Table of Contents

  1. Ransomware
    1. Ryuk Ransomware Behind Epiq Global and Durham, North Carolina cyberattacks
    2. Microsoft Shares Tactics Used in Human-Operated Ransomware Attacks
  2. Crime
    1. Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy
    2. Microsoft Takes Control of Necurs U.S.-Based Infrastructure
  3. Politics
    1. Chinese Security Firm Says CIA Hackers Attacked China Since 2008
    2. Most of the attacks on Telecom Sector in 2019 were carried out by China-linked hackers
  4. Vulnerabilities
    1. NSA Warns About Microsoft Exchange Flaw as Attacks Start
    2. Intel CPUs Vulnerable To New LVI Attacks
    3. Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw
    4. Avast disables JavaScript engine in its antivirus following major bug
    5. Cryptographic Signatures, Surprising Pitfalls, and LetsEncrypt
    6. New AMD side channel attacks discovered, impacts Zen architecture
    7. Researcher wins $55,000 for ‘Login with Facebook’ hack
    8. Security advisory: Insufficient data validation in yubikey-val
    9. Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains
  5. Malware
    1. Malware Analysis and Reverse Engineering Course
    2. New TrickBot Variant Updates Anti-Analysis Tricks
    3. Mokes and Buerak distributed under the guise of security certificates
    4. Who's hacking the hackers: no honor among thieves
  6. Phishing
    1. Nasty Phishing Scam Pretends to Be Your HIV Test Results
  7. Privacy
    1. Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich
  8. Leaks
    1. Virgin Media Data Breach Exposes Info of 900,000 Customers
    2. T-Mobile Data Breach Exposes Customer's Personal, Financial Info
    3. AnimeGame - 1,431,378 breached accounts
    4. Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
    5. J.Crew Disables User Accounts After Credential Stuffing Attack


Ryuk Ransomware Behind Epiq Global and Durham, North Carolina cyberattacks

The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware. Local media reports that the city fell victim to a phishing attack that ultimately led to the deployment of the Ryuk Ransomware on their systems. To prevent the attack from spreading throughout their network, the City of Durham has temporarily disabled all access into the DCI Network for the Durham Police Department, the Durham Sheriff's Office and their communications center. This has caused the city's 911 call center to shut down and for the Durham Fire Department to lose phone service. Actors were probably present on the network for weeks. The Ryuk Ransomware attacks are usually the result of a network becoming infected with the TrickBot Trojan first, which is usually installed through malicious attachments in phishing emails. Legal services and e-discovery giant Epiq Global took their systems offline on Saturday after the Ryuk Ransomware was deployed and began encrypting devices on their network. On March 2nd, legal reporter Bob Ambrogi broke the news that Epiq had globally taken their systems offline after detecting a cyberattack. Fortinet analyzed the Tactics, Techniques, and Procedures (TTPs) used by this recently discovered Ryuk variant.

Microsoft Shares Tactics Used in Human-Operated Ransomware Attacks

Microsoft shared tips on how to defend against human-operated ransomware attacks known to be behind hundreds of millions of dollars in losses following campaigns targeting enterprises and government entities. Ransomware families such as Sodinokibi (REvil), Samas, Bitpaymer, DoppelPaymer, Dharma, and Ryuk are deployed by human operators, which makes these attacks a lot more dangerous than auto- spreading ransomware like NotPetya, WannaCry, or those installed via malware and phishing attacks. They take advantage of similar security weaknesses, highlighting a few key lessons in security, notably that these attacks are often preventable and detectable.


Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy

For the first quarter of 2020, coverage on the Coronavirus/COVID-19 outbreak has dominated the 24-hour global news cycle. Government leaders, scientists, and health professionals worldwide suggest that this is not merely an epidemic, but a potential pandemic crisis. And the easiest and fastest way to exploit a target, whether an individual or an organization, is through social engineering attacks. These attack vectors are the fastest to spin up, and have the highest rate of return. This is especially true as drive-by downloads become less common due to security vendors improving response times and security posture by the timely patching of vulnerabilities. Coronavirus-related Threat Activity Over the past several weeks, FortiGuard Labs has been observing a significant increase in both legitimate and malicious activity surrounding the Coronavirus. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in an environment protected by Ironport that aims to strike alarm and manipulate end users into clicking on a Microsoft-branded credential phish that preys on concerns surrounding the coronavirus. A new spam campaign is underway that is preying on the fears of Coronavirus (COVID-19) to target people in Italy with the TrickBot information-stealing malware. When sending malicious spam, malware distributors commonly use current events, fears, and politics as themes for the emails to get recipients to open the attached malicious documents. According to new research by Sophos, attached to these emails is a malicious Word document that when opened states that you need to click on the 'Enable Content' button to properly view it.

Microsoft Takes Control of Necurs U.S.-Based Infrastructure

Microsoft announced a coordinated takedown of Necurs, one of the largest spam and malware botnets known to date, believed to have infected more than nine million computers worldwide. The takedown effort came after Microsoft and industry partners broke the Necurs DGA -the botnet's domain generation algorithm, the component that generates random domain names. Necurs authors register DHA-generated domains weeks or months in advance and host the botnet's command-and-control (C&C) servers, where bots (infected computers) connect to receive new commands. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months," said Tom Burt, Microsoft Vice President for Customer Security & Trust. Breaking the DGA allowed Microsoft and its industry partners to create a comprehensive list of future Necurs C&C server domains that they can now block and prevent the Necurs team from registering.


Chinese Security Firm Says CIA Hackers Attacked China Since 2008

Chinese security vendor Qihoo 360 says that the US Central Intelligence Agency (CIA) has hacked Chinese organizations for the last 11 years, targeting various industry sectors and government agencies. Qihoo 360 claims in the report that lacks any technical details that the CIA hacking group (APT-C-39) has targeted a multitude of Chinese companies between September 2008 and June 2019, with a focus on aviation organizations, scientific research institutions, petroleum industry, Internet companies, and government agencies. Additionally, the Chinese security outfit claims that the APT-C-39 hacking campaigns also used tools connected with the US National Security Agency.

Most of the attacks on Telecom Sector in 2019 were carried out by China-linked hackers

China-linked cyber espionage groups increasingly targeted organizations in the telecommunications industry in 2019. According to the CrowdStrike 2020 Global Threat Report, the telecommunications and government sectors were the most targeted by the threat actors. Most of the attacks against organizations in the telecom sector were attributed to China-linked hacker groups, such as Wicked Panda (aka APT41), Emissary Panda (aka APT27, Bronze Union, Lucky Mouse, and TG-3390), and Lotus Panda (aka Thrip). Chinese hackers also targeted several organizations in the healthcare sector, government and defense sectors of countries in Asia. The experts also observed some attacks that were likely conducted by China-linked APT groups, but that was not possible to link to specific groups. Analysis in 2019 revealed a focus by Chinese adversaries on the telecommunications sector, which could support both signals intelligence and further upstream targeting. Content related to defense, military and government organizations remains a popular lure for targeted intrusion campaigns, reads the report published by CrowdStrike. Telecommunications organizations are a privileged target of China- linked hackers that focus on cyber espionage campaigns and aims at launching attacks against other organizations.


NSA Warns About Microsoft Exchange Flaw as Attacks Start

The U.S. National Security Agency warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account. NSA's tweet reminded followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials. State-backed hackers already attacking Microsoft Exchange servers. The same day, researchers at security firm Volexity confirmed that exploitation of this security flaw has begun in late February, with several organizations already having had their networks compromised after state-backed advanced persistent threats (APT) groups exploited the CVE-2020-0688 flaw.

Intel CPUs Vulnerable To New LVI Attacks

A team of academics from universities across the world, along with vulnerability researchers from Bitdefender, disclosed a new security flaw in Intel processors. Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel CPUs. While the attack has been deemed only a theoretical threat, Intel has released firmware patches to mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level in future generations.

Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw

Microsoft leaked info on a security update for a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month's Patch Tuesday. Devices running Windows 10 are impacted by this vulnerability, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012. An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to, Cisco Talos explained in their Microsoft Patch Tuesday report --- this was later removed by the Talos security experts. Fortinet says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems. Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.

Avast disables JavaScript engine in its antivirus following major bug

Czech antivirus maker Avast has taken the extreme step of disabling a major component of its antivirus product after a security researcher found a dangerous vulnerability that put all of the company's users at risk. The security flaw was found in Avast's JavaScript engine, an internal component of the Avast antivirus that analyzes JavaScript code for malware before allowing it to execute in browsers or email clients. Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage, said Tavis Ormandy, a security researcher at Google. Any vulnerabilities in this process are critical, and easily accessible to remote attackers, Ormandy said on Monday when he also released a tool that he used to analyze the company's antivirus.

Cryptographic Signatures, Surprising Pitfalls, and LetsEncrypt

On August 11th, 2015, Andrew Ayer reviewed draft-barnes-acme-04 and found vulnerabilities in the DNS, DVSNI, and Simple HTTP challenges that would allow an attacker to fraudulently complete these challenges using Lets Encrypt. The draft-barnes-acme-04 is a document specifying ACME, one of the protocols behind the Let's Encrypt Certificate Authority. The thing that your browser trust and that signs the public keys of websites you visit. The attack was found merely 6 weeks before major browsers were supposed to ship with Let's Encrypt's public keys in their trust store. The draft has since become RFC 8555: Automatic Certificate Management Environment (ACME), mitigating the issues. Since then no cryptographic attacks are known on the protocol. But how did we get there? What's the deal with signature schemes these days? and are all of our protocols doomed? This is what this blog post will answer. Let's Encrypt planned to revoke more than 3 million TLS certificates on Wednesday after it discovered a bug that allowed an important security check performed during TLS issuance to be bypassed. The bug posed a small risk that a TLS certificate could have been issued when the owner of a domain forbid Let's Encrypt from issuing it. In just two days, more than 1.7 million certificates were reissued in just 48 hours, writes Josh Aas, executive director of the Internet Security Research Group (ISRG), which runs Let's Encrypt, in a Bugzilla thread. Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline.

New AMD side channel attacks discovered, impacts Zen architecture

AMD processors manufactured between 2011 and 2019 (the time of testing) are vulnerable to two new attacks, research published this week has revealed. The two new attacks impact the security of the data processed inside the CPU and allow the theft of sensitive information or the downgrade of security features. The research team said it notified AMD of the two issues in August 2019, however, the company has not released microcode (CPU firmware) updates, claiming these "are not new speculation-based attacks," a statement that the research team disagrees with.

Researcher wins $55,000 for ‘Login with Facebook’ hack

Facebook's bug bounty program has yielded a hefty paycheck to a researcher from India who discovered a serious security flaw in the platform. In December, last year, Amol Baikar was tinkering with the "Login with Facebook" feature when he discovered that he could hijack the OAuth flow and steal a user's access tokens. All an attacker had to do was to send the victim a malicious link, which the unwary recipient would (theoretically) click. With the access tokens in hand, the attacker would be able to take over the user's account. Facebook acknowledged the issue within a few hours of Baikar submitting the bug report. On December 16, the social network silently pushed out a fix.

Security advisory: Insufficient data validation in yubikey-val

Yubico received a report from LinkedIn Information Security indicating there is insufficient data validation in the open-source project for YubiKey Validation Server. Yubico verified the issue and has made a security update available to mitigate this issue and enhance the validation of information sent to the APIs. The next major release of the YubiKey Validation Server will become available by July 2020. This issue potentially affects developers, partners, and customers who have used a YubiKey Validation Server to build a self-hosted One-Time Password (OTP) validation service. The default configuration of the service only exposes the verified API, which could allow an attacker to perform a denial of service, potentially preventing legitimate authentications. Additionally, if the configuration has been modified to expose the sync API, then this vulnerability could potentially be used by an attacker to replay a previously used OTP.

Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains

Prior to this advisory, it was possible to register homograph domain names on gTLDs (.com, .net, etc.) as well as subdomains within some SaaS companies using homoglyph characters. This vulnerability is similar to an IDN Homograph attack and presents all the same risks. An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization. Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates. This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity.


Malware Analysis and Reverse Engineering Course

This class will introduce the CS graduate students to malware concepts, malware analysis, and black-box reverse engineering techniques. The target audience is focused on computer science graduate students or undergraduate seniors without prior cyber security or malware experience. It is intended to introduce the students to types of malware, common attack recipes, some tools, and a wide array of malware analysis techniques.

New TrickBot Variant Updates Anti-Analysis Tricks

A new TrickBot variant shows that the malware is continuing to swap out new anti-analysis and persistence tactics. Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components. More recently, the operators behind the malware appear to be changing up their anti-detection methods. In new behavior for this variant, once executed, the JavaScript code first waits for about one minute. After waiting, the JavaScript file then executes a command ("Select * from Win32~Process~") to obtain all running processes on the victim's system. It then puts all the names of these obtained processes together and checks to see if its length is less than 3,100 - another new anti-analysis functionality, researchers said. After downloading the TrickBot payload in a file in the %temp% folder, the JavaScript file then copies itself into the Windows startup folder so it can start whenever Windows OS starts. Once the payload is executed, it is similar to previous versions of the TrickBot malware. In another slight modification, the newest TrickBot variant also integrates the module "systeminfo" into the payload file, which was a standalone module before. Finally, researchers said that the newest variant also reflects a change in the command used to request up-to-date server configuration data.

Mokes and Buerak distributed under the guise of security certificates

The technique of distributing malware under the guise of legitimate software updates is not new. As a rule, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, recently a new approach was discovered to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the update on offer was malicious. The compromised websites display a message claiming the website's security certificate is expired and urge visitors to install a "security certificate update" to correctly view the content of the website.

Who's hacking the hackers: no honor among thieves

Experts from security firm Cybereason warn of a mysterious group of hackers that are distributing trojanized hacking tools on an almost daily basis for the past years. These hacking tools are used by fellow hackers that appear to be the targets of the group. The tools are being shared online on popular hacking forums and blogs, they are infected with a version of the njRAT that is used by attackers to establish a backdoor on the victims' systems and take full control of them. The threat actors behind this campaign are posting malware embedded inside various hacking tools and cracks for those tools on several websites. Once the files are downloaded and opened, the attackers are able to completely take over the victim's machine, reads the report published Cybereason. The researchers discovered more than 1,000 samples while investigating the group's operations, but experts believe the campaign could be broader.


Nasty Phishing Scam Pretends to Be Your HIV Test Results

A new phishing scam is pretending to be your HIV test results to make you more likely to open up a malicious Excel document and become infected. Over the past year, phishing campaigns have been getting nastier and nastier with scammers coming up with wild stories to get you to open a malicious document or click a link. In what could be a new low, Proofpoint researchers have found scammers sending phishing emails with malicious Excel spreadsheets that pretend to be your HIV test results from Vanderbilt University. While the scammers mess up and misspell 'Vanderbit University', unless you pay close attention you can easily miss the spelling mistake. Once you enable content, though, malicious macros will be executed that downloads and installs the Koadic penetration test and post-exploitation toolkit. It is important to remember that medical institutions will never send medical results via ordinary email and will instead have you log in to a secure portal to view results.


Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich

Clearview was unknown to the general public until this January, when The New York Times reported that the secretive start-up had developed a breakthrough facial recognition system that was in use by hundreds of law enforcement agencies. The company quickly faced a backlash on multiple fronts. Facebook, Google and other tech giants sent cease-and-desist letters. Lawsuits were filed in Illinois and Virginia, and the attorney general of New Jersey issued a moratorium against the app in that state. In response to the criticism, Clearview published a "code of conduct," emphasizing in a blog post that its technology was "available only for law enforcement agencies and select security professionals to use as an investigative tool. Accordingly, the Clearview app has built-in safeguards to ensure these trained professionals only use it for its intended purpose: to help identify the perpetrators and victims of crimes. The Times, however, has identified multiple individuals with active access to Clearview's technology who are not law enforcement officials. And for more than a year before the company became the subject of public scrutiny, the app had been freely used in the wild by the company's investors, clients and friends. Those with Clearview logins used facial recognition at parties, on dates and at business gatherings, giving demonstrations of its power for fun or using it to identify people whose names they didn't know or couldn't recall.


Virgin Media Data Breach Exposes Info of 900,000 Customers

Virgin Media announced that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database. Virgin Media is a leading cable operator in the U.K. and Ireland, and it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers. Lutz Schüler, CEO of Virgin Media, said in a press release that the company immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base. The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home, and email addresses and phone numbers, he added.

T-Mobile Data Breach Exposes Customer's Personal, Financial Info

T-Mobile has announced a data breach caused by an email vendor being hacked that exposed the personal and financial information for some of its customers. Some email accounts that were hacked contained T-Mobile customer information such as social security numbers, financial information, government ID numbers, billing information, and rate plans. To alert customers of the data breach, T-Mobile began texting customers affected by the data breach. These text messages contain a link to one of the two "Notice of Data Breach" pages on T-Mobile's site depending on what data was exposed. The personal information accessed could include names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features. The information accessed may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information.

AnimeGame - 1,431,378 breached accounts

In February 2020, the gaming website AnimeGame suffered a data breach. The incident affected 1.4M subscribers and exposed email addresses, usernames and passwords stored as salted MD5 hashes. The data was subsequently shared on a popular hacking forum and was provided to HIBP by

Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale

Telus-owned Koodo Mobile has suffered a data breach after their systems were hacked and customer data from August and September 2017 was stolen by the attackers. According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.

J.Crew Disables User Accounts After Credential Stuffing Attack

US clothing retailer J.Crew announced that it was the victim of a credential stuffing attack around April 2019 that led to some of its customers' accounts and information being accessed by hackers. Credentials stuffing is a type of attack where hackers use large collections of username/password combinations bought from underground markets and leaked after previous security breaches and use them to gain access to user accounts on other online platforms. The rate of success of such attacks is highly dependent on the common practice of users using the same email and password for multiple online accounts. Their end goal is to log into as many accounts as possible onto the targeted site and take over the identities of the account owners, steal money, or gather information.