Table of Contents

  1. Phishing
    1. NASA under significantly increasing hacking, phishing attacks
  2. Scams
    1. BEC gift card scams switch to online stores due to pandemic
    2. Scammers target Australians financially affected by pandemic
  3. Ransomware
    1. Drug testing firm sends data breach alerts after ransomware attack
    2. Interpol: Ransomware attacks on hospitals are increasing
  4. Vulnerabilities
    1. Exploiting the TP-Link Archer A7 at Pwn2Own Tokyo
    2. Microsoft Buys Corp.com So Bad Guys Can’t
    3. How we abused Slack's TURN servers to gain access to internal services
    4. 80% of all exposed Exchange servers still unpatched for critical flaw
  5. Politics
    1. Taiwan’s government bars its agencies from using Zoom over security concerns
    2. Russian Telco Hijacked Internet Traffic of Google, AWS, Cloudflare, and Others
    3. The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability
    4. Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill
  6. Leaks
    1. Email provider got hacked, data of 600,000 users now sold on the dark web
    2. Data Leak: Private information of 14 million Key Ring users exposed
    3. HTC Mania - 1,488,089 breached accounts

Phishing

NASA under significantly increasing hacking, phishing attacks

NASA has seen significantly increasing malicious activity from both nation-state hackers and cybercriminals targeting the US space agency's systems and personnel working from home during the COVID-19 pandemic. Mitigation tools and measures set in place by NASA's Security Operations Center successfully blocked a wave of cyberattacks, with the agency reporting double the number of phishing attempts, an exponential increase in malware attacks, and double the number of malicious sites being blocked to protect users from potential malicious attacks.

Scams

BEC gift card scams switch to online stores due to pandemic

Scammers behind business email compromise (BEC) attacks have adjusted their tactics to match the current situation, given the tens of millions of employees working from home during the COVID-19 outbreak. While they would normally attempt to convince victims to buy gift cards as a quick favor to one of their company's executives, they've now switched to asking for digital gift cards, since brick-and-mortar stores are now either closed or a lot harder to reach due to lockdowns.

Scammers target Australians financially affected by pandemic

Australians who were financially impacted by the COVID-19 pandemic are being targeted by scammers attempting to get their hands on victims' superannuation funds, which are being partially released starting mid-April. Superannuation is also referred to as a company pension plan, and it is a partly compulsory system requiring Australians to deposit a minimum percentage of their income into an account that will provide them with an income stream after retirement.

Ransomware

Drug testing firm sends data breach alerts after ransomware attack

Hammersmith Medicines Research LTD, a research company on standby to perform live trials of Coronavirus vaccines, has started emailing data breach notifications after having their data stolen and published in a ransomware attack. After the ransom was not paid, the Maze operators published some of the stolen data on their "News" site on March 21st to further extort HMR into making a payment.

Interpol: Ransomware attacks on hospitals are increasing

INTERPOL warns that cybercriminals are increasingly attempting to lock hospitals out of critical systems by attempting to deploy ransomware on their networks despite the ongoing COVID-19 outbreak.

Vulnerabilities

Exploiting the TP-Link Archer A7 at Pwn2Own Tokyo

During the Pwn2Own Tokyo competition last fall, Pedro Ribeiro and Radek Domanski used a command injection vulnerability as a part of the exploit chain they used to gain code execution on a TP-Link Archer A7 wireless router, which earned them $5,000. The bug used in this exploit was recently patched, and Pedro and Radek have graciously put together this blog post describing the command injection vulnerability.

Microsoft Buys Corp.com So Bad Guys Can’t

Microsoft has purchased the Corp.com domain to prevent it from being used by malicious actors to steal Windows credentials, monitor customer traffic, or serve malicious files. In February, KrebsOnSecurity told the story of a private citizen auctioning off the dangerous domain corp.com for the starting price of $1.7 million. Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe. This week, Microsoft Corp. agreed to buy the domain in a bid to keep it out of the hands of those who might abuse its awesome power.

How we abused Slack's TURN servers to gain access to internal services

Slack's TURN server allowed relaying of TCP connections and UDP packets to Slack's internal network and metadata services on AWS. The researchers were awarded $3,500 for the bug bounty report on HackerOne.

80% of all exposed Exchange servers still unpatched for critical flaw

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions. This security flaw is present in the Exchange Control Panel (ECP) component, which is on by default, and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.

Politics

Taiwan’s government bars its agencies from using Zoom over security concerns

Taiwan's Executive Yuan issued an advisory on Tuesday barring the country's government agencies from using Zoom and other video software with "associated security or privacy concerns." Instead, the government said alternatives, including software from Google and Microsoft, should be considered.

Russian Telco Hijacked Internet Traffic of Google, AWS, Cloudflare, and Others

Earlier this week, traffic meant for more than 200 of the world's largest content delivery networks (CDNs) and cloud hosting providers was suspiciously redirected through Rostelecom, Russia's state-owned telecommunications provider. The incident affected more than 8,800 internet traffic routes from 200+ networks, and lasted for about an hour.

The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability

Recently, Qihoo 360 detected an APT attack that delivers malicious files through hijacked security services of a domestic VPN provider. We have reported the vulnerability details to the service provider and received confirmation. Further reversing shows that the attack can be attributed to the Darkhotel (APT-C-06), an APT gang on the Korean Peninsula. Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad were under attack. In early April, the attack spread to government agencies in Beijing and Shanghai.

Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill

FireEye Mandiant Threat Intelligence documented more zero-days exploited in 2019 than in any of the previous three years. While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East, and/or by groups with suspected ties to this region. Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons.

Leaks

Email provider got hacked, data of 600,000 users now sold on the dark web

The data of more than 600,000 Email.it users is currently being sold on the dark web, ZDNet has learned following a tip from one of our readers. The Email.it hack came to light on Sunday, when the hackers went on Twitter to promote a website on the dark web where they were selling the company's data.

Data Leak: Private information of 14 million Key Ring users exposed

Five misconfigured Amazon Web Services (AWS) S3 buckets revealing private data of Key Ring users were discovered by vpnMentor researchers in January. Like many similar apps, Key Ring lets users store digital copies of their loyalty cards, create a shopping list, receive weekly deals, and benefit from new loyalty programs. Some users, however, use the app to upload their personal ID and credit cards to avoid digging through their wallets.

HTC Mania - 1,488,089 breached accounts

In January 2020, the Spanish mobile phone forum HTC Mania suffered a data breach of the vBulletin-based site. The incident exposed 1.5M member email addresses, usernames, IP addresses, dates of birth, salted MD5 password hashes, and password histories. Data from the breach was subsequently redistributed on popular hacking websites.