Table of Contents

  1. Ransomware
    1. Trend Micro Set Up a Fake Tech Company and Honeypot To Study Cyber Criminals
    2. Ako Ransomware targeting businesses using RaaS
  2. Malware
    1. New wave of Mal-Spam campaign attaching Disk Imaging Files
    2. TrickBot Now Steals Windows Active Directory Credentials
    3. U.S. Gov Agency Targeted With Malware-Laced Emails
  3. Vulnerabilities
    1. MDhex Vulnerabilities Impact GE Patient Vital Signs Monitoring Devices
    2. Cisco fixes critical issue in Cisco Firepower Management Center
    3. Mitigating Cloud Vulnerabilities (by National Security Agency)
  4. Crime
    1. Russian operator of Cardplanet carding site pleads guilty in the US
    2. Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector
  5. Leaks
    1. Identity and Access Misstep: How an Amazon Engineer Exposed Credentials and More
    2. POS Vendor for Cannabis Dispensaries Exposed Data
  6. Password managers
    1. LastPass Mistakenly Removes Extension from Chrome Store, Causes Outage
  7. Privacy
    1. Microsoft Looms Over the Privacy Debate in Its Home State
    2. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance
    3. Inside hundreds of surveillance experiments along the US-MX border
  8. OSINT
    1. Geolocating Oil spills in South Sudan

Ransomware

Trend Micro Set Up a Fake Tech Company and Honeypot To Study Cyber Criminals

Trend Micro has done some very cool research by creating a fake factory company, populating it with vulnerable software, and monitoring the activities that happen when you leave such critical systems open on the internet. Read the full report here.

Ako Ransomware targeting businesses using RaaS

Quick Heal security researchers recently observed ransomware that uses RaaS (Ransomware as a Service), which is a subset of MaaS (Malware as a Service). Ako ransomware targets businesses and spreads across networks. It uses email as its propagation mechanism. The email carries an attachment, a password-protected zip file named 'agreement.zip'. When this archive is extracted, it drops 'agreement.scr', an executable responsible for the ransomware activity.

Malware

New wave of Mal-Spam campaign attaching Disk Imaging Files

Over the past few months, Quick Heal Labs has observed a sudden rise in spear phishing mail carrying uncommon file formats as attachments, such as IMG and ISO disk images. These new attachment types are mainly used to deploy well-known, older Remote Access Trojans. The subjects of these emails are made to look as genuine as possible, for example 'Case file against your company' or 'AWB DHL SHIPMENT NOTICE AGAIN'. The attached files contain compressed malware (RATs) under many different names, such as 'Court Order.img' or 'Product Order.img'. The image below displays one such spear phishing mail. As new features are introduced in Windows, threat actors keep finding ways to abuse them; here that abuse takes the form of disk imaging formats being used to deliver RATs. In the future these formats may also be used to deploy other kinds of malware, as threat actors are adept at abusing features built into Windows itself.

TrickBot Now Steals Windows Active Directory Credentials

A new module for the TrickBot Trojan has been discovered that targets the Active Directory database stored on compromised Windows domain controllers. TrickBot is typically downloaded and installed on a computer by other malware. The most common malware that installs TrickBot is Emotet, which is distributed through spam with malicious Word document attachments. Once TrickBot is installed, it harvests various information from the compromised computer and then attempts to spread laterally through the network to gather more data. To do this, TrickBot downloads modules that each perform a specific task, such as stealing cookies, browser information, or OpenSSH keys, or spreading to other computers. As part of the malware's continued evolution, a new TrickBot module called 'ADll' was discovered by security researcher Sandor Nemes; it executes a series of Windows commands that allow the Trojan to steal a Windows Active Directory database.

U.S. Gov Agency Targeted With Malware-Laced Emails

The malicious email campaign included a never-before-seen malware downloader called Carrotball, and may be linked to the Konni Group APT. A U.S. government agency was targeted with spear phishing emails harboring several malware strains, including a never-before-seen malware downloader that researchers call "Carrotball." The campaign, which researchers observed from July to October and code-named "Fractured Statue," involved six unique malicious document lures sent as attachments from four different Russian email addresses to 10 unique targets. The subjects of the lures were articles written in Russian about ongoing geopolitical issues surrounding North Korea. "Overall, the Fractured Statue campaign provides clear evidence that the TTPs [tactics, techniques and procedures] discovered in Fractured Block are still relevant, and that the group behind the attacks still appears to be active," said Adrian McCabe of Palo Alto Networks' Unit 42 research group, in a Thursday analysis.

Vulnerabilities

MDhex Vulnerabilities Impact GE Patient Vital Signs Monitoring Devices

Critical vulnerabilities have been discovered in popular medical devices from GE Healthcare that could allow attackers to alter the way the devices function or render them unusable. The set of six security flaws has been collectively named MDhex. Five of them received the highest severity rating on the Common Vulnerability Scoring System, 10 out of 10.

Cisco fixes critical issue in Cisco Firepower Management Center

Cisco fixed a critical vulnerability in the Cisco Firepower Management Center that could allow a remote attacker to gain administrative access to the web-based management interface of vulnerable devices and execute arbitrary actions. The vulnerability, tracked as CVE-2019-16028, received a CVSS score of 9.8. "A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device," reads the security advisory published by Cisco.

Mitigating Cloud Vulnerabilities (by National Security Agency)

The NSA has published a document guiding companies on how to deal with cloud vulnerabilities and on how responsibility is shared between the cloud provider and the customer.

Crime

Russian operator of Cardplanet carding site pleads guilty in the US

Last year, Russian national Aleksei Burkov (29) was accused of running an online criminal marketplace, called Cardplanet, that helped crooks carry out more than $20 million in credit card fraud. In November, the suspect was extradited to the US to face criminal charges. Burkov also operated another invite-only cybercrime forum; to obtain membership, prospective members needed three existing members to "vouch" for their good reputation in the cybercrime community. Membership also required a sum of money, normally $5,000, as insurance. Cardplanet offered stolen credit card numbers for sale at prices ranging from $3 to $60.

Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector

Security experts from Recorded Future reported that a backdoor previously used in attacks carried out by an Iran-linked threat actor was used to target a key organization in the European energy sector. The malware is the PupyRAT backdoor, which is a "multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python" that can give the attackers full access to the victim's system.

Leaks

Identity and Access Misstep: How an Amazon Engineer Exposed Credentials and More

UpGuard has disclosed that a GitHub-hosted repository belonging to an Amazon Web Services engineer, containing personal identity documents and system credentials including passwords, AWS key pairs, and private keys, has been secured from public access. The data was committed to a public repository on the morning of 13 January 2020. It was detected within half an hour by UpGuard analysts, reported to AWS Security, and secured that same day.

POS Vendor for Cannabis Dispensaries Exposed Data

Security firm vpnMentor says its research team recently discovered that Seattle, Washington-based THSuite left its database exposed. "Our team identified an unsecured Amazon S3 bucket owned by THSuite that exposed sensitive data from multiple marijuana dispensaries around the U.S. and their customers," the research report states. The leaked data included more than 85,000 files, including scanned government and employee IDs, exposing personally identifiable information for over 30,000 individuals, the report says. Researchers discovered the unsecured bucket on Dec. 24, 2019, and contacted THSuite on Dec. 26. Amazon AWS was contacted on Jan. 7, and the database was closed on Jan. 14, vpnMentor reports. It is not clear whether the data in the exposed database was inappropriately viewed or used.

Password managers

LastPass Mistakenly Removes Extension from Chrome Store, Causes Outage

LastPass caused an accidental outage yesterday by mistakenly removing the LastPass extension from the Chrome Web Store, leaving users with 404 errors when trying to download and install it on their devices. "The LastPass extension in the Chrome Web Store was accidentally removed by us, and we are working with the Google team to restore it ASAP," LastPass Support said today in an update on Twitter. "You can still access your Vault by signing in on our website."

Privacy

Microsoft Looms Over the Privacy Debate in Its Home State

The company's senior director of public policy spoke in support of a proposed law that would regulate government use of facial recognition. The occasion was a legislative hearing on Nguyen's proposal and on a second, broader privacy bill, also supported by both Nguyen and Microsoft, that restricts some private uses of facial recognition. The Washington bills, which have bipartisan support, would introduce restrictions on facial recognition, which is unregulated in most places today. Together their facial recognition provisions largely match suggestions published by Microsoft in 2018, when company president Brad Smith called for regulating the technology.

Bipartisan Coalition Bill Introduced to Reform NSA Surveillance

A bipartisan coalition of U.S. lawmakers introduced a new bill that aims to protect Americans from warrantless government surveillance such as that conducted by the National Security Agency (NSA). The Safeguarding Americans' Private Records Act was introduced today by Senators Wyden and Daines in the upper chamber, the Senate, while Representatives Lofgren, Davidson and Jayapal introduced it in the lower chamber, the US House of Representatives. The bill arrives before the March 15 expiration of Section 215 of the PATRIOT Act, used by the National Security Agency "to create a secret mass surveillance program that swept up millions of Americans' phone calls."

Inside hundreds of surveillance experiments along the US-MX border

Dozens of defense contractors are testing new surveillance technologies along the US-Mexico border. By examining thousands of broadcast licenses filed with the Federal Communications Commission (FCC), the scale of this activity comes into view. This repository provides a guide for exploration: you can examine the FCC license data yourself, track radio license activity on a map, or dive into the specific defense companies that are prototyping new ground radar systems for detecting people and drones.

OSINT

Geolocating Oil spills in South Sudan

Bellingcat has once again done an amazing job using OSINT to geolocate oil spills in concession areas of South Sudan that became epicenters of conflict and massive human rights abuses.