Table of Contents

  1. Ransomware
    1. Mailto Ransomware under the skin of explorer.exe
    2. New PwndLocker Ransomware Targeting U.S. Cities, Enterprises
    3. The Dever Ransomware Experience
  2. Crime
    1. US Charges Two With Laundering $100M for North Korean Hackers
    2. Swiss government files criminal complaint over Crypto AG scandal involving CIA
    3. French Firms Rocked by Kasbah Hacker
  3. Vulnerabilities
    1. Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now
  4. Digital rights
    1. Wikipedia Farsi blocked in Iran as coronavirus fears spread
  5. Privacy
    1. Hundreds of New Yorkers Demand a Ban on NYPD Face Surveillance
    2. Schools Are Spying on Students – But Students Can Fight Back
  6. Misc
    1. Project Svalbard, Have I Been Pwned and its Ongoing Independence

Ransomware

Mailto Ransomware under the skin of explorer.exe

Mailto ransomware has started using an interesting technique to avoid detection: it injects itself into the `explorer.exe` process, attaches to that process as a debugger, and performs the encryption while the process is in debug mode.

New PwndLocker Ransomware Targeting U.S. Cities, Enterprises

Driven by the temptation of big ransom payments, a new ransomware called PwndLocker has started targeting the networks of businesses and local governments with ransom demands of over $650,000. The ransomware began operating in late 2019 and has since claimed a stream of victims ranging from local city governments to private organizations. BleepingComputer has been told that the ransom amounts demanded by PwndLocker range from $175,000 to over $660,000, depending on the size of the network. PwndLocker has also encrypted the network of the City of Novi Sad in Serbia. The PwndLocker payment site lets victims decrypt two files for free, talk to the ransomware operators, and see the ransom amount in bitcoin.

The Dever Ransomware Experience

A security researcher wrote a blog post detailing how the Dever ransomware spread across a friend's network and encrypted files on its SMB shares.

Crime

US Charges Two With Laundering $100M for North Korean Hackers

Two Chinese nationals were charged by the US Department of Justice and sanctioned by the US Treasury for allegedly laundering over $100 million worth of cryptocurrency out of the nearly $250 million stolen by the North Korean actors known as Lazarus Group, who hacked a cryptocurrency exchange in 2018. The same North Korean hackers are also tied to the theft of roughly $48.5 million worth of cryptocurrency from a South Korea-based exchange in November 2019. Creating illegitimate websites and malicious software to conduct phishing attacks against the virtual currency sector is a pattern previously seen from North Korean cybercriminals. The defendants then transferred the stolen funds among virtual currency addresses they controlled to obfuscate their origin.

Swiss government files criminal complaint over Crypto AG scandal involving CIA

Switzerland's Federal Department of Finance has filed a criminal complaint "against persons unknown" over media reports that a leading Swiss-based cryptological equipment manufacturer was secretly owned by the United States Central Intelligence Agency (CIA). The complaint relates to Crypto AG, the world's leading manufacturer of cryptologic equipment during the Cold War, whose clients included over 120 governments around the world. Last month, The Washington Post and the German public broadcaster ZDF appeared to confirm reports that had been circulating since the early 1980s that Crypto AG was a front for American intelligence. According to the revelations, the CIA and West Germany's Federal Intelligence Service (BND) secretly purchased the Swiss company in the 1950s and paid off most of its senior executives to buy their silence; it is these reports that prompted the complaint.

French Firms Rocked by Kasbah Hacker

A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products. In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East. Further investigation revealed the electricity provider was just one of many French critical infrastructure firms that had systems beaconing home to the malware network's control center. Other victims included one of France's largest hospital systems; a French automobile manufacturer; a major French bank; companies that work with or manage networks for French postal and transportation systems; a domestic firm that operates a number of airports in France; a state-owned railway company; and multiple nuclear research facilities.

Vulnerabilities

Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now

Ongoing scans on port 8009 for Apache Tomcat servers unpatched against the Ghostcat vulnerability, which can allow attackers to take over servers, were detected over the weekend. As cyber threat intelligence firm Bad Packets said on Saturday, "mass scanning activity targeting this vulnerability has already begun." Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) connector of Apache Tomcat versions 6.x through 9.x. All unpatched Apache Tomcat 6, 7, 8, and 9 installations ship with the AJP connector enabled by default, listening on all configured server IP addresses on port 8009.
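As an added example (not code from the article, from Bad Packets, or from the Apache Tomcat project), the following Python script looks for the exposure Ghostcat depends on from two angles: it audits a Tomcat server.xml for AJP connectors that listen on all interfaces or accept clients without a shared secret, and it sends an AJP CPing to a host on port 8009 to see whether a CPong comes back. The two server.xml fragments are constructed here: the "weak" one mirrors the default AJP connector line shipped enabled in unpatched Tomcat 7/8/9, the "hardened" one shows the same connector bound to loopback with a secret. The `address`, `secret` and `requiredSecret` attribute names are Tomcat's own; the host name is whatever you pass on the command line.

```python
"""Two checks for the Ghostcat (CVE-2020-1938) exposure described above:
(1) audit a Tomcat server.xml for AJP connectors that listen on all interfaces
    or accept unauthenticated clients, and
(2) send an AJP CPing to a host and see whether a CPong comes back.
Added example; not code from the article or from Apache Tomcat."""
import socket
import struct
import xml.etree.ElementTree as ET

AJP_PORT = 8009

# AJP/1.3 framing: client->container packets start with 0x12 0x34, container->client
# packets with 'A' 'B'; both carry a 2-byte big-endian payload length, then the payload.
CLIENT_MAGIC = b"\x12\x34"
SERVER_MAGIC = b"AB"
CPING = 0x0A  # client "are you alive?" message
CPONG = 0x09  # container reply

# --- (1) configuration audit -------------------------------------------------

# Constructed sample, shaped like the AJP line shipped enabled in unpatched
# Tomcat 7/8/9 server.xml: no address restriction, no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Same file after hardening: loopback only, plus a secret the reverse proxy must present.
# (Tomcat 7/8 spell the attribute requiredSecret; patched 8.5/9.0 releases use secret.)
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>',
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
    'secret="replace-with-a-long-random-value" redirectPort="8443"/>',
)


def audit_ajp_connectors(server_xml):
    """Return one dict per AJP connector with a list of findings (empty means OK)."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        address = conn.get("address")  # absent means "listen on all addresses"
        secret = conn.get("secret") or conn.get("requiredSecret")
        findings = []
        if address is None or address in ("0.0.0.0", "::"):
            findings.append("all-interfaces")
        if not secret:
            findings.append("no-secret")
        results.append({"port": conn.get("port"), "address": address or "*",
                        "findings": findings})
    return results


# --- (2) network probe ---------------------------------------------------------

def build_cping():
    payload = bytes([CPING])
    return CLIENT_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_container_packet(data):
    """Payload of a well-formed container->client packet, or None."""
    if len(data) < 4 or data[:2] != SERVER_MAGIC:
        return None
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:4 + length]
    return payload if len(payload) == length else None


def is_cpong(data):
    return parse_container_packet(data) == bytes([CPONG])


def ajp_exposed(host, port=AJP_PORT, timeout=3.0):
    """True if host answers an AJP CPing on port with a CPong."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_cping())
            return is_cpong(sock.recv(16))
    except OSError:  # refused, unreachable, or timed out
        return False


if __name__ == "__main__":
    import sys
    for entry in audit_ajp_connectors(WEAK_SERVER_XML):
        print("weak server.xml    :", entry)
    for entry in audit_ajp_connectors(HARDENED_SERVER_XML):
        print("hardened server.xml:", entry)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(f"{host}:{AJP_PORT} answers AJP CPing: {ajp_exposed(host)}")
```

Run it as `python ajp_check.py <host>` from outside the host's trust boundary: a CPong from an Internet-facing address means the AJP connector is reachable by anyone, which is exactly what the port 8009 scans are looking for. Until the server is upgraded, comment out the AJP `<Connector>` in server.xml if nothing (such as mod_jk or mod_proxy_ajp on a front-end web server) actually speaks AJP to it; if something does, bind it with `address="127.0.0.1"` (or the proxy's address) and configure a secret, as in the hardened sample. Note that the audit only sees active connectors: a connector line that sits inside an XML comment, as the default HTTP-only configurations do, is ignored by the parser just as it is by Tomcat.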

Digital rights

Wikipedia Farsi blocked in Iran as coronavirus fears spread

Network data from the NetBlocks internet observatory confirm that Iran blocked access to the Farsi (Persian) language edition of the Wikipedia online encyclopedia as of Monday, 2 March 2020. The blocks are technically consistent with known techniques used to restrict online platforms in Iran, with SNI filtering and DNS poisoning in place to prevent the website from loading. Records confirm that Wikipedia Farsi was fully available prior to Monday. The blocking measure is applied only to the desktop version of Wikipedia Farsi at https://fa.wikipedia.org; this apparent oversight means it is still possible to reach the site via the mobile version at https://fa.m.wikipedia.org. Network data also show a distinct fall in connectivity with several of Iran's leading cellular and fixed-line operators from approximately 0:30 a.m. UTC, with national connectivity falling to a low of 50% of ordinary levels for a period during the morning. The disruption comes as Iran struggles to tackle its domestic coronavirus outbreak and faces an upswell of online criticism as well as disinformation about the health crisis.

Privacy

Hundreds of New Yorkers Demand a Ban on NYPD Face Surveillance

Over two hundred New York City residents, including workers, parents, students, business owners, and technologists, have signed a petition calling for an end to government use of face surveillance in New York City. EFF and a coalition of over a dozen civil liberties groups delivered that petition to New York's City Council. In the letter accompanying the petition, the groups commend the more than thirty City Council members who have signed on as cosponsors of the long overdue, and much needed, POST Act. The push continues to convince City Council Speaker Corey Johnson to allow the POST Act to be brought to a vote, and the groups insist on prompt action against the persistent threat that government use of face surveillance presents to New Yorkers' privacy and safety.

Schools Are Spying on Students – But Students Can Fight Back

Schools across the country are increasingly using technology to spy on students at home, at school, and on social media. The Electronic Frontier Foundation (EFF) has launched a new Surveillance Self-Defense guide for students and their parents, so they can learn more about how schools are watching them and how they can fight back. "Some administrators argue that they need to use this technology to keep schools safe, yet there is little evidence that it works," said EFF Activism Project Manager Lindsay Oliver. For example, some schools track students' locations, ostensibly to automate attendance or track school bus ridership. This monitoring can be conducted through tools ranging from students' cell phones to ID cards with tracking chips, and it can easily continue when students are off campus. In some cases, student data is reported to school resource officers or the police, and it can be retained over time, creating a granular history of a student's actions. Often the best solution is simply not to use the systems that schools have set up, if you are able to, and to encourage your friends to do the same. The new guide also shows students how to gather information on what is happening and how to talk to adults about it.

Misc

Project Svalbard, Have I Been Pwned and its Ongoing Independence

Troy Hunt has decided not to sell Have I Been Pwned and to keep it independent, after months of discussions with many companies that wanted to buy the service. He explains the decision and why he thinks HIBP will be better for everyone if it stays independent.