Table of Contents

  1. Malware
    1. Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims
    2. Financial Firms Targeted With New Type of Backdoor: Report
    3. Phishing Attack Disables Google Play Protect, Drops Anubis Trojan
    4. Metamorfo Returns with Keylogger Trick to Target Financial Firms
  2. Ransomware
    1. TA505 Hackers Behind Maastricht University Ransomware Attack
  3. Vulnerabilities
    1. Misconfigured Docker Registries Expose Orgs to Critical Risks
    2. cdpwn – Millions of devices at risk due to flaws in implementations of Cisco Discovery Protocol (CDP)
  4. Scams
    1. Anatomy of a Rental Phishing Scam
  5. Google
    1. Google Chrome To Ban HTTP File Downloads
  6. Digital rights
    1. Internet shutdown in Iran following reported cyber-attack
  7. Privacy
    1. Facial recognition fails in China as people wear masks to avoid coronavirus
  8. Leaks
    1. Japanese Defense Contractors Kobe Steel, Pasco Disclose Breaches
  9. Facebook
    1. Facebook’s official Twitter and Instagram accounts hacked by OurMine


Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims

A recently spotted Emotet Trojan sample features a Wi-Fi worm module that allows the malware to spread to new victims connected to nearby insecure wireless networks according to researchers at Binary Defense. This newly discovered Emotet strain starts the spreading process by using wlanAPI.dll calls to discover wireless networks around an already infected Wi-Fi enabled computer and attempting to brute-force its way in if they are password protected. Once it successfully connects the compromised device to another wireless network, the worm will start finding other Windows devices with non-hidden shares. This Emotet worm module not being discovered during the last two years despite researchers dissecting new strains on a daily basis might also be explained by the module not displaying spreading behavior on VMs/automated sandboxes without a Wi-Fi card. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords," Binary Defense concludes.

Financial Firms Targeted With New Type of Backdoor: Report

FireEye researchers are tracking a hacker campaign using a new type of backdoor they call "Minebridge" that has primarily been targeting U.S. financial firms this year. If the target of these emails opens the malicious file, macros then begin to install the Minebridge backdoor, according to the report. In one example, victims received phishing messages from a domain called "," which appeared to be a recruiting firm, the report finds. And while most of the targets of the Minebridge campaign are U.S.-based financial firms, some phishing emails have also been sent to South Korean organizations, including a marketing agency, the report finds. So far, researchers identified three phishing campaigns that have attempted to plant the Minebridge backdoor in corporate networks. If that feature was enabled, then the macros could install the backdoor, according to the report. On Jan. 28, a third phishing campaign again targeted U.S. financial firms with messages that appeared to come from someone with financial experience looking for a job, according to the report.

Phishing Attack Disables Google Play Protect, Drops Anubis Trojan

Android users are targeted in a phishing campaign that will infect their devices with the Anubis banking Trojan that can steal financial information from more than 250 banking and shopping applications. The campaign uses a devious method to get the potential victims to install the malware on their devices: it asks them to enable Google Play Protect while actually disabling it after being granted permissions on the device. To deliver the malware, the attackers use a malicious link embedded within the phishing email that will download an APK file camouflaged as an invoice as Cofense found. After being asked if he wants to use Google Play Protect and installing the downloaded APK, the victim's device will be infected with the Anubis Trojan. Cofense discovered that, once the Android smartphone or tablet is compromised, Anubis will start harvesting "a list of installed applications to compare the results against a list of targeted applications. The malware mainly targets banking and financial applications, but also looks for popular shopping apps such as eBay or Amazon. Once an application has been identified, Anubis overlays the original application with a fake login page to capture the user's credentials." However, this keylogging module has to be specifically enabled by the attackers via a command sent through Anubis' command and control (C2) server. Anubis Trojan samples with ransomware capabilities are not new, as Sophos previously discovered Anubis-infected apps in the Play Store in August 2018 that also added the .AnubisCrypt file extension to the encrypted files.

Metamorfo Returns with Keylogger Trick to Target Financial Firms

The malware uses a tactic to force victims to retype passwords into their systems - which it tracks via a keylogger. Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Metamorfo was first discovered in April 2018, in various campaigns that share key commonalities (like the use of "spray and pray" spam tactics). This newest variant, which targets payment-card data and credentials at financial institutions with Windows platforms, packs a new trick up its sleeve. Once executed, the malware kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords - which it then tracks via a keylogger. The command line finally loads a DLL file code with the payload. Researchers said these dual functionalities enable the malware to track victims' passwords as they manually write them out - enabling the malware operators to keep tabs on passwords even if they're changed. "Sometimes financial websites use 2FA to protect their customers like sending a security code via SMS/email to the customer, then verifying the customer's input on the website," he said.


TA505 Hackers Behind Maastricht University Ransomware Attack

Maastricht University (UM) disclosed that it paid the 30 bitcoin ransom requested by the attackers who encrypted some of its critical systems following a cyberattack that took place on December 23, 2019. That infrastructure consists of 1,647 Linux and Windows servers and 7,307 workstations," the university explains in a management summary of the Fox-IT incident report and UM's response. "The attack ultimately focused on 267 servers of the Windows domain. The attacker focused on encrypting data files in the Windows domain. UM says that all critical systems now have online and offline backups to avoid facing a future total failure scenario in the event of another ransomware attack. TA505 (also tracked SectorJ04) is a financially motivated hacker group known for mainly targeting retail companies and financial institutions since at least Q3 2014. According to Fox-IT, the hackers were able to infiltrate the university's systems via two phishing e-mails that were opened on two UM systems on October 15 and 16. Until November 21 when they gained admin rights on an unpatched machine, the attackers moved through UM's network compromising servers left and right until it finally deployed the Clop ransomware payload on 267 Windows systems. While UM added that the forensic research "indicates how cybercriminals have taken some of UM's data hostage," research and personal data was not exfiltrated. However, the university will continue investigating if this conclusion is 100% accurate via "follow-up research into possible extraction" of important data files representative of education, research, and business operations as Fox-IT recommends.


Misconfigured Docker Registries Expose Orgs to Critical Risks

Some organizations have improperly configured Docker registries exposed to the public web, leaving a door open for attackers to infiltrate and compromise operations. Entities running this risk include research institutes, retailers, news media organizations, and technology companies, security researchers found after checking Docker servers on the internet. In a Docker environment, applications are packed in virtualized images that include all the code and dependencies the programs need to run independently of the underlying operating system. Users access these containers from repositories available in a Docker server called registry and create multiple versions of them, differentiated by tags. They can download and run images locally, upload custom versions, or delete them - push, pull, delete - these being the main operations supported by a Docker registry. Searching for Docker registries accessible over the public web, security researchers at Palo Alto Networks found that 117 lacked authentication controls that would prevent unauthorized access. "Although setting up a Docker registry server is straightforward, securing the communication and enforcing the access control requires extra configurations. Of the 117 unprotected servers, 80 allowed downloading an image, 92, permitted unauthorized upload, and seven allowed anyone to delete images. In total, these unsecured Docker registries hosted 2,956 repositories and 15,887 tags. They belonged to entities in a variety of domains, from research and retail to news and media organizations and businesses in the technology sector.

cdpwn – Millions of devices at risk due to flaws in implementations of Cisco Discovery Protocol (CDP)

A set of vulnerabilities in the Cisco Discovery Protocol (CDP) exposes tens of millions of devices to the risk of cyber attacks. Researchers at IoT security firm Armis discovered a set of five serious vulnerabilities in the implementation of the Cisco Discovery Protocol (CDP) protocol. The experts tracked the set as CDPwn and warned that the issues could be exploited by attackers to take complete control of vulnerable devices. " Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment." reads the advisory published by Armis. "CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras.


Anatomy of a Rental Phishing Scam

Jeffrey Ladish became recently a target of an unsuccessful phishing scam, and she wrote a blog post about it. It's interesting to see the psychological tricks the scammers have used to make the scam look very convincing.


Google Chrome To Ban HTTP File Downloads

Downloads of files like images may be banned if they use HTTP connections - even if they are available from an HTTPS website. Google Chrome will soon restrict certain files, like PDFs or executables, from being downloaded via an HTTP connection - even if they are loaded on HTTPS web pages. When connecting to an HTTP website, browsers merely look up the IP address and send data over to it in clear text. With Chrome 68's 2018 release, Google started to label HTTP websites with an "insecure" warning label in the navigation bar. Similarly, HTTPS websites can still serve up images, scripts or other file types that are downloaded using the less-secure HTTP connection. "Insecurely downloaded files are a risk to users' security and privacy," said Joe DeBlasio, with the Chrome Security Team, in a Thursday post. To address these risks, we plan to eventually remove support for insecure downloads in Chrome. "Google, which first dropped proposals around this idea last April, has outlined a roadmap to eventually ban the files downloads in question over the next seven months. Starting with Chrome 82, Google Chrome will first merely warn users if they are downloading executables using an HTTP connection - then, with Chrome 83 (June 2020) the browser will begin to block them. It will do the same with other mixed content downloads until blocking everything in Chrome 86, set to be released September 2020. "File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types," according to DeBlasio.

Digital rights

Internet shutdown in Iran following reported cyber-attack

Network data from the NetBlocks internet observatory confirm extensive disruptions to telecommunication networks in Iran on the morning of Saturday, 8 February for a period of over two hours. Authorities have issued a preliminary statement that the internet shutdown is being implemented to repel a cyber-attack on the country's infrastructure.


Facial recognition fails in China as people wear masks to avoid coronavirus

For hundreds of millions of people in China, the spread of the new coronavirus has caused abrupt changes to the smallest of habits - even a gesture that most in the country are used to by now: Looking into the camera for facial recognition. Residents donning surgical face masks while venturing outside their homes or meeting strangers have found themselves in an unfamiliar conundrum. In China, facial recognition is being deployed from train stations and airports to stores and hotels. "I was standing under the facial recognition [camera] but it didn't recognize me," one user said. "Around two minutes later, I realized I was wearing a mask."


Japanese Defense Contractors Kobe Steel, Pasco Disclose Breaches

Japanese defense contractors Pasco Corporation (Pasco) and Kobe Steel (Kobelco) disclosed security breaches that happened in May 2018 and in June 2015/August 2016, respectively. No damage such as information leakage has been discovered so far during the following investigations per the official statement. It is also possible that the threat actors behind the attacks might have targeted the companies' defense information, but the data that might have been leaked did not include defense secrets. Kobe Steel is a known supplier of submarine parts for the Japan Self-Defense Forces (SDF), while Pasco is a provider of satellite data. The two companies are the last of the four defense-related firms that were hacked between 2016 and 2019, as Japanese Defense Minister Taro Kono said during a press conference on January 31. The other two defense contractors that were infiltrated by attackers are Mitsubishi Electric and NEC. Mitsubishi Electric disclosed that the security breach might have caused the leak of personal and confidential corporate info, with about 200 MB worth of documents being exposed during the attack that took place on June 28, 2019. The eight months delay disclosing the incident was attributed by Mitsubishi Electric to the complexity of the investigation caused by the activity logs being deleted after the attack. "According to people involved, Chinese hackers Tick may have been involved," Nikkei reported after Mitsubishi Electric disclosed the breach. The group is known for primarily targeting Japanese organizations from several sectors including but not limited to manufacturing, critical infrastructure, international relations, and heavy industry.


Facebook’s official Twitter and Instagram accounts hacked by OurMine

The popular hacking group OurMine hacked the Twitter and Instagram accounts for Facebook and Messenger. The notorious Saudi Arabian OurMine hacking group has hacked accounts and systems of prominent experts and organizations across the years, including Facebook CEO Mark Zuckerberg's Pinterest, Twitter, LinkedIn accounts. OurMine also hacked social media accounts of HBO and Game of Thrones, the Netflix US Twitter account (@Netflix) to promote its website and hacking services, and several high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta - Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, the CEO and founder of Spotify, Google CEO Sundar Pichai, and many others. Yesterday the group hacked the accounts of the social network giant and posted the following statement: "Hi, we are OurMine. Well, even Facebook is hackable but at least their security is better than Twitter." OurMine also hacked Facebook and Messenger accounts on Instagram and posted a photo of the group's logo. Facebook also confirmed the hack of its official social media accounts. "Some of our corporate social accounts were briefly hacked, but we have secured and restored access," Facebook spokesman Joe Osborne said.