Table of Contents

  1. Politics
    1. The EARN-IT Act
    2. German BSI Tells Local Govt Authorities Not to Pay Ransoms
    3. EnigmaSpark: Politically Themed Cyber Activity Highlights Regional Opposition to Middle East Peace Plan
  2. Crime
    1. How cybercriminals are taking advantage of COVID-19
    2. Czech Hospital Hit By Cyber-Attack While in the Midst of a COVID-19 Outbreak
    3. The Inside Scoop on a Six-Figure Nigerian Fraud Campaign
    4. U.S. Health Department Site Hit With DDoS Cyber Attack
    5. "Massive" computer attack at the town hall of Marseille and the metropolis
    6. Ancient Tortoise BEC Scammers Launch Coronavirus-Themed Attack
    7. Vicious Panda: The COVID Campaign
  3. Privacy
    1. Comcast Accidentally Published 200,000 'Unlisted' Phone Numbers
    2. The Whisper Secret-Sharing App Exposed Locations
    3. Brave Browser Files GDPR Complaint Against Google
    4. Tattoo Recognition Score Card: How Institutions Handled Unethical Biometric Surveillance Dataset
  4. Vulnerabilities
    1. Slack Bug Allowed Automating Account Takeover Attacks
    2. The Insecurity of WordPress and Apache Struts
  5. Malware
    1. Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing
    2. BlackWater Malware Abuses Cloudflare Workers for C2 Communication
    3. Advanced Russian Hackers Use New Malware in Watering Hole Operation
  6. Ransomware
    1. New Nefilim Ransomware Threatens to Release Victims' Data
    2. PXJ Ransomware Campaign Identified by X-Force IRIS
  7. Leaks
    1. The Halloween Spot - 10,653 breached accounts

Politics

The EARN-IT Act

Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes: The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation Prevention" tasked with developing "best practices" for owners of Internet platforms to "prevent, reduce, and respond" to child exploitation. But far from mere recommendations, those "best practices" would be approved by Congress as legal requirements: if a platform failed to adhere to them, it would lose essential legal protections for free speech.

German BSI Tells Local Govt Authorities Not to Pay Ransoms

BSI, Germany's federal cybersecurity agency, recommends that local governments and municipal institutions not pay the ransoms demanded by attackers after they are hit by ransomware. Germany's Federal Office for Information Security (BSI), in collaboration with the Federal Criminal Police Office (BKA), also issued recommendations for local authorities on how to deal with ransom demands, following an increasing number of such attacks.

EnigmaSpark: Politically Themed Cyber Activity Highlights Regional Opposition to Middle East Peace Plan

In recent analysis of malicious activity likely targeting entities based in the Middle East, IBM X-Force Incident Response and Intelligence Services (IRIS) discovered backdoor malware packed with the legitimate Enigma Protector software. We named this malware "EnigmaSpark" after the Enigma Protector and the string "Spark4.2" found in a .pdb file path, and published our findings to the X-Force IRIS Enterprise Intelligence Management platform on TruSTAR in early February 2020. This discovery likely represents politically motivated attempts to target the network environments of entities or organizations that maintain a significant interest in, or support of, a new Middle East peace plan. The files IBM X-Force IRIS uncovered suggest that attackers crafted detailed and politically charged documents, taking advantage of geopolitical developments in the Middle East. The recipients of these emails are lured into opening malicious attachments, enabling the actor to compromise victim environments with the potential to exfiltrate data of interest or to take other actions in the compromised environments.

Crime

How cybercriminals are taking advantage of COVID-19

In the wake of large-scale global events, cybercriminals are among the first to attempt to sow discord, spread disinformation, and seek financial gain. In February 2020, the World Health Organization (WHO) released an advisory warning of ongoing scams involving the outbreak of COVID-19, the disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) and informally referred to as "coronavirus". These scams aim to exploit people's fear and uncertainty concerning the disease's spread. They can be broadly split into three categories: phishing and social engineering scams, sale of fraudulent or counterfeit goods, and misinformation. While COVID-19 itself presents a significant global security risk to individuals and organizations across the world, cybercriminal activity around this global pandemic can result in financial damage and promote dangerous guidance, ultimately putting additional strain on efforts to contain the virus.

Czech Hospital Hit By Cyber-Attack While in the Midst of a COVID-19 Outbreak

The Brno University Hospital in the city of Brno, Czech Republic, has been hit by a cyber-attack right in the middle of a COVID-19 outbreak that is picking up steam in the small central European country. Hospital officials have not revealed the nature of the security breach; however, the incident was deemed severe enough to postpone urgent surgical interventions and re-route new acute patients to nearby St. Anne's University Hospital, local media reported. The hospital was forced to shut down its entire IT network during the incident, and two other branches of the hospital, the Children's Hospital and the Maternity Hospital, were also impacted. The Czech National Cyber Security Center (NCSC) tweeted today that "the incident was resolved on the spot," together with the hospital's IT staff and members of the Czech police (NCOZ). The incident was considered a severe one and treated with the utmost urgency because the Brno University Hospital is one of the Czech Republic's biggest COVID-19 testing laboratories.

The Inside Scoop on a Six-Figure Nigerian Fraud Campaign

Cybercrime is usually a one-way street. Shady types send their malicious documents and Trojans downstream to us innocent folk. Worst-case scenario, we get infected. Best-case scenario, we smirk, hit "delete" and move on with our lives. Either way, we're left with many lingering questions. Who sends these out? Where did they get our email address? Do they really make money doing this? How much? This blog post gives an inside look at a Nigerian scammer's online activity.

U.S. Health Department Site Hit With DDoS Cyber Attack

The United States Health and Human Services Department's website was hit with a DDoS cyberattack on Sunday night in an attempt to take it offline in the middle of the Coronavirus outbreak. Attackers attempted to disrupt the dissemination of Coronavirus information by performing a DDoS attack against the HHS.gov website.

"Massive" computer attack at the town hall of Marseille and the metropolis

Ahead of the 2020 municipal elections in Marseille, which will take place on March 15th and March 22nd, a "massive and widespread" cyberattack hit the city of Marseille as well as the Aix-Marseille-Provence metropolis. The 2020 municipal elections in Marseille aim to elect the councils of the eight sectors of the city, the municipal council, and the metropolitan council of Aix-Marseille-Provence. According to a press release published by the city, the massive cyberattack will have no impact on the municipal elections.

Ancient Tortoise BEC Scammers Launch Coronavirus-Themed Attack

A Business Email Compromise (BEC) cybercrime group has started using coronavirus-themed scam emails that take advantage of the COVID-19 global outbreak to convince potential victims to send payments to attacker-controlled accounts. This scammer group, tracked by Agari researchers as Ancient Tortoise, is known for actively using financial aging reports in BEC attacks. Aging reports (also known as a schedule of accounts receivable) are sets of outstanding invoices that help a company's financial department track customers who haven't paid for goods or services bought on credit. Ancient Tortoise gains the trust of employees by asking for aging reports while impersonating a company's executives, and then asks the customers to pay the outstanding invoices listed in the aging report.

Vicious Panda: The COVID Campaign

Check Point Research discovered a new campaign against the Mongolian public sector which takes advantage of the current Coronavirus scare in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus. This report contains a full analysis of the TTPs used throughout this campaign, the infrastructure, and the new tools uncovered during the research into what researchers believe to be a China-based threat actor.

Privacy

Comcast Accidentally Published 200,000 'Unlisted' Phone Numbers

Comcast mistakenly published the names, phone numbers, and addresses of nearly 200,000 customers who paid monthly fees to make their numbers unlisted. The names and numbers were made available on Ecolisting, a directory run by Comcast, and picked up by third-party directories. After discovering the mistake, Comcast shut Ecolisting down, gave $100 credits to affected customers, and advised them that they could change their phone numbers at no charge. This is similar to a mistake in the early 2010s that resulted in Comcast paying a $33 million settlement in 2015.

The Whisper Secret-Sharing App Exposed Locations

Whisper, the secret-sharing app that called itself the "safest place on the Internet," left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed. The exposed records did not include real names but did include a user's stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires.

Brave Browser Files GDPR Complaint Against Google

Brave has filed a formal complaint against Google with the lead GDPR enforcer in Europe. The complaint comes after Dr. Johnny Ryan, Brave's chief policy and industry relations officer, promised to take Google to court if it didn't stop abusing its power by sharing user data collected by dozens of its distinct services, and creating a "free for all" data warehouse. Cointelegraph reports: Now, the complaint is with the Irish Data Protection Commission. It accuses Google of violating Article 5(1)b of the GDPR. Dublin is Google's European headquarters and, as Dr. Ryan explained to Cointelegraph, the Commission "is responsible for regulating Google's data protection across the European Economic Area." Article 5(1)b of the GDPR requires that data be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." According to Dr. Ryan: "Enforcement of Brave's GDPR 'purpose limitation' complaint against Google would be tantamount to a functional separation, giving everyone the power to decide what parts of Google they chose to reward with their data."

Tattoo Recognition Score Card: How Institutions Handled Unethical Biometric Surveillance Dataset

EFF has long been concerned with the many problems associated with efforts to use automated tattoo recognition, a form of biometric surveillance similar to face recognition that can use your body art to reveal your identity or personal information about you, such as your political, religious, familial, or cultural affiliations. We have particular ethical concerns about an effort known as Tatt-C (also known as the Tattoo Recognition Challenge) that was managed by the National Institute of Standards and Technology (NIST) and the Federal Bureau of Investigation. NIST launched this tattoo recognition program in 2014 by creating an "open tattoo database" that institutions could use to test, train, and improve software that could recognize tattoos.

Vulnerabilities

Slack Bug Allowed Automating Account Takeover Attacks

Slack has fixed a security flaw that allowed hackers to automate the takeover of arbitrary accounts after stealing session cookies using an HTTP Request Smuggling (CL.TE) hijack attack on https://slackb.com/. Web security researcher and bug bounty hunter Evan Custodio reported the bug to the team collaboration platform's security team via Slack's HackerOne bug bounty program on November 14th.
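CL.TE smuggling relies on a front-end and back-end disagreeing about where a request body ends when both Content-Length and Transfer-Encoding are present. The following is an added defensive example, not code from the Slack report or from Evan Custodio's research: a request-header check of the kind a front-end proxy or WAF can apply, which flags any request whose body length is ambiguous. The sample requests are constructed and use a placeholder host.

```python
import re
from typing import Dict, List

# Constructed sample requests (placeholder host, not from the Slack report).
CLEAN_CL = (
    "POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Length: 5\r\n\r\nhello"
)
AMBIGUOUS_CL_TE = (
    "POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nhello"
)
OBFUSCATED_TE = (
    "POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    "Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split the header block into a case-insensitive multimap (name -> values)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def smuggling_risk(raw: str) -> List[str]:
    """Return the reasons a request's body length is ambiguous; empty means accept.

    A strict front-end rejects (or normalizes to one framing) rather than
    forwarding such requests, so front-end and back-end can never disagree.
    """
    h = parse_headers(raw)
    cl, te = h.get("content-length", []), h.get("transfer-encoding", [])
    reasons: List[str] = []
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        reasons.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        reasons.append("non-numeric Content-Length")
    if te and any(v.lower() != "chunked" for v in te):
        # Only a bare, canonical "chunked" is accepted; variants are a common
        # way to make one parser honour TE while the other ignores it.
        reasons.append("non-standard Transfer-Encoding value")
    return reasons
```

The check is deliberately conservative: a legitimate client has no reason to send both framing headers, so rejecting the combination outright is safe.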

The Insecurity of WordPress and Apache Struts

A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts. The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week by risk analysis firm RiskSense.

Malware

Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing

A state-sponsored threat actor is attempting to deploy the Crimson Remote Administration Tool (RAT) onto the systems of targets via a spear-phishing campaign using Coronavirus-themed document baits disguised as health advisories. This nation-backed cyber-espionage group is suspected to be Pakistan-based and is currently tracked under multiple names, including APT36, Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis. Once the malicious documents used as baits are opened and the malicious macros are executed, a 32-bit or a 64-bit version of the Crimson RAT payload is dropped, depending on the victim's OS type.

BlackWater Malware Abuses Cloudflare Workers for C2 Communication

A new backdoor malware called BlackWater has been found pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server. Cloudflare Workers are JavaScript programs that run directly on Cloudflare's edge so that they can interact with connections from remote web clients. These Workers can be used to modify the output of a website behind Cloudflare, disable Cloudflare features, or even act as independent JavaScript programs running on the edge that display output. For example, a Cloudflare Worker can be created to search for text in a web server's output and replace words in it, or to simply output data back to a web client.

Advanced Russian Hackers Use New Malware in Watering Hole Operation

Two previously undocumented pieces of malware, a downloader and a backdoor, were used in a watering hole operation attributed to the Russian-based threat group Turla. To reach targets of interest, the hackers compromised at least four websites, two of them belonging to the Armenian government. This indicates that the threat actor was after government officials and politicians. The new tools are a .NET malware dropper called NetFlash and a Python-based backdoor named PyFlash. They would be delivered following a fake Adobe Flash update notification received by victims.

Ransomware

New Nefilim Ransomware Threatens to Release Victims' Data

A new ransomware called Nefilim, which shares much of the same code as Nemty, has become active in the wild and threatens to release stolen data. Nefilim became active at the end of February 2020, and while it is not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services.

PXJ Ransomware Campaign Identified by X-Force IRIS

Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI. A constant flow of new and reused code in this realm continues to flood both consumers and organizations, who fight to prevent infections, respond to attacks, and often resort to paying the criminals. In a recent analysis from IBM's X-Force Incident Response and Intelligence Services (IRIS), researchers discovered activity related to a new strain of ransomware known as "PXJ" ransomware. This malware is also known as "XVFXGW" ransomware. The name PXJ is derived from the file extension that is appended to encrypted files, whereas the alternative name, XVFXGW, is based on both the mutex the malware creates, "XVFXGW DOUBLE SET," and the email addresses listed in the ransom note.

Leaks

The Halloween Spot - 10,653 breached accounts

In September 2019, the Halloween costume store The Halloween Spot suffered a data breach. Originally misattributed to fancy dress store Smiffys, the breach contained 13 GB of data with over 10k unique email addresses alongside names, physical and IP addresses, phone numbers and order histories. The Halloween Spot advised customers the breach was traced back to "an old shipping information database".