
Thursday, April 2, 2020

Coronavirus ‘Financial Relief’ Phishing Attacks Spike




Author: Lindsey O'Donnell
April 1, 2020 3:48 pm


A spate of phishing attacks has promised financial relief due to the coronavirus pandemic – but in reality swiped victims’ credentials, payment card data and more.


Researchers are warning of an upward surge in social-engineering lures in malicious emails that promise victims financial relief during the coronavirus pandemic.

The slew of campaigns piggybacks on news of governments mulling financial relief packages in response to the economic stall brought on by consumers social-distancing themselves. This latest trend shows cybercriminals continuing to use the newest developments in the coronavirus saga as leverage for phishing campaigns, targeted emails spreading malware and more.

“These campaigns use the promise of payments by global governments and businesses (specifically financial institutions) aimed at easing the economic impact of the ongoing pandemic to urge users to click links or download files,” said Proofpoint researchers, in analysis released Wednesday.


One credential-phishing campaign has been spotted primarily targeting U.S. healthcare and higher-education organizations (as well as the technology industry, including information-security companies), with a message purporting to be from their payroll departments.

The emails, titled “General Payroll !”, explain that the Trump administration “is considering” sending most American adults a check to help stimulate the economy.

“The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic,” says the message. “All staff/faculty & employee include student are expected to verify their email account for new payroll directory and adjustment for the month of March benefit payment.”

Researchers said that these emails come with plenty of red flags, including their “crude design,” with clear grammatical and spelling errors, as in the message quoted above. The messages also use a basic web page that’s clearly branded by a free website maker for its phishing landing page.

The message asks recipients to verify their email accounts through a malicious link (called the “MARCH-BENEFIT secure link”) that directs them to a phishing page. This phishing page then asks for their usernames, email addresses and passwords tied to their employee benefits.



Researchers pointed to similar phishing campaigns in Australia and the U.K. In Australia, a campaign was discovered using emails claiming to be from a major Australian newspaper and using the subject line, “Government announces increased tax benefits in response to the coronavirus.” These email messages contain a PDF attachment with an embedded URL that leads to a phishing page, where victims are asked to input their Microsoft OneDrive credentials.

In the U.K., a large email campaign was uncovered targeting manufacturing, technology, transportation, healthcare, aerospace, retail, energy, business services and hospitality companies. The campaign emails claim to be from a major (unnamed) United Kingdom bank. They offer 300 Singapore dollars (approximately $210 USD) as financial support, and tell the recipient to “Start Here” to claim the money by clicking on a link. That then leads them to the attacker-controlled landing page that asks for their name, address and credit-card number.

Another, smaller campaign targets technology and IT organizations, purporting to be from the World Health Organization (WHO) and the International Monetary Fund (IMF). These emails, sent with a subject line of “COVID 19 : Relief Compensation,” tell recipients they have been “randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak” and ask them to learn more by clicking on a fake Microsoft Excel-branded attachment that gathers emails and passwords.

Attackers continue to leverage coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams. Researchers warned that users should continue to be on the lookout for phishing emails playing into fears around the coronavirus pandemic.

Zeus Sphinx, for instance, was recently spotted joining the growing fray of COVID-19-themed phishing and malspam campaigns, using a government-assistance lure.

“The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale, and these recent payment-related lures underscore that threat actors are paying attention to new developments,” researchers said. “We anticipate threat actors will continue modifying their strategies as the news surrounding COVID-19 shifts.”

There's now COVID-19 malware that will wipe your PC and rewrite your MBR

Security researchers have discovered coronavirus-themed malware created to destroy users' computers.




By Catalin Cimpanu for Zero Day | April 2, 2020 -- 02:32 GMT (03:32 BST) | Topic: Coronavirus: Business and technology in a pandemic


With the coronavirus (COVID-19) pandemic raging all over the globe, some malware authors have developed malware that destroys infected systems, either by wiping files or rewriting a computer's master boot record (MBR).

With help from the infosec community, ZDNet has identified at least five malware strains, some distributed in the wild, while others appear to have been created only as tests or jokes.

The common theme among all four samples is that they use a coronavirus theme and they're geared towards destruction, rather than financial gain.

MBR-rewriting malware

Of the four malware samples found by security researchers this past month, the most advanced were the two samples that rewrote MBR sectors.

Some advanced technical knowledge was needed to create these strains as tinkering with a master boot record is no easy feat and could easily result in systems that didn't boot at all.

The first of the MBR-rewriters was discovered by a security researcher who goes by the name of MalwareHunterTeam, and detailed in a report from SonicWall this week. Using the name COVID-19.exe, this malware infects a computer and has two infection stages.


In the first phase, it just shows an annoying window that users can't close because the malware has also disabled the Windows Task Manager.

Image: SonicWall

While users attempt to deal with this window, the malware is silently rewriting the computer's master boot record behind their back. It then restarts the PC, and the new MBR kicks in, locking users into a pre-boot screen.

Users can eventually regain access to their computers, but they'll need special apps that can be used to recover and rebuild the MBR to a working state.

Image: SonicWall

But there was a second coronavirus-themed malware strain that rewrote the MBR. This one is a far more convoluted malware operation.

It posed as the "CoronaVirus ransomware" but it was only a facade. The malware's primary function was to steal passwords from an infected host and then mimic ransomware to trick the user and mask its real purpose.

However, it wasn't ransomware either. It only posed as one. Once the data-stealing operations ended, the malware entered a phase where it rewrote the MBR and locked users into a pre-boot message, preventing access to their PCs. With users seeing ransom notes and then not being able to access their PCs, the last thing users would think to do is to check if someone exfiltrated passwords from their apps.

Image: Bleeping Computer

According to analysis from SentinelOne security researcher Vitali Kremez and Bleeping Computer, the malware also contained code to wipe files on the user's systems, but this didn't appear to be active in the version they analyzed.

Furthermore, this one was also spotted twice, with a second version discovered by G DATA malware researcher Karsten Hahn, two weeks later. This time, the malware kept the MBR-rewriting capabilities but replaced the data wiping feature with a functional screen-locker.



Karsten Hahn (@struppigel), 6:00 PM - Mar 26, 2020:

At first this seems like a simple screenlocker, but it infects the MBR as well.
Same MBR as the Coronavirus ransomware found by @malwrhunterteam

The MBR is from a builder by someone called #WobbyChip. https://www.virustotal.com/gui/file/fba31181ed1957e81c452fa1e860414d3a2bd2da470074a32f196f873a37d9ad/detection …

Data wipers

But security researchers have spotted more than coronavirus-themed MBR-rewriters. They also spotted two data wipers.

Both were discovered by MalwareHunterTeam.

The first was spotted back in February. It used a Chinese file name, and most likely targeted Chinese users, although we don't have information on whether it was distributed in the wild or was just a test.

The second was spotted yesterday, and this one was found uploaded on the VirusTotal portal by someone located in Italy.

MalwareHunterTeam described both strains as "poor wipers" because of the inefficient, error-prone, and time-consuming methods they used to erase files on infected systems. However, they worked, which made them dangerous if ever spread in the wild.



MalwareHunterTeam (@malwrhunterteam), 7:23 PM - Apr 1, 2020:

"alcuni accorgimenti da prendere per il Covid-19\.zip" -> "Covid-19.exe" (60e9dfe954acf0b02a5b35f367cf36ae2bc9b12e02aa3085495c5d8c4c94611c) -> dropped "Covid-19.bat", which is a poor wiper...
Seen from Italy.
Not sure it worse if it was created as joke or seriously. @JAMESWT_MHT


It might seem weird that some malware authors create destructive malware like this, but it's not the first time that this has happened. For every financially motivated malware strain that security researchers discover, there's also one that was created as a joke, just for the giggles. Something similar happened during the WannaCry ransomware outbreak in 2017, when, days after the original WannaCry ransomware encrypted computers all over the world, there were countless clones doing the same thing for no apparent reason.

WinRAR: Version 5.90 released for Windows, Linux, Mac and Android



By SecNews, 1 April 2020



WinRAR: Version 5.90 released for Windows, Linux, Mac and Android: WinRAR 5.90 Final has been released with many performance improvements and bug fixes for the Windows, Mac, Linux and Android operating systems.

For those who don't know it, WinRAR is file compression and decompression software from RARLAB, which supports the ARJ, BZIP2, CAB, GZ, ISO, JAR, LHA, RAR, TAR, UUE, XZ, Z, ZIP, ZIPX, 7z and 001 formats.

There is also a free trial of the program, meaning you can use WinRAR for a specific period of time before buying it.

As we already mentioned, WinRAR 5.90 comes with several performance improvements, such as better CPU support and a larger number of threads. Below you will see in detail the most important changes in the new version.
Higher compression speed for processors with 16 or more cores.
Higher compression ratio for the RAR5 format.
The maximum number of threads is increased from 32 to 64. The -mt switch can now take values from 1 to 64.
The “Multithreading” parameter has been replaced by “Threads”. Here you can set the number of threads to values from 1 up to the number of threads your processor has.
WinRAR now displays the size of compressed files.
A “Total folders” field was added to the parameters displayed by the “Info” command.
There is now a window that displays progress and has a cancel button for formats that take more time, e.g. tar.gz and tar.bz2.
It is now possible to resize windows.
Major improvement of the RAR5 format recovery record.
The repair command can now be used on RAR5 archives without entering a password.
If the folder for the “Convert archives” command does not exist, the program tries to create it. This was not done in older versions of WinRAR.
Added extraction support for GZIP archives.

Fixed bugs:
The “repair” command reporting that the recovery record was not valid when in fact it was.
The bug where WinRAR ignored the “quick open information” option (if it was set to “Do not add”) when searching contents.
The Ctrl+C shortcut now works in the archive comment window.
The bug where WinRAR ignored the destination path in the archive header if the option to create separate archives for each file was enabled.

Wednesday, April 1, 2020

Indian Cybercrime Officials Release a List of Potentially Dangerous Coronavirus-related Domains


By CISOMAG - March 30, 2020




COVID-19 has affected several lives and businesses globally and is steadily increasing its spread. According to the government of India, the total number of active cases of Coronavirus in the country, as of March 30, 2020, is standing at 942 and the death toll stands at 29. The government of India has been taking all the necessary precautions to contain the spread of the virus.

While the government and public are taking stringent actions against the transmission of COVID-19, opportunistic cybercriminals are taking advantage of the situation to exploit internet users. Multiple Coronavirus-related scams, phishing websites, malicious maps, and spam messages have been reported frequently in recent times.

Recently, the cybercrime division of New Delhi, India, warned the public to be vigilant about malicious Coronavirus-related websites. The officials also tweeted a list of fake or potentially dangerous websites, urging people not to click on them.

The following domains are listed as potentially dangerous:

The cybercrime officials also released a report, “Cybercrime Threat in Wake of Rampant Corona Virus,” in order to educate online users on how cybercriminals are capitalizing on the Coronavirus outbreak. “Fake links related to the pandemic are sent by criminals claiming to be health authorities, with the aim of tricking victims into connecting to a specific webpage and to login their real email address and password. Scammers then use their credentials to access sensitive information and potentially to steal their money,” the report stated.
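Lists like the one above are published in defanged "[.]" notation so that the entries cannot be clicked by accident. As an added example (not part of the CISOMAG article or the Delhi advisory), the Python below ingests such a list, refangs it, and flags matching lookups in resolver logs; the domains and log lines are constructed placeholders under the reserved .invalid/.test TLDs, not the advisory's own entries.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed advisory excerpt in the defanged "[.]" notation the Delhi list uses.
# The domains are placeholders under the reserved .invalid/.test TLDs, not the
# advisory's own entries; one is repeated on purpose, as in the published list.
ADVISORY_TEXT = """Following domains are listed as potentially dangerous:
coronavirus-map-sample[.]invalid
covid-relief-sample[.]test
vaccine-sample[.]invalid
vaccine-sample[.]invalid
"""

DEFANGED_RE = re.compile(r"\b([a-z0-9-]+(?:\[\.\][a-z0-9-]+)+)\b", re.I)

def refang(token: str) -> str:
    """Turn 'foo[.]bar' into 'foo.bar', lower-cased, with any trailing dot removed."""
    return token.replace("[.]", ".").lower().rstrip(".")

def parse_blocklist(text: str) -> Set[str]:
    """Extract every defanged domain from advisory text; duplicates collapse."""
    return {refang(m.group(1)) for m in DEFANGED_RE.finditer(text)}

def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name up to its parents: www.a.b -> a.b (never the bare TLD).
    # Label-wise matching means 'notvaccine-sample.invalid' is NOT a hit for
    # 'vaccine-sample.invalid', which a naive substring check would get wrong.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

# Constructed resolver log lines in dnsmasq's "query[TYPE] name from client" shape.
SAMPLE_LOG = """Mar 30 10:01:02 dnsmasq[512]: query[A] www.coronavirus-map-sample.invalid. from 10.0.0.5
Mar 30 10:01:09 dnsmasq[512]: query[AAAA] who.int from 10.0.0.7
Mar 30 10:02:11 dnsmasq[512]: query[A] COVID-RELIEF-SAMPLE.test from 10.0.0.9
Mar 30 10:02:40 dnsmasq[512]: query[A] notvaccine-sample.invalid from 10.0.0.3
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def scan_dns_log(lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched entry) for each query that hits the list."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        entry = matches_blocklist(qname, blocklist)
        if entry:
            hits.append((client, qname.rstrip("."), entry))
    return hits

if __name__ == "__main__":
    listed = parse_blocklist(ADVISORY_TEXT)
    for client, qname, entry in scan_dns_log(SAMPLE_LOG.splitlines(), listed):
        print(f"{client} queried {qname} (listed as {entry})")
```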

Cyberattacks via Malicious Coronavirus Map

Recently, a security researcher named Shai Alfasi discovered that threat actors are spreading malware disguised as a “Coronavirus Map” to steal personal information like usernames, passwords, credit card numbers, and other sensitive information stored in the user’s browser. Attackers designed multiple websites related to Coronavirus information to prompt users to click/download an application to keep them updated about the situation. The website displays a map representing COVID-19 spread, which then generates a malicious binary file and installs it on the victim’s device.

How to Secure Your Zoom Meetings from Zoom-Bombing Attacks


By Lawrence Abrams March 31, 2020



Since countries have begun enforcing shelter-in-place and stay-at-home orders during the Coronavirus pandemic, the Zoom video conferencing software has become a popular way to keep in touch with friends and family, and even to join online fitness classes.

However, with Zoom's rise in popularity, a type of attack called 'Zoom-bombing' has also seen more and more activity.

Zoom-bombing is when someone gains unauthorized access to a Zoom meeting to harass the meeting participants in various ways, to spread hate and divisiveness, or to record pranks that will later be shown on social media.

Just yesterday, the FBI released an advisory warning Zoom users that they should properly secure their browsers from Zoom-bombing attacks.

"The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language," the alert published by the FBI warned.

This guide will walk you through securing your Zoom meetings so that virtual get-togethers, meetings, exercise classes, and even happy hours are not Zoom-bombed by unauthorized users.

Privacy considerations when using Zoom

Before we get into learning how to use Zoom, it is important to consider the privacy ramifications of participating in Zoom meetings.

One of the most important things to remember is that a Host can record a Zoom session, including the video and audio, to their computer. Therefore, be careful saying or physically 'revealing' anything that you would not want someone else to potentially see or know about.

Meeting participants will know when a meeting is being recorded as there will be a 'Recording...' indicator displayed in the top left of the meeting as shown below.



It is also important to remember that a user can download their chat logs before leaving a meeting. These logs will only contain messages that you could see, but not the private chat messages of other users.

Finally, it has been reported that there is no true end-to-end encryption (E2E) between Zoom users' endpoints.

What this means is that only the communication between a meeting participant and Zoom's servers is encrypted, while the related meeting data traversing over Zoom's network is not.

This theoretically means that a Zoom employee could monitor a meeting's traffic and snoop on it, but Zoom has told The Intercept that there are safeguards in place to prevent this type of activity.

"Zoom has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including — but not limited to — the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone."

Securing your Zoom meetings

Now that you know the potential privacy risks of using Zoom, before scheduling a meeting with friends or coworkers, you can familiarize yourself with the various ways you can secure Zoom meetings using the steps below.

Add a password to all meetings!

When creating a new Zoom meeting, Zoom will automatically enable the "Require meeting password" setting and assign a random six-digit password.



You should not uncheck this option as doing so will allow anyone to gain access to your meeting without your permission.

Use waiting rooms

Zoom allows the host (the one who created the meeting) to enable a waiting room feature that prevents users from entering the meeting without first being admitted by the host.

This feature can be enabled during the meeting creation by opening the advanced settings, checking the 'Enable waiting room' setting, and then clicking on the 'Save' button.
Enable waiting room setting

When enabled, anyone who joins the meeting will be placed into a waiting room where they will be shown a message stating "Please wait, the meeting host will let you in soon."

The meeting host will then be alerted when anyone joins the meeting and can see those waiting by clicking on the 'Manage Participants' button on the meeting toolbar.



You can then hover your mouse over each waiting user and 'Admit' them if they belong in the meeting.
Admit a person into the meeting

Keep Zoom client updated

If you are prompted to update your Zoom client, please install the update.

The latest Zoom updates enable meeting passwords by default and add protection from people scanning for meeting IDs.

With Zoom being so popular at this time, more threat actors will also focus on it to find vulnerabilities. By installing the latest updates as they are released, you will be protected from vulnerabilities that have already been discovered and patched.

Do not share your meeting ID

Each Zoom user is given a permanent 'Personal Meeting ID' (PMI) that is associated with their account.

If you give your PMI to someone else, they will always be able to check if there is a meeting in progress and potentially join it if a password is not configured.

Instead of sharing your PMI, create new meetings each time that you will share with participants as necessary.

Disable participant screen sharing

To prevent your meeting from being hijacked by others, you should prevent participants other than the Host from sharing their screen.

As a host, this can be done in a meeting by clicking on the up arrow next to 'Share Screen' in the Zoom toolbar and then clicking on 'Advanced Sharing Options' as shown below.



When the Advanced Sharing Options screen opens, change the 'Who Can Share?' setting to 'Only Host'.



You can then close the settings screen by clicking on the X.

Lock meetings when everyone has joined

If everyone has joined your meeting and you are not inviting anyone else, you should Lock the meeting so that nobody else can join.

To do this, click on the 'Manage Participants' button on the Zoom toolbar and select 'More' at the bottom of the Participants pane. Then select the 'Lock Meeting' option as shown below.


Do not post pictures of your Zoom meetings

If you take a picture of your Zoom meeting, then anyone who sees this picture will be able to see its associated meeting ID. This can then be used by uninvited people to try and access the meeting.

For example, the UK Prime Minister Boris Johnson tweeted a picture today of the "first ever digital Cabinet", and included in the picture was the meeting ID.



This could have been used by attackers to try and gain unauthorized access to the meeting by manually joining via the displayed ID.
Manually join a meeting by ID

Thankfully, the virtual cabinet meeting was password-protected, but it does illustrate why all meetings need to use a password or at least a waiting room.

Do not post public links to your meetings

When creating Zoom meetings, you should never publicly post a link to your meeting.

Doing so will cause search engines such as Google to index the links and make them accessible to anyone who searches for them.

As the default setting in Zoom is to embed passwords in the invite links, once a person has your Zoom link they can Zoom-bomb your meeting.
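The two sections above (meeting IDs in pictures, and invite links with the password embedded) describe the same leak from the publishing side. As an added example that is not part of the BleepingComputer guide or Zoom's own tooling, the Python below reviews a draft post before it goes out: it blocks Zoom join links that carry a pwd parameter, warns on links or bare numbers that expose a meeting ID, and returns a redacted copy. It assumes the public join-link shape https://<tenant.>zoom.us/j/<9-11 digit ID>?pwd=<token>; the draft text is constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Zoom join links look like https://<tenant.>zoom.us/j/<meeting id>?pwd=<token>;
# the pwd parameter is the embedded password the guide warns about, and the
# 9-11 digit ID alone is enough for someone to try the "Join" dialog.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ZOOM_HOST_RE = re.compile(r"(^|\.)zoom\.us$", re.I)
JOIN_PATH_RE = re.compile(r"^/j/(\d{9,11})/?$")
# Bare 9-11 digit numbers with optional spaces/dashes, e.g. an ID read off a
# screenshot. Phone numbers have the same shape, so these are warnings only.
BARE_ID_RE = re.compile(r"(?<![\d-])\d{3}[ -]?\d{3,4}[ -]?\d{3,4}(?![\d-])")
MASK = "[meeting-id-removed]"

def classify_link(url: str) -> Tuple[str, str]:
    """Return (severity, reason) for one URL; severity is ok, warn or block."""
    parts = urlsplit(url)
    if not ZOOM_HOST_RE.search(parts.hostname or ""):
        return ("ok", "not a Zoom link")
    m = JOIN_PATH_RE.match(parts.path)
    if not m:
        return ("ok", "Zoom link without a meeting ID")
    if "pwd" in parse_qs(parts.query):
        return ("block", "join link with embedded password")
    return ("warn", "join link exposes meeting ID " + m.group(1))

def redact_link(url: str) -> str:
    """Drop the pwd parameter and mask the meeting ID; keep any other parameters."""
    parts = urlsplit(url)
    query = {k: v for k, v in parse_qs(parts.query).items() if k != "pwd"}
    path = JOIN_PATH_RE.sub("/j/" + MASK, parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query, doseq=True), ""))

def review_draft(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Scan a draft post; return (redacted text, [(severity, item, reason), ...])."""
    findings = []
    redacted = text
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")  # strip sentence punctuation glued to the link
        severity, reason = classify_link(url)
        if severity != "ok":
            findings.append((severity, url, reason))
            redacted = redacted.replace(url, redact_link(url))
    # Only after the links are masked: look for IDs typed into the prose itself.
    for m in BARE_ID_RE.finditer(redacted):
        findings.append(("warn", m.group(0), "bare meeting ID in text"))
    redacted = BARE_ID_RE.sub(MASK, redacted)
    return redacted, findings

# Constructed draft of a public post; the link and ID are made-up values.
SAMPLE_DRAFT = (
    "Join our virtual happy hour tonight! "
    "https://us02web.zoom.us/j/1234567890?pwd=abcDEF123.\n"
    "Agenda: https://example.invalid/agenda.html and the backup room ID is 987 654 3210."
)

if __name__ == "__main__":
    clean, issues = review_draft(SAMPLE_DRAFT)
    for severity, item, reason in issues:
        print(f"{severity.upper()}: {reason}: {item}")
    print(clean)
```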

Be on the lookout for Zoom-themed malware

Since the Coronavirus outbreak, there has been a rapid increase in the number of threat actors creating malware, phishing scams, and other attacks related to the pandemic.

This includes malware and adware installers being created that pretend to be Zoom client installers.
Malicious Zoom installer

To be safe, only download the Zoom client directly from the legitimate Zoom.us site and not from anywhere else.