, Google Search Console integration, Google keyword rank tracking, and a lot more.

Everyone is a WordPress admin

The Rank Math privilege escalation vulnerability was found by Defiant's Wordfence Threat Intelligence team in an unprotected REST-API endpoint.

Successfully exploiting this bug "allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site," according to Defiant QA engineer Ram Gall.

To make matters worse, attackers could also lock administrators out of their sites by revoking their administrator privileges, a serious risk given that many WordPress websites have only a single admin user.

"Note that these attacks are only the most critical possibilities," Gall explains. "Depending on the other plugins installed on a site, the ability to update post, term, and comment metadata could potentially be used for many other exploits such as Cross-Site Scripting (XSS)."
Vulnerable REST route (Defiant)
Second vulnerability found in another REST-API endpoint

The researchers also discovered a second vulnerability that made it possible for unauthenticated attackers "to create redirects from almost any location on the site to any destination of their choice."

The bug was found in one of Rank Math's optional modules, which helps users create redirects on their WordPress websites.

"This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site," according to Gall.

The development team released Rank Math 1.0.41 on March 26, a patched version with fixes for the REST API issues, two days after Defiant's researchers reported them on March 24.

Since at least one of the two vulnerabilities is rated critical, Rank Math users are strongly advised to update to the latest version, 1.0.41.2, which contains fixes for both issues.
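Both Rank Math issues were unprotected REST-API endpoints. As an added example (not Rank Math's or Defiant's code), the block below is a small audit script that scans PHP source for register_rest_route() calls and reports routes that lack a permission_callback or set it to __return_true, which is exactly the pattern that lets an unauthenticated caller reach an endpoint. The PHP snippet it scans is constructed for the example; the route names and the update_meta/add_redirect callbacks are invented and do not correspond to the plugin's real code.

```python
import re

# Constructed PHP snippet showing the three ways a plugin can register a
# REST route. It is NOT Rank Math's code; names are made up for the example.
SAMPLE_PHP = r"""
register_rest_route( 'example/v1', '/update-meta', array(
    'methods'  => 'POST',
    'callback' => array( $this, 'update_meta' ),
) );

register_rest_route( 'example/v1', '/redirect', array(
    'methods'             => 'POST',
    'callback'            => array( $this, 'add_redirect' ),
    'permission_callback' => '__return_true',
) );

register_rest_route( 'example/v1', '/settings', array(
    'methods'             => 'POST',
    'callback'            => array( $this, 'update_settings' ),
    'permission_callback' => array( $this, 'can_manage_options' ),
) );
"""

def _call_argument_texts(src: str, func: str = "register_rest_route"):
    """Yield the raw argument text of each `func( ... )` call, matching
    parentheses by depth. Parentheses inside string literals would confuse
    this; a production tool should use a real PHP tokenizer."""
    pos = 0
    while True:
        start = src.find(func, pos)
        if start == -1:
            return
        open_idx = src.find("(", start)
        if open_idx == -1:
            return
        depth = 0
        for i in range(open_idx, len(src)):
            if src[i] == "(":
                depth += 1
            elif src[i] == ")":
                depth -= 1
                if depth == 0:
                    yield src[open_idx + 1:i]
                    pos = i + 1
                    break
        else:
            return  # unbalanced parentheses: stop scanning

_STRING_RE = re.compile(r"""['"]([^'"]*)['"]""")
_PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*(.+)""")

def audit_rest_routes(src: str):
    """Return (route, verdict) for every registered route. Verdicts:
    'missing' - no permission_callback: anyone can call the endpoint
    'public'  - permission_callback is __return_true: deliberately open
    'guarded' - some other callback decides who may call it."""
    results = []
    for args in _call_argument_texts(src):
        strings = _STRING_RE.findall(args)
        namespace, route = (strings + ["?", "?"])[:2]   # first two string args
        m = _PERM_RE.search(args)
        if m is None:
            verdict = "missing"
        elif "__return_true" in m.group(1):
            verdict = "public"
        else:
            verdict = "guarded"
        results.append((f"/{namespace}{route}", verdict))
    return results

def unauthenticated_routes(src: str):
    """The subset an attacker can reach without logging in."""
    return [r for r, v in audit_rest_routes(src) if v in ("missing", "public")]

if __name__ == "__main__":
    for route, verdict in audit_rest_routes(SAMPLE_PHP):
        print(f"{verdict:8} {route}")
```

The fix for a 'missing' route is a permission_callback that checks a capability, for instance `function () { return current_user_can( 'manage_options' ); }`, together with an allow-list of the metadata keys a caller may touch instead of accepting arbitrary ones. WordPress 5.5 and later emit a _doing_it_wrong notice for routes registered without a permission_callback, which makes the 'missing' class easy to spot during development.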
WordPress sites under siege

Since the start of 2020, attackers have been attempting to take over WordPress websites by exploiting recently patched or zero-day bugs in plugins installed on hundreds of thousands of sites.

In late February, researchers spotted attacks on tens of thousands of WordPress sites abusing critical bugs in multiple plugins, including a zero-day; the bugs could have led to backdoors being planted and rogue admin accounts being created.

Hackers have also tried to compromise or wipe WordPress sites by exploiting vulnerable plugins with a combined total of roughly 1,250,000 active installations, as well as several bugs in the WordPress GDPR Cookie Consent plugin used by over 700,000 websites.

Tuesday, March 31, 2020

FBI warns of nation-state actors using the Kwampirs malware

March 31, 2020, by Pierluigi Paganini

For the third time in a few weeks, the FBI has issued an alert about supply chain attacks carried out by nation-state actors using the Kwampirs malware.

The alert, issued on Monday, warns that state-sponsored hackers are using the Kwampirs RAT against software supply chain companies and other industry sectors as part of a global hacking campaign.


“Since at least 2016, the FBI has observed an Advanced Persistent Threat (APT) actor conduct a global network exploitation campaign using the Kwampirs Remote Access Trojan (RAT) and is providing additional, non-technical information in an effort to highlight key objectives of the actor campaign. This information, along with previously released FBI Liaison Alert System (FLASH) messages, is intended to enhance the network defense posture of public and private partners.” reads the alert issued by FBI.

Kwampirs is a modular RAT worm that is first used as a reconnaissance tool; if the compromised machine contains data of interest, the backdoor “aggressively” spreads to other systems over open network shares.

The RAT was first analyzed by Symantec researchers in April 2018, when they uncovered the activity of a cyber espionage group tracked as Orangeworm that targeted organizations in the healthcare sector.

“The Kwampirs RAT is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies enable follow-on computer network exploitation (CNE) activities.” continues the alert. “Through victimology and forensic analysis, the FBI found heavily targeted industries include healthcare, software supply chain, energy, and engineering across the United States, Europe, Asia, and the Middle East. Secondary targeted industries include financial institutions and prominent law firms.”

The FBI had already published two FLASH alerts, one containing YARA rules for the Kwampirs malware and a complete technical report on the threat.

According to the FBI, the group behind these attacks has been active since 2016, but a report published in 2018 by Symantec revealed that the Orangeworm APT was first spotted in January 2015.

Symantec pointed out that the APT group appears to be focused on the healthcare industry: 40% of its targets belonged to that sector.

The FBI confirmed that the APT group broke into target networks belonging to major transnational healthcare companies, hospital organizations, and other organizations in other industries.

“Kwampirs operations against global healthcare entities have been effective, gaining broad and sustained access to targeted entities. Targeted entities range from major transnational healthcare companies to local hospital organizations. The scope of infections has ranged from localized infected machine(s) to enterprise infections. During these campaigns, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware. The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.” states the FBI.

Another element that emerged from the FBI alert is the similarity between the Kwampirs malware and Disttrack, a wiper also known as Shamoon that was employed in attacks attributed to Iran-linked APT groups.

At the time of writing it is not clear whether the FBI issued the alert in response to the recent attacks targeting healthcare organizations.
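The alert's most actionable detail for defenders is that Kwampirs beaconed daily to hard-coded C2 addresses. As an added example (not from the FBI alert, which publishes its indicators and YARA rules separately), the block below runs a simple periodicity check over proxy-style log lines to surface host/destination pairs that connect at a fixed interval with little jitter. The log lines, host names and domains are constructed for the example; cdn-update.example.net is not a real indicator.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed proxy-style log lines (not real Kwampirs traffic):
# "<ISO 8601 UTC timestamp> <source host> <destination>".
# ws-017 -> cdn-update.example.net is the planted daily beacon; the other
# rows are ordinary, irregular traffic.
SAMPLE_LOG = """\
2020-03-02T03:14:07Z ws-017 cdn-update.example.net
2020-03-02T09:41:10Z ws-017 updates.example.org
2020-03-03T03:14:11Z ws-017 cdn-update.example.net
2020-03-03T17:05:52Z ws-017 updates.example.org
2020-03-04T03:13:58Z ws-017 cdn-update.example.net
2020-03-04T12:20:30Z ws-017 updates.example.org
2020-03-05T03:14:20Z ws-017 cdn-update.example.net
2020-03-02T08:00:00Z ws-042 updates.example.org
2020-03-03T08:00:05Z ws-042 updates.example.org
"""

def _group_connections(log_text):
    """Map (source, destination) -> sorted list of connection times."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        conns[(src, dst)].append(t)
    for times in conns.values():
        times.sort()
    return conns

def find_periodic_beacons(log_text, period_s=86400, jitter_s=900, min_hits=3):
    """Return pairs whose consecutive connections are all spaced
    period_s +/- jitter_s apart (default: once a day, within 15 minutes).
    min_hits guards against two coincidental hits being called a beacon."""
    beacons = []
    for (src, dst), times in _group_connections(log_text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period_s) <= jitter_s for g in gaps):
            beacons.append({"src": src, "dst": dst, "hits": len(times),
                            "median_gap_s": median(gaps)})
    return beacons

if __name__ == "__main__":
    for b in find_periodic_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']}: {b['hits']} hits, "
              f"median gap {b['median_gap_s'] / 3600:.2f} h")
```

Against real DNS or proxy logs you would run this over several weeks, scale jitter_s with the period, and exclude known-good destinations (update servers and monitoring agents also beacon on schedule); a hit is a lead to correlate with the FBI's YARA rules and indicators, not proof of infection on its own.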





Beware fraud and scams during Covid-19 pandemic



Criminals are using the Covid-19 pandemic to scam the public – don’t become a victim.

Law enforcement, government and private sector partners are working together to encourage members of the public to be more vigilant against fraud, particularly about sharing their financial and personal information, as criminals seek to capitalise on the Covid-19 pandemic.

Criminals are experts at impersonating people, organisations and the police.

They spend hours researching you for their scams, hoping you’ll let your guard down for just a moment.

Stop: Taking a moment to stop and think before parting with your money or information could keep you safe.

Challenge: Could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.

Protect: Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud.

Your bank or the police will NEVER ask you to transfer money or move it to a safe account.

Criminals are targeting people looking to buy medical supplies online, sending emails offering fake medical support and scamming people who may be vulnerable or increasingly isolated at home. These frauds try to lure you in with offers that look too good to be true, such as high return investments and ‘healthcare opportunities’, or make appeals for you to support bogus charities or those who are ill.

Reports from the public have already included online shopping scams where people have ordered protective face masks, hand sanitiser, and other products, which have never arrived and a number of cases have been identified where fake testing kits have been offered for sale.

Criminals are also using Government branding to try to trick people, including reports of using HMRC branding to make spurious offers of financial support through unsolicited emails, phone calls and text messages.

This situation is likely to continue, with criminals looking to exploit further consequences of the pandemic, such as exploiting financial concerns to ask for upfront fees for bogus loans, offering high-return investment scams, or targeting pensions.

Huge increases in the number of people working remotely mean that significantly more people will be vulnerable to computer service fraud where criminals will try and convince you to provide access to your computer or divulge your logon details and passwords. It is also anticipated that there will be a surge in phishing scams or calls claiming to be from government departments offering grants, tax rebates, or compensation.

Please see below for more information on the most common COVID-19 frauds and the steps you can take to keep yourself safe.

Online Shopping and Auction Fraud

More people may fall victim to #onlineshopping fraud as they self-isolate due to #COVID19. You are a victim of online shopping fraud if you buy goods from an online seller that never arrive.

Computer Software Service Fraud

As more people work from home due to #COVID19, fraudsters may capitalise on slow networks and IT problems to commit computer software service fraud. Be wary of cold calls or unsolicited emails offering you help with your device or to fix a problem.

Lender Loan Fraud

People may be worrying about their finances during the #COVID19 outbreak. Lender loan fraudsters will use the opportunity to:

- approve your application for a fast loan regardless of your credit history

- ask you to pay an upfront fee

- take your payment and never provide the loan

Pension Liberation Fraud and Investment Fraud

Fraudsters could try to take advantage of the financial uncertainty surrounding #COVID19 by offering people sham investment opportunities. If you get a cold call or unsolicited email offering you a deal that sounds too good to be true, it probably is.

Mandate Fraud

As more people work from home due to #COVID19, fraudsters may try to get you to change a direct debit, standing order or bank transfer mandate, to divert funds to their bank account, by purporting to be an organisation you make regular payments to.

Phishing

A number of #COVID19 related phishing emails have been reported to Action Fraud. These emails attempt to trick you into opening malicious attachments which could lead to fraudsters stealing your personal information, logins, passwords, or banking details.

Update 26/03: The Government has only sent one text message to the public regarding new rules about staying at home to prevent the spread of COVID-19. Any others claiming to be from UK Government are false.

“Criminals are able to use spoofing technology to send texts and emails impersonating organisations that you know and trust. We would remind anyone who receives an unexpected text or email asking for personal or financial details not to click on the links or attachments, and don’t respond to any messages that ask for your personal or financial details.”

Scam text 'issues fine' to people leaving house


A scam text has been sent telling people they are being given a £250 fine because they have been out of the house "more than once".

The message claims to have been sent by GOV.UK and claims the fine is due to "irresponsible behaviour".

It goes on to say the charge could increase to £5,000 and/or arrest and payment will be taken automatically.

West Mercia Police advised anyone who received the text to report it to Action Fraud UK.

Windows 10 remote work bug: Microsoft races out this emergency fix

Windows 10 users can manually install the new patch to fix internet connectivity problems.

By Liam Tung | March 31, 2020


Microsoft has released an emergency update to fix a Windows 10 bug that has been causing internet connectivity issues for users and preventing some Office 365 setups from reaching the cloud.

The company confirmed the bug on Thursday; it affects PCs and servers running all supported versions of Windows 10 that use a proxy, especially together with a virtual private network (VPN).

The bug couldn't have come at a worse time as employees work remotely en masse under government-sanctioned lockdowns or to practice social distancing amid the coronavirus COVID-19 pandemic.

The outbreak has led to a boom in the use of VPNs over the past three weeks, with internet-device search engine Shodan reporting this week that VPN use is up 33% while Remote Desktop Protocol (RDP) use is up 41% over the period.

Microsoft appears to have considered the bug extremely serious, last week estimating it should have a patch available in early April. But it has beaten that target, with an update now available to manually install from the Microsoft Update Catalog.

The patch is not being released to all users automatically via Windows Update, and Microsoft recommends that only users affected by the problem should install the fix.


"An out-of-band optional update is now available on the Microsoft Update Catalog to address a known issue whereby devices using a proxy, especially those using a virtual private network (VPN), might show limited or no internet connection status," Microsoft said on the Windows message center.

"We recommend you only install this optional update if you are affected by this issue."

There are updates available for Windows 10 version 1909 back through to version 1709.

The bug had the potential to be a serious drain on productivity for remote workers, depending how company applications had been configured.

Microsoft had warned that devices with the connectivity issue might also have problems reaching the internet from applications that use WinHTTP or WinInet. Affected applications included Microsoft Teams, Microsoft Office, Office 365, Outlook, Internet Explorer 11, and some versions of Microsoft Edge.

The bug affected Windows 10 devices with updates installed from February 27 and onwards.

Distributed disruption: Coronavirus multiplies the risk of severe cyberattacks


 Marc Wilczek, COO, Link11
March 31, 2020

The coronavirus pandemic is upending everything we know. As the tally of infected people grows by the hour, global healthcare, economic, political, and social systems are bending and breaking under the strain, and for much of the world there’s no end in sight. But amid this massive wave of disruption, one thing hasn’t changed: the eagerness of cybercriminals to capitalize on society’s misfortune and uncertainty to sabotage, cripple, mislead and steal.



New states of emergency are being declared every day as the virus keeps spreading. Confirmed cases have meanwhile been reported in more than 150 countries on six different continents. Nations and organizations everywhere are working around the clock to flatten the COVID-19 curve by imposing remote work policies, travel bans, and self-isolation.

In an unprecedented time like this, the reliance on the Internet is growing exponentially, turning the data highway into an even more indispensable channel for communication, information sharing, commerce, and everyday social interaction.
The Internet lifeline

To prevent their phone lines from being overwhelmed with information requests, governments around the globe are making digital the default communication stream and directing citizens to the official websites of their health ministries or public health agencies for COVID-19 updates. People are hitting Facebook and other social media like never before to keep up with and share the latest news. Telecom giant Vodafone has reported a 50% surge in European internet use, and Netflix has been requested to cut its bitrate in Europe for 30 days in order to prevent the Internet from collapsing.

In this context, a cyberattack that denies organizations or families access to their devices or data could be catastrophic. In a worst-case scenario, one or more cyberattacks could cause broad-based infrastructure shutdowns that take whole communities or cities offline and further hinder already overburdened healthcare providers, transportation systems and networks.

Germany, Italy and Spain are among the many countries and jurisdictions (like New York and California) that have implemented draconian measures to limit the spread of the COVID-19 virus. Non-essential businesses have been made to close, and people to stay at home. Consequently, citizens are relying heavily on delivery services, which continue to operate. However, in Germany, cybercriminals recently unleashed a DDoS attack on one of the largest home delivery platforms, which affected customers and owners of more than 15,000 restaurants across the country. The criminals asked for two bitcoins (worth roughly $11,000) to stop the siege.

A few days earlier, the U.S. Department of Health and Human Services (HHS) suffered a DDoS attack, assumed to have been launched by a hostile foreign actor, aimed at slowing down the agency’s services amid the government’s rollout of a response to coronavirus. The incident allegedly tried to overload HHS servers with millions of hits in just hours. The attack in the US occurred just two weeks after Australia’s federal cyber agency warned that Australian banks were in the crosshairs of extensive DDoS extortion campaigns.

Especially digitally-advanced industries with a heavy dependence on internet connectivity are more vulnerable than ever. Europol’s “Internet Organised Crime Threat Assessment 2019” report notes that – besides the public sector and financial institutions – travel agents, Internet infrastructure, e-commerce, and online gaming services were lucrative targets for DDoS extortionists.
The perils of DDoS attacks on VPN servers

When it comes to remote work, VPN servers turn into bottlenecks. Keeping them secure and available is a number-one IT priority. Hackers can launch DDoS campaigns on VPN services and deplete their resources, knocking out the VPN server and limiting its availability. The implications are clear: Since the VPN server is the gateway to a company’s internal network, an outage can keep all employees working remotely from doing their job, effectively cutting off the entire organization from the outside world.

During an unprecedented time of peak traffic, the risk of a DDoS attack is growing exponentially. If the utilization of the available bandwidth is very high, it does not take much to cause an outage. In fact, even a tiny attack can become the last nail in the coffin. For instance, a VPN server or firewall can be taken down by a TCP blend attack with an attack volume as low as 1 Mbps. SSL-based VPNs are just as vulnerable to an SSL flood attack, as are web servers.

Making matters worse, many organizations either use in-house hardware appliances or rely on their Internet carrier to ward off incoming attacks. These deployment models tend to run with low levels of automation, requiring human intervention of some sort to operate. If someone or something throws a digital wrench into the system, fixing the problem remotely will be an uphill battle if there are few or no IT staff on-site. Since these deployment models typically require 10 or even 20 minutes before they even detect an incident, any attack will almost inevitably cause a major outage.
APIs and web apps broaden the attack surface

The Application Programming Interface (API) is a key part of every cloud service or web app. APIs enable service integration and interoperability – by, for instance, enabling any given app to process a payment from PayPal or a client’s credit account in order to complete the transaction. But they can also turn into single points of failure that expose companies to a wide variety of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations related to the business and initiates a potentially devastating chain reaction.

Guarding against or managing application layer attacks – such as an HTTP/HTTPS flood – is especially difficult, as the malicious traffic is hard to distinguish from regular traffic. Layer-7 attacks are in that sense highly effective, as they require little bandwidth to create a blackout.
Cybercrime exploits anxiety

Cybercriminals take advantage of human foibles to break through systemic defenses. In a crisis, especially a prolonged one, IT people run the risk of making mistakes they would not have made otherwise. Attackers might cut off system administrators from their own servers while they run virtually rampant through the company network, steal proprietary data, or plant ransomware. Any downtime can alienate customers, erode trust and cause negative publicity, even anxiety.

Organizations should remain vigilant and prepare for attacks in advance, before they occur, as this sort of incident can be very difficult to respond to once the attack unfolds. Companies should also continue to opt for cloud services to take advantage of scalability, and higher bandwidth to maintain redundancy. Most importantly, during times of remote work and self-isolation, radical security automation is more important than ever in order to ensure an instant response and get human error out of the equation.

Hacker hijacks YouTube accounts to broadcast Bill Gates-themed crypto Ponzi scam


UPDATE: Microsoft says none of its verified accounts were hacked. YouTube has also intervened to take down the scam's live streams.

 By Catalin Cimpanu for Zero Day | March 30, 2020



A hacker has hijacked dozens of YouTube accounts, renamed them after various Microsoft brands, and is currently broadcasting a cryptocurrency Ponzi scam to tens of thousands of users, posing as a message from the company's former CEO Bill Gates.

The hacks are part of a growing issue on YouTube, where hackers hijack popular accounts to broadcast a classic "crypto giveaway" -- where victims are tricked into sending a small sum of cryptocurrency to the scammer in order to double their money but never get any funds in return.

Such scams were once very common on Twitter, but have now moved to YouTube in recent months as Twitter began cracking down on users posing as verified accounts.

At the time of writing, a hacker appears to have taken over 30+ YouTube profiles from which they are live streaming an old Bill Gates talk on startups that the former Microsoft CEO gave to an audience at Village Global in June 2019, while also asking users to participate in a scammy giveaway.


The cryptocurrency Ponzi scheme is currently live streaming on the YouTube accounts using names such as Microsoft US, Microsoft Europe, Microsoft News, and others. Spokespersons for Microsoft and YouTube denied that hackers breached any of Microsoft's verified official accounts, although some users reported scam streams appearing on non-verified Microsoft accounts.

However, the vast majority of live streams were airing on YouTube channels with high subscriber counts, hijacked from YouTube users and later renamed to appear as legitimate Microsoft accounts, in an attempt to amplify the hack and give it an air of legitimacy.

Some of the Bitcoin addresses listed in the scams had received thousands of US dollars at the time of writing, suggesting the scam had fooled at least some users.


Based on YouTube stream stats, tens of thousands have seen the video feeds.

Microsoft was not the only organization impacted by the mass hijack and defacement incident. The Chaos Computer Club, a famous Germany-based hacking community, also had its account hijacked to broadcast a similar message. The YouTube account of YouTube's founder was hacked in the same manner in January. Furthermore, the former Microsoft CEO is not the only popular figure to have his name abused in this way: many past crypto-scams impersonated figures from the cryptocurrency community.

Linux's WireGuard VPN is here and ready to protect you

By Steven J. Vaughan-Nichols for Networking | March 30, 2020

In the newly released Linux 5.6 kernel, you'll finally find the long anticipated open-source Virtual Private Network, WireGuard.

Linus Torvalds has released Linux 5.6. It includes many new and useful features such as USB4 support, a fix for the 32-bit Epoch (year 2038) problem, multipath TCP, and numerous driver patches. The biggest news of all is that Linux now has the popular open-source Virtual Private Network (VPN) WireGuard baked in.

WireGuard is a radical new approach to VPNs. With its minimal codebase -- about 4,000 lines of code -- it's much easier to debug and secure than its rivals such as OpenVPN with its over 100,000 lines.

Torvalds himself loves WireGuard for its simplicity. Long before he incorporated WireGuard into Linux, Torvalds said "Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."

It may be simple, but it uses up-to-date cryptographic primitives such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKDF. Its design has also been shown secure by an academic, mechanized cryptographic proof.

The final major hurdle WireGuard faced in its acceptance was compatibility with Linux's built-in cryptographic subsystem. In the end, WireGuard's primary developer Jason Donenfeld made it compatible with that subsystem, which now also includes features from Donenfeld's Zinc cryptographic library.

While its home is on Linux, WireGuard is designed as a general-purpose VPN for everything from Internet of Things (IoT) devices to supercomputers. It's also cross-platform, with support for the BSDs, macOS and Windows on computers, and Android and iOS on smartphones.

Linux users, who don't usually touch early Linux kernel builds, will soon be able to give it a try. Donenfeld wrote: "The usual up-to-date distributions like Arch, Gentoo, and Fedora 32 will be getting WireGuard automatically by virtue of having 5.6."


But even if you don't run leading, bleeding-edge Linux distros like these, you'll be getting WireGuard soon, too. Donenfeld added: "On the backports front, WireGuard was backported to Ubuntu 20.04 and Debian Buster." It may also end up backported to the Linux 5.4 long-term support (LTS) kernel. This would bring WireGuard to almost all 2020 Linux distro releases.

Simple, fast, and secure. WireGuard promises to be the future not only of Linux VPNs but of VPN software in general. Some companies, such as Mullvad VPN, are already shipping it; the others soon will be.

Monday, March 30, 2020

COVID-19: Hackers Begin Exploiting Zoom's Overnight Success to Spread Malware

March 30, 2020Ravie Lakshmanan
 

As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of the coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and distributing malicious "Zoom" executable files in an attempt to trick people into downloading malware onto their devices.

According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone.

"We see a sharp rise in the number of 'Zoom' domains being registered, especially in the last week," said Omer Dembinsky, Manager of Cyber Research at Check Point.

"The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure, and exploit. Each time you get a Zoom link or document messaged or forwarded to you, I'd take an extra look to make sure it's not a trap."


With over 74,000 customers and 13 million monthly active users, Zoom is one of the most popular cloud-based enterprise communication platforms that offers chat, video and audio conferencing, and options to host webinars and virtual meetings online.

The popularity of Zoom has shot up significantly in recent weeks as millions of students, business people, and even government employees across the world are forced to work and socialize from home during the coronavirus pandemic.



The report comes following a significant increase in the number of malicious coronavirus-related domains, with bad actors finding new ways to profit off the global health concern to stage a variety of malware attacks, phishing campaigns, and create scam sites and malicious tracker apps.

What's more, the researchers said they detected malicious files with the name "zoom-us-zoom_##########.exe," which when executed, installed potentially unwanted programs (PUPs) such as InstallCore, a dodgy bundleware application that's known to install other kinds of malware.

But Zoom is not the only app to be targeted by cybercriminals. With schools turning to online learning platforms to keep students occupied, Check Point researchers said they also discovered phishing sites masquerading as the legitimate Google Classroom (e.g., googloclassroom\.com and googieclassroom\.com) website to trick unwitting users into downloading malware.
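Registrar feeds and new-domain lists can be triaged for the two impersonation patterns described above (typosquats such as googloclassroom and brand-embedded names such as the many new "Zoom" domains). The following is an added example, not code from Check Point or The Hacker News; the watch-list, brand tokens and sample domains are constructed.

```python
"""Added example: classify newly registered domains as typosquats of, or
brand-embedded impersonations of, a small brand watch-list."""

# Hosts the organisation treats as genuine (assumed watch-list, not from the article).
LEGIT_HOSTS = {"zoom.us", "classroom.google.com"}
# Brand tokens that registrable labels are compared against.
BRANDS = ("zoom", "googleclassroom")
# Single-character look-alikes commonly swapped in typosquats.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(domain: str) -> str:
    """Second-level label with confusables folded ('googieclassroom' -> 'googleclassroom').
    Naive split on '.'; public-suffix handling is deliberately left out."""
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify(domain: str):
    """Return (verdict, brand): 'legit', 'typosquat', 'brand-embedded' or 'clean'."""
    host = domain.lower().strip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return ("legit", None)
    label = normalize_label(host)
    for brand in BRANDS:
        # Short brands get a tighter edit threshold to limit false positives.
        max_edits = 1 if len(brand) <= 6 else 2
        if edit_distance(label, brand) <= max_edits:
            return ("typosquat", brand)
        if brand in label:  # 'zoom-us-meeting-download' style names
            return ("brand-embedded", brand)
    return ("clean", None)


# Constructed sample of newly seen domains to triage.
SAMPLE_DOMAINS = ["zoom.us", "us02web.zoom.us", "googloclassroom.com",
                  "googieclassroom.com", "zoorn.com",
                  "zoom-us-meeting-download.com", "example.org"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:32} {classify(d)}")
```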


Zoom Fixes Privacy Issue in Its iOS App
Zoom, for its part, has had its share of privacy and security issues too. Last year, the video conferencing app fixed a vulnerability that could let websites hijack users' webcam and "forcibly" join them to a Zoom call without their permission.


Then earlier this January, the company squashed another bug that could have allowed attackers to guess a meeting ID and join an unprotected meeting, potentially exposing private audio, video, and documents shared throughout the session. Following the disclosure, Zoom introduced default passwords for each meeting that participants need to enter when joining by manually entering the meeting ID.

And finally, just over the weekend, Zoom updated its iOS app after it was caught sending device information and a unique advertiser identifier to Facebook using the social network's software development kit (SDK), and concerns were raised over its failure to disclose this data sharing in its privacy policy.

Highlighting some of the privacy risks associated with using Zoom's products, The Electronic Frontier Foundation (EFF) said hosts of Zoom calls can see if participants have the Zoom video window active or not to track if they are paying attention. Administrators can also see the IP address, location data, and device information of each participant.

To safeguard yourself from such threats, it's essential to keep your apps up to date and to be on the lookout for emails from unknown senders and for lookalike domains that contain spelling errors.

Besides this, don't open unknown attachments or click on links in such emails (the cure for the coronavirus will not arrive via email), and order goods only from an authentic source.

Sunday, March 29, 2020

Hackers sending malware infected USBs with Best Buy Gift Cards

By WAQAS, HackRead

The infamous FIN7 hacking group is behind this campaign.

The IT security researchers at Trustwave SpiderLabs have identified a new and tricky attack campaign that uses a specially designed USB dongle that acts as a keyboard. In their research, Trustwave shared details of one of its clients in the US that received a malicious USB dongle shipped to the company as a Best Buy gift card.

The incident has received so much attention that the FBI had to issue a warning stating that this is the work of the cybercrime syndicate known as FIN7, and that it is specifically targeting businesses by sending them infected USB devices.

See: Employee infects US govt network with malware after visiting 9,000 porn sites

The attack works as follows: once the device is plugged into a PC, it downloads and runs a JavaScript backdoor. This technique is usually associated with security researchers demonstrating it for training purposes, and this is perhaps the first time that hackers have attempted to use it on a large scale.

According to Trustwave SpiderLabs’ vice president Ziv Mador, the company was notified about this campaign by a business associate of one of its team members, and a US-based hospitality sector firm received the malicious USB dongle in February.

The attackers packaged the USB drive convincingly: the company that received it reported that the package contained a $50 Best Buy gift card along with the drive and a genuine-looking letter bearing the Best Buy logo.


“Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick. Thank you again for choosing us!” said the letter sent to the company.

Here is a full preview of the letter:


Image provided by Trustwave

Furthermore, the recipient was asked to spend the amount on various items, and the list of items was supposedly stored on the USB drive, which the recipient would have to plug into a computer to read. However, the recipient was well-trained and did not do as directed; instead, they sent the device for further analysis.

Researchers maintain that this USB drive is built on an Arduino ATMEGA32U4 microcontroller and carries the GRIFFON malware. The device is designed to behave like a USB keyboard, primarily because such keyboards are compatible with almost all kinds of systems and injecting malicious commands through keystrokes is easy.

In this campaign, the USB device executes a series of obfuscated PowerShell commands to upload the system’s configuration data to a C&C server operated by the attacker(s) and then waits for further instructions from the attacker(s).


How the attack works – Image via Trustwave

Researchers urge businesses not to insert any USB devices they receive unexpectedly into their systems, no matter how attractively the devices are disguised or how large the attached gift card is.

See: 8 Technologies That Can Hack Into Your Offline Computer and Phone

While this time it is the FIN7 hacking group sending out malicious USBs, in May 2017 IBM sent out USB sticks infected with malware, and in September 2018 Schneider Electric also shipped USB drives loaded with malware. In January 2018, police in Taiwan distributed malware-infected USBs as cybersecurity quiz prizes – oh the irony!

If you care for your business, you need to educate yourself and your employees on cyber security. Check our in-depth post explaining how a USB device could become a security risk for your device and impact your business.

Phishing Attack Says You're Exposed to Coronavirus, Spreads Malware

By Lawrence Abrams, March 29, 2020 12:12 PM



A new phishing campaign has been spotted that pretends to be from a local hospital telling the recipient that they have been exposed to the Coronavirus and that they need to be tested.

With the Coronavirus pandemic affecting all corners of the world, we continue to see phishing actors try to take advantage of the fear and anxiety it is provoking to scare people into opening malicious email attachments.

In a new low, a threat actor is pretending to be from a local hospital telling the recipient that they have been in contact with a colleague, friend, or family member who has tested positive for the COVID-19 virus.

The email then tells the recipient to print the attached EmergencyContact.xlsm attachment and bring it with them to the nearest emergency clinic for testing.
Coronavirus-themed phishing email

The text of this email reads:

Dear XXX
You recently came into contact with a colleague/friend/family member who has COVID-19 at Taber AB, please print attached form that has your information prefilled and proceed to the nearest emergency clinic.
Maria xxx
The Ottawa Hospital General Campus
501 Smyth Rd, Ottawa, ON K1H 8L6, Canada


When a user opens the attachment, they will be prompted to 'Enable Content' to view the protected document.
Malicious attachment

If a user enables content, malicious macros will be executed to download a malware executable to the computer and launch it.
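A mail gateway or sandbox can refuse macro-bearing Office attachments such as the EmergencyContact.xlsm lure before a user ever sees the 'Enable Content' prompt. The following is an added example, not code from BleepingComputer or the article; the workbook bytes are constructed here and are not the real attachment.

```python
"""Added example: triage an OOXML attachment for embedded VBA, deciding on the
zip contents rather than the file extension."""
import io
import zipfile

MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Report whether data is an OOXML package and whether it carries VBA."""
    findings = {"is_ooxml": False, "has_vba": False, "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip: PDF, binary .xls, plain text, ...
    with zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return findings  # a zip, but not an Office package
        findings["is_ooxml"] = True
        # 1. A vbaProject.bin part (under xl/, word/ or ppt/) holds the compiled VBA.
        vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
        if vba_parts:
            findings["has_vba"] = True
            findings["reasons"].append("vba part: " + ", ".join(vba_parts))
        # 2. The content-types manifest declares the macro part; check it as well
        #    in case the part was stored under an unusual name.
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CONTENT_TYPE in ctypes:
            findings["has_vba"] = True
            findings["reasons"].append("content type declares vbaProject")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy: hold any Office package that carries VBA. The extension is
    deliberately ignored; only the package contents decide."""
    f = inspect_ooxml(data)
    return bool(f["is_ooxml"] and f["has_vba"])


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal zip shaped like an OOXML workbook (sample data only)."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
            # OLE magic plus filler: a placeholder, not real VBA.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()
```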

This executable will now inject numerous processes into the legitimate Windows msiexec.exe file. This is done to hide the presence of the running malware and potentially evade detection by security programs.

In a cursory analysis, BleepingComputer saw that the malware exhibited the following behavior:
Searches for and possibly steals cryptocurrency wallets.
Steals web browser cookies that could allow attackers to log in to sites with your account.
Gets a list of programs running on the computer.
Looks for open shares on the network with the net view /all /domain command.
Gets the local IP address information configured on the computer.

During this crisis, it is important for everyone to be especially careful of any Coronavirus-related emails that they receive and to not open any attachments.

Instead, you should look up the number for the alleged sender and contact them via phone to confirm the email and the enclosed information.

Furthermore, if you are looking for the latest trusted Coronavirus information, you should go to the sites of the CDC, WHO, or your local health department rather than risk opening an attachment from a stranger.

Hackers Used Local News Sites to Install Spyware On iPhones

By Ravie Lakshmanan, March 27, 2020
A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices.

According to research published by Trend Micro and Kaspersky, the "Operation Poisoned News" attack leverages a remote iOS exploit chain to deploy a feature-rich implant called 'LightSpy' through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control.

Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim's device and load it with malware.


The APT group, dubbed "TwoSail Junk" by Kaspersky, is said to be leveraging vulnerabilities present in iOS 12.1 and 12.2 spanning all models from iPhone 6 to the iPhone X, with the attacks first identified on January 10, before intensifying around February 18.


Using Malicious Links as Bait to Install Spyware
The campaign uses fake links posted on multiple forums, all popular with Hong Kong residents, that claim to lead to various news stories related to topics that are either sex-related, clickbait, or news related to the ongoing COVID-19 coronavirus pandemic.



Clicking the URLs leads users to legitimate news outlets that have been compromised, as well as to websites set up specifically for this campaign (e.g., hxxps://appledaily.googlephoto[.]vip/news[.]html) by the operators. In both situations, a hidden iframe is employed to load and execute malicious code.
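The hidden-iframe technique described above leaves a detectable trace in the page itself: a frame the visitor cannot see that pulls content from another host. The scanner below is an added example, not Trend Micro's or Kaspersky's code; the HTML and all host names are constructed samples.

```python
"""Added example: find iframes that are hidden from the visitor and load
content from a host other than the page's own."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare flags like 'hidden'
            self.iframes.append({k.lower(): ("" if v is None else v) for k, v in attrs})


def is_hidden(attrs: dict) -> bool:
    """Heuristics for a frame the user cannot see: CSS hiding, the hidden
    attribute, or a 0/1 pixel box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or "hidden" in attrs:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:  # percentages or other units: treat as visible
        return False
    return width <= 1 or height <= 1


def suspicious_iframes(html: str, page_host: str) -> list:
    """Return (src, host) for hidden iframes that pull content from a different host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src stays on-origin
        if is_hidden(frame) and host != page_host:
            hits.append((src, host))
    return hits


# Constructed page: a visible frame showing the real news site, a zero-size
# analytics frame, a display:none frame to a third host, a hidden same-origin widget.
SAMPLE_HTML = """<html><body>
<iframe src="https://news.example-legit.test/story.html" width="100%" height="800"></iframe>
<iframe src="https://stats.example-track.test/a.html" width="0" height="0"></iframe>
<iframe src="https://loader.example-bad.test/index.html" style="display: none"></iframe>
<iframe src="/widget.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, host in suspicious_iframes(SAMPLE_HTML, "fake-news.example-bad.test"):
        print(f"hidden off-origin iframe: {src} ({host})")
```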

"The URLs used led to a malicious website created by the attacker, which in turn contained three iframes that pointed to different sites," Trend Micro researchers said. "The only visible iframe leads to a legitimate news site, which makes people believe they are visiting the said site. One invisible iframe was used for website analytics; the other led to a site hosting the main script of the iOS exploits."



The malware in question exploits a "silently patched" Safari vulnerability, which when rendered on the browser leads to the exploitation of a use after free memory flaw (tracked as CVE-2019-8605) that allows an attacker to execute arbitrary code with root privileges — in this case, install the proprietary LightSpy backdoor. The bug has since been resolved with the release of iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1.

The spyware is not just capable of remotely executing shell commands and taking full control of the device. It also contains a variety of downloadable modules that allow for data exfiltration, such as contact lists, GPS location, Wi-Fi connection history, hardware data, iOS keychains, phone call records, mobile Safari and Chrome browser history, and SMS messages.


In addition, LightSpy targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.


A Surveillance Operation Targeting Southeast Asia
It is suspected that the TwoSail Junk gang is connected to, or possibly the same as, the operators of "dmsSpy," an Android variant of the same malware that was distributed last year through open Telegram channels under the guise of Hong Kong protest calendar apps, among others.

"dmsSpy's download and command-and-control servers used the same domain name (hkrevolution[.]club) as one of the watering holes used by the iOS component of Poisoned News," the researchers observed.

Once installed, these rogue Android apps harvested and exfiltrated contacts, text messages, the user's location, and the names of stored files.

"This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia," Kaspersky researchers concluded.

Trend Micro, for its part, suggested the design and functionality of the campaign aim to compromise as many mobile devices as possible to enable device backdooring and surveillance.

To mitigate such threats, it's essential that users keep their devices up-to-date and avoid sideloading apps on Android from unauthorized sources.

Tekya Clicker Malware Hides in 56 Apps Downloaded 1 Million Times Worldwide From Google Play

By GURUBARAN S - March 27, 2020



Google implements a number of ways to filter malicious apps out of the Play Store, but attackers still continue to find ways to infiltrate the app store and infect user devices.

Security researchers from Check Point identified 56 malicious apps in the Play Store that aimed to commit mobile ad fraud with a new malware family dubbed ‘Tekya’.


The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

The Tekya malware was found hidden in 56 apps that were downloaded more than 1 million times worldwide. Of those 56 apps, 24 were aimed at kids, ranging from puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is an Android mechanism used to report movement events from input devices such as a mouse, pen, finger, or trackball.

In this campaign, attackers cloned legitimate apps and hosted fake versions with the malware embedded.

Once the malware is installed on the device, a broadcast receiver is registered that triggers the malware on several system events.

The receiver “us.pyumo.TekyaReceiver” is registered for the following actions:

‘BOOT_COMPLETED’ to allow code to run at device startup (“cold” startup)
‘USER_PRESENT’ to detect when the user is actively using the device
‘QUICKBOOT_POWERON’ to allow code to run after a device restart


The main goal of the malware is to click on the ads banner from agencies such as Google’s AdMob, AppLovin, Facebook, and Unity.
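The receiver registration described above is visible in an app's manifest before it ever runs, which makes it a cheap static triage check. The following is an added example, not Check Point's code; it assumes a decoded (text) AndroidManifest.xml such as apktool produces, and the manifest below is constructed, with only the receiver name and actions taken from the article.

```python
"""Added example: list broadcast receivers in a decoded AndroidManifest.xml
that register boot or user-presence triggers."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Actions that let app code run without the user ever opening the app.
WAKEUP_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.QUICKBOOT_POWERON",
}


def receiver_actions(manifest_xml: str) -> dict:
    """Map each <receiver> class name to the set of intent actions it filters."""
    root = ET.fromstring(manifest_xml)
    return {recv.get(NAME): {a.get(NAME) for a in recv.iter("action")}
            for recv in root.iter("receiver")}


def flag_wakeup_receivers(manifest_xml: str) -> list:
    """Return (receiver, sorted wake-up actions) for receivers worth a closer look.
    A game or translator app has little reason to wake itself at boot and on
    every unlock; a receiver combining these triggers is the strongest signal."""
    flagged = []
    for name, actions in receiver_actions(manifest_xml).items():
        hit = sorted(actions & WAKEUP_ACTIONS)
        if hit:
            flagged.append((name, hit))
    return flagged


# Constructed manifest of a hypothetical puzzle game bundling the receiver.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.puzzle">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name="us.pyumo.TekyaReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".ShareReceiver">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for receiver, actions in flag_wakeup_receivers(SAMPLE_MANIFEST):
        print(f"{receiver}: {', '.join(actions)}")
```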

The researchers published the full list of infected apps, with their package names and Google Play install counts.


This shows that attackers are still finding ways to bypass Google Play Store defenses and infiltrate it with malicious apps.

Before installing an app, users are advised to check the application's background and the reputation of its developer.