Table of Contents

  1. Malware
    1. Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy
    2. FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS
    3. LightSpy spyware targets iPhone users in Hong Kong
    4. Chinese Hackers Use Cisco, Citrix, Zoho Exploits In Targeted Attacks
    5. WordPress Malware Distributed via Pirated Coronavirus Plugins
    6. Malware Disguised as Google Updates Pushed via Hacked News Sites
    7. Criminals hack Tupperware website with credit card skimmer
    8. Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps
  2. Leaks
    1. Dueling Network - 5,473,883 breached accounts
  3. Phishing
    1. Phishing Attack Says You're Exposed to Coronavirus, Spreads Malware
    2. US Small Business Administration Grants Used as Phishing Bait
    3. This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.
  4. Vulnerabilities
    1. Pi-hole Remote Code Execution
    2. Two zero days are Targeting DrayTek Broadband CPE Devices
    3. Actively Exploited Windows Font Parsing Bugs Get Temporary Fix
    4. Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic
    5. Microsoft Fixes Windows Defender Scan Bug With New Update
    6. A detailed look at the router provided by my ISP
  5. Privacy
    1. Zoom under fire from privacy activists
    2. Top VPNs are recording users and potentially leaking their data when they visit their website
    3. Mozilla Firefox Gets a HTTPS Only Mode For More Secure Browsing
    4. Facial Recognition for People Wearing Masks
  6. Crime
    1. Russians Shut Down Huge Card Fraud Ring
    2. Russian-Speaking Hackers Attack Pharma, Manufacturing Companies in Europe
    3. Google Warned Users of 40,000 State-Sponsored Attacks in 2019
  7. Ransomware
    1. Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack

Malware

Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy

The Zeus Sphinx Trojan is back after nearly three years of absence and, like many other malware families, is exploiting the Coronavirus scare. It is distributed using malicious macros in a password-protected document.

FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS

Hackers from the FIN7 cybercriminal group have been targeting various businesses with malicious USB devices that act as a keyboard when plugged into a computer. The injected keystrokes download and execute a JavaScript backdoor associated with this actor. In a FLASH alert on Thursday, the FBI warned organizations and security professionals about this tactic, adopted by FIN7 to deliver the GRIFFON malware. The attack is a variation of the "lost USB" ruse that penetration testers have used quite successfully in their assessments for years; one incident was analyzed by researchers at Trustwave.

LightSpy spyware targets iPhone users in Hong Kong

In January of this year, experts detected a large-scale watering-hole attack aimed at residents of Hong Kong, in which the multifunctional malware LightSpy for iOS was installed on victims' smartphones. This is yet another reminder to anyone who thinks that Apple devices, in particular iPhones, are immune to malware; they are protected, of course, but by no means totally.

Chinese Hackers Use Cisco, Citrix, Zoho Exploits In Targeted Attacks

Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor in recent years. Between January 20th and March 11th, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers.

WordPress Malware Distributed via Pirated Coronavirus Plugins

The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a website. The WP-VCD family of WordPress infections is distributed as nulled, or pirated, WordPress plugins containing modified code that injects a backdoor into every installed theme as well as into various PHP files. Once a WordPress site is compromised by WP-VCD, the malware attempts to compromise other sites on the same shared host and routinely connects back to its command and control server to receive new instructions to execute. The ultimate goal of these malicious plugins is to use the compromised WordPress site to display popups or perform redirects that generate revenue for the threat actors.

Malware Disguised as Google Updates Pushed via Hacked News Sites

Hacked corporate sites and news blogs running the WordPress CMS are being used by attackers to deliver backdoor malware that lets them drop several second-stage payloads such as keyloggers, info stealers, and Trojans. After gaining admin access to the compromised WordPress websites, the hackers inject malicious JavaScript code that automatically redirects visitors to phishing sites. These landing pages are designed to look like a legitimate Google Chrome update page and are used by the attackers to instruct potential victims to download an update for their browser. Instead of a Chrome update, however, the targets download malware installers that infect their devices and allow the operators behind this campaign to take control of their computers remotely.

Criminals hack Tupperware website with credit card skimmer

On March 20th, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered.

Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps

A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is actually the Oski information-stealing malware. For the past five days, people have been reporting that their web browser opens on its own and displays a message prompting them to download a 'COVID-19 Inform App' allegedly from the World Health Organization (WHO).

Leaks

Dueling Network - 5,473,883 breached accounts

In March 2017, Dueling Network, a Flash game based on the Yu-Gi-Oh trading card game, suffered a data breach. The site itself was taken offline in 2016 due to a cease-and-desist order, but the forum remained online for another year. The data breach exposed usernames, IP and email addresses, and passwords stored as MD5 hashes. The data was provided to HIBP by a source who requested it be attributed to "burger vault".

Phishing

Phishing Attack Says You're Exposed to Coronavirus, Spreads Malware

A new phishing campaign has been spotted that pretends to be from a local hospital, telling the recipient that they have been exposed to the Coronavirus and need to be tested. The email then tells the recipient to print the attached EmergencyContact.xlsm file and bring it to the nearest emergency clinic for testing. If a user enables content, malicious macros are executed to download a malware executable to the computer and launch it.

US Small Business Administration Grants Used as Phishing Bait

Attackers are attempting to deliver Remcos Remote Access Tool (RAT) payloads to the systems of small businesses via phishing emails impersonating the U.S. Small Business Administration (U.S. SBA). They are taking advantage of the financial problems experienced by SMBs during the current COVID-19 pandemic to lure them into opening malicious attachments camouflaged as disaster assistance grants and testing center vouchers. Despite the broken English in the phishing emails, the malicious actors made sure that the overall layout is as close as possible to the real thing, using the official U.S. SBA logo and footer information, as IBM X-Force Threat Intelligence researchers found.

This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

Cofense Intelligence has tracked a complex credential phishing operation that evades the Microsoft Office 365, Cisco IronPort and Mimecast Secure Email Gateways and has been active since at least December 2019, a very long time for an active credential phishing campaign. The series of convincing tactics used suggests that the threat actors have gone to great effort to create an air of authenticity for targeted recipients. Targeted users receive an email, supposedly from their HR department, mandating that they complete a SurveyMonkey employee satisfaction survey. The convoluted attack chain uses trusted sources and eventually redirects to a real SurveyMonkey survey, allowing the threat actors to evade detection while giving recipients the end result they expect: a real survey.

Vulnerabilities

Pi-hole Remote Code Execution

Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the web portal can execute arbitrary commands on the underlying server with the privileges of the local user running the service. The MAC address input in the web interface can be tampered with to execute arbitrary code.
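The Pi-hole item above describes the classic shape of a web-to-shell bug: a field that looks harmless (a MAC address) reaches a command line without strict validation. The Python below is an added illustration of the defensive side and is not Pi-hole's code. It assumes a hypothetical helper at /usr/local/bin/lookup-mac (a placeholder, not a real tool) and uses a constructed ARP table sample in the layout of /proc/net/arp; it shows a whitelist grammar for the value, passing it as a discrete argv element rather than through a shell, and, better still, answering the question in Python without running any command at all.

```python
import re
import subprocess
from typing import List

# Strict MAC address grammar: six pairs of hex digits joined by one consistent
# separator (':' or '-'). Shell metacharacters, whitespace, trailing newlines or
# extra fields simply do not match, so they never reach any command.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}")


def validate_mac(value: str) -> str:
    """Return the MAC in canonical lowercase, colon-separated form, or raise ValueError.

    fullmatch() is used on purpose: re.match() only anchors the start, and a '$'
    anchor still tolerates a trailing newline; both let junk through.
    """
    if not isinstance(value, str) or MAC_RE.fullmatch(value) is None:
        raise ValueError("invalid MAC address: %r" % (value,))
    return value.lower().replace("-", ":")


def accepts(value: str) -> bool:
    """Convenience predicate: True if validate_mac() would accept the value."""
    try:
        validate_mac(value)
        return True
    except ValueError:
        return False


def build_lookup_argv(value: str) -> List[str]:
    """Build an argv list for a hypothetical helper that looks up a MAC.

    The helper path is a placeholder, not a real tool. The property that matters
    is that the validated value is a single argv element: subprocess.run() with a
    list and shell=False never hands the string to a shell, so there is no
    command line to tamper with even if validation were later loosened.
    """
    return ["/usr/local/bin/lookup-mac", validate_mac(value)]  # hypothetical helper


def run_lookup(value: str) -> subprocess.CompletedProcess:
    """Run the hypothetical helper without a shell (not exercised by the test)."""
    return subprocess.run(build_lookup_argv(value), shell=False,
                          capture_output=True, text=True, check=False)


def ips_for_mac(arp_table: str, value: str) -> List[str]:
    """Look a MAC up in /proc/net/arp-style text without running anything at all.

    Often the cleanest fix for a "user input ends up in a shell command" bug is
    to remove the command: read the neighbour table directly and compare
    normalized strings in Python.
    """
    wanted = validate_mac(value)
    found = []
    for line in arp_table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3].lower() == wanted:
            found.append(fields[0])
    return found


# Constructed sample in the layout of /proc/net/arp (not captured from a real host).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.21     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


if __name__ == "__main__":
    for candidate in ["AA-BB-CC-DD-EE-FF", "00:11:22:33:44:55;extra", "aa:bb:cc:dd:ee:ff\n"]:
        print("%-28r accepted=%s" % (candidate, accepts(candidate)))
    print(ips_for_mac(SAMPLE_ARP, "AA-BB-CC-DD-EE-FF"))
```

The order of the three defences is deliberate: the grammar check rejects anything that is not a MAC, the argv list removes the shell from the picture, and reading the table directly removes the child process entirely, so a future change to any one layer does not leave the field unprotected.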

Two zero days are Targeting DrayTek Broadband CPE Devices

The 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities in DrayTek Vigor enterprise routers and switches to conduct a series of attacks, including eavesdropping on the devices' network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific Malicious Web Session backdoor.

Actively Exploited Windows Font Parsing Bugs Get Temporary Fix

Until Microsoft releases a patch for two critical vulnerabilities affecting the font parsing component in all supported versions of Windows, some users can apply temporary protection in the form of a micropatch that prevents exploitation.

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic

A currently unpatched security vulnerability affecting iOS 13.3.1 and later prevents Virtual Private Networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption, exposing users' data or leaking their IP addresses. Connections made after the VPN is established on an iOS device are not affected by this bug, but all previously established connections remain outside the VPN's secure tunnel, as ProtonVPN disclosed.

Microsoft Fixes Windows Defender Scan Bug With New Update

Microsoft has silently fixed the "items skipped during scan" Windows Defender bug, which caused some items stored on a network device to be excluded from scans. The issue was fixed with the release of the KB4052623 update for the Windows Defender antimalware platform, which increments the scan engine's version to 4.18.2003.8 and prevents future notifications about skipped files from appearing.

A detailed look at the router provided by my ISP

A security researcher wrote a series of blog posts after reverse engineering the router provided by his ISP, working out how the ISP updates the device and discovering a hardcoded Huawei SSH key.

Privacy

Zoom under fire from privacy activists

With everyone moving to remote work, Zoom exploded in popularity and received a lot of criticism regarding its privacy practices. According to a Motherboard analysis of the app, the iOS version of Zoom was sending analytics data to Facebook even for users without a Facebook account. Zoom has responded to the accusations and has removed the code that sent data to Facebook.

Top VPNs are recording users and potentially leaking their data when they visit their website

VPNpro research shows that VPN websites are disappointingly similar to, and sometimes worse than, other popular websites. Of the 114 VPNs analyzed, 102 had trackers on their websites, and 26 had 10 or more. Many of these trackers belong to third parties that do not have the best reputation for respecting user privacy, which can be detrimental to the user.

Mozilla Firefox Gets a HTTPS Only Mode For More Secure Browsing

Mozilla Firefox 76 is getting a new 'HTTPS Only' mode that automatically upgrades all HTTP requests to HTTPS when browsing the web and blocks any connection that cannot be upgraded. When connecting to an HTTP site, the connection is not encrypted, so your ISP and programs running on the computer can monitor the data sent over it, including passwords, credit card details, and other sensitive information.

Facial Recognition for People Wearing Masks

The Chinese facial recognition company Hanwang claims it can recognize people wearing masks. The company now says its masked facial recognition program has reached 95 percent accuracy in lab tests, and even claims that it is more accurate in real life, where its cameras take multiple photos of a person if the first attempt to identify them fails.

Crime

Russians Shut Down Huge Card Fraud Ring

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade. In a statement, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

Russian-Speaking Hackers Attack Pharma, Manufacturing Companies in Europe

Malware belonging to Russian-speaking threat actors was used in attacks in late January against at least two European companies in the pharmaceutical and manufacturing industries. Based on the tools employed in the attacks, the suspects are likely the financially motivated Silence and TA505 groups. While TA505's history of attacks includes targets in the medical sector, if the security researchers are right, these incidents would mark a departure for Silence from its regular targets, which are banks and financial institutions.

Google Warned Users of 40,000 State-Sponsored Attacks in 2019

Google says that it delivered almost 40,000 alerts of state-sponsored phishing or malware hacking attempts to its users during 2019, a 25% drop compared to the previous year. One of the reasons behind this notable drop in government-backed hacking incidents is the increasingly effective protections Google has put in place for its users. Because of these protections, attackers are forced to slow down and adapt their campaigns, which leads to less frequent hacking attempts.

Ransomware

Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack

Cyber insurer giant Chubb is allegedly the latest ransomware victim, according to the operators of the Maze ransomware, who claim to have encrypted the company's systems in March 2020. Chubb is one of the leading insurance carriers in the world, with an extensive line of cyber insurance products that include incident response, forensics, legal teams, and even public relations. While Chubb states that its network has not been compromised, cybersecurity intelligence firm Bad Packets has stated that the company has numerous Citrix ADC (NetScaler) servers vulnerable to CVE-2019-19781.