Table of Contents

  1. Vulnerabilities
    1. V0LTpwn: Attacking x86 Processor Integrity from Software
  2. Ransomware
    1. Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
    2. RagnarLocker ransomware hits EDP energy giant, asks for €10M
    3. Ransomware attacks lock 2 Manitoba law firms out of computer systems
  3. Malware
    1. New Ursnif Campaign: A Shift from PowerShell to Mshta
    2. Fake VPN Sites Deliver Infostealers
    3. NetWire RAT Targeting Taxpayers is Spreading via Legacy Microsoft Excel 4.0 Macro
    4. APT41 Using New Speculoos Backdoor to Target Organizations Globally
    5. Grandoreiro Malware Now Targeting Banks in Spain
  4. Privacy
    1. American Appeals Court Allows Facebook Privacy Lawsuit to Proceed
    2. Signal Threatens to Leave the US If Earn IT Act Passes
    3. Cloudflare drops Google's reCAPTCHA due to privacy concerns
    4. Growth in surveillance may be hard to scale back after pandemic, experts say
  5. Scams
    1. FBI warns of ongoing COVID-19 scams targeting govt, health care
    2. Beware of scams during this crucial time of CoronaVirus pandemic
  6. Crime
    1. Russian hackers tried to steal San Francisco airport Windows accounts
    2. Corona crimes: multi-million face mask scam foiled by police across Europe
    3. Credit card thieves target WooCommerce sites with new skimmer
  7. Leaks
    1. Canadian passengers from virus-stricken Zaandam cruise ship hit by federal gov't privacy breach
    2. Account details for 4 million Quidd users shared on hacking forum
    3. Over 500,000 Zoom accounts sold on hacker forums, the dark web
  8. Phishing
    1. Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
    2. Doctors Community Medical Center notifies patients after phishing incident put patient info at risk

Vulnerabilities

V0LTpwn: Attacking x86 Processor Integrity from Software

Fault-injection attacks have been proven in the past to be a reliable way of bypassing hardware-based security measures, such as cryptographic hashes, privilege and access permission enforcement, and trusted execution environments. However, traditional fault-injection attacks require physical presence, and hence, were often considered out of scope in many real-world adversary settings. This paper presents V0LTpwn, a novel hardware-oriented but software-controlled attack that affects the integrity of computation in virtually any execution mode on modern x86 processors. The key idea behind this attack is to undervolt a physical core to force non-recoverable hardware faults. Under a V0LTpwn attack, CPU instructions will continue to execute with erroneous results and without crashes, allowing for exploitation. In contrast to recently presented side-channel attacks that leverage vulnerable speculative execution, V0LTpwn is not limited to information disclosure, but allows adversaries to affect execution, and hence, effectively breaks the integrity goals of modern x86 platforms. The only other software-based fault-injection exploit, Plundervolt, came out around the same time and is similar; the two sets of authors may not have known about each other's work.

Ransomware

Sodinokibi Ransomware to stop taking Bitcoin to hide money trail

The Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track ransom payments and plans to stop allowing bitcoin payments in the future. In a 2019 webinar titled "The functionality of privacy coins", Europol stated that the use of both Tor and Monero made it impossible to trace the funds or the actors who received them.

RagnarLocker ransomware hits EDP energy giant, asks for €10M

Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). During the attack, the Ragnar Locker ransomware operators claim to have stolen over 10 TB of sensitive company files and they are now threatening the company to leak all the stolen data unless the ransom is paid.

Ransomware attacks lock 2 Manitoba law firms out of computer systems

Work at two Manitoba law firms is at a virtual standstill after cyber attacks left staff without access to their computer systems, locking out digital files, emails and data backups. It left lawyers and staff at the firms without access to client lists, emails, accounting and financial information, photos and other digital files. Cloud backups were also locked. It is suspected that someone clicked on a link or an attachment in an email that was infected with a virus, specifically Maze ransomware, which in turn infected the firms' entire systems, read a notice on the society's website.

Malware

New Ursnif Campaign: A Shift from PowerShell to Mshta

Recently, Zscaler saw the start of a campaign featuring a new multistage payload distribution technique for the well-known banking Trojan named Ursnif (aka Gozi aka Dreambot). The malware has been around for a long time and remains active leveraging new distribution techniques.

Fake VPN Sites Deliver Infostealers

Because of the worldwide call for social distancing, many people working from home and taking classes online for the first time are turning to the virtual private network (VPN) for security and privacy. A new campaign is using the demand for VPNs to trick users into downloading and installing malware by masquerading as a legitimate VPN client.

NetWire RAT Targeting Taxpayers is Spreading via Legacy Microsoft Excel 4.0 Macro

FortiGuard Labs has observed the NetWire RAT spreading widely over the past years. By analyzing NetWire samples, threat researchers have documented that the NetWire RAT focuses on stealing credential information, logging keystrokes, and stealing hardware information -- including hard drives, network cards, and similar components. Recently, a new campaign has been observed that uses Excel 4.0 macros, a feature that is 28 years old and that most antivirus engines no longer detect.

APT41 Using New Speculoos Backdoor to Target Organizations Globally

On March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage-motivated adversary group known as APT41. This attack campaign was thought to target Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. This blog will be specific to the FreeBSD-based payload that researchers have named Speculoos. The deployment of a tool to run specifically on FreeBSD is fairly novel. Malware targeting BSD-based systems is relatively rare, and considering the use of this tool in conjunction with a vulnerability affecting specific Citrix network appliances, it is highly likely Speculoos was specifically crafted for this attack campaign by APT41.

Grandoreiro Malware Now Targeting Banks in Spain

During the past few months, IBM X-Force researchers have noticed a familiar malware threat that typically affects bank customers in Brazil has spread to attack banks in Spain. Grandoreiro, a remote-overlay banking Trojan, has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region. Remote-overlay Trojans are easy to find and purchase in underground and dark web markets. A recent campaign delivered Grandoreiro using COVID-19-themed videos to trick users into running a concealed executable, infecting their devices with a remote-access tool (RAT) designed to empty their bank accounts.

Privacy

American Appeals Court Allows Facebook Privacy Lawsuit to Proceed

Facebook has been accused of violating its users' rights by tracking users' internet activity even after they have logged out of the platform. The 9th U.S. Circuit Court of Appeals in San Francisco said that users could now pursue the company under various privacy and wiretapping laws. Facebook is still dealing with the legal ramifications of the Cambridge Analytica scandal both in Australia and around the world. "Plaintiffs have plausibly alleged that Facebook set an expectation that logged-out user data would not be collected, but then collected it anyway," the judge wrote. "In addition, the amount of data allegedly collected was significant...

Signal Threatens to Leave the US If Earn IT Act Passes

Signal is warning that an anti-encryption bill circulating in Congress could force the private messaging app to pull out of the US market. Since the start of the coronavirus pandemic, the free app, which offers end-to-end encryption, has seen a surge in traffic. But on Wednesday, the nonprofit behind the app published a blog post, raising the alarm around the EARN IT Act. "At a time when more people than ever are benefiting from these (encryption) protections, the EARN IT bill proposed by the Senate Judiciary Committee threatens to put them at risk," Signal developer Joshua Lund wrote in the post.

Cloudflare drops Google's reCAPTCHA due to privacy concerns

Cloudflare announced that it has moved from Google's reCAPTCHA to hCaptcha, an independent alternative CAPTCHA provider focused on user privacy. CAPTCHAs (short for Completely Automated Public Turing Test to Tell Computers and Humans Apart) are so-called "challenges" displayed by Cloudflare to a site's visitors with the end goal of blocking malicious bot activity if the service detects unusual behavior not consistent with human traffic. Generally, they are prompts asking visitors to enter the same squiggly letters displayed in a box or to identify various objects such as cars or traffic lights, to differentiate between legitimate and automated web traffic.

Growth in surveillance may be hard to scale back after pandemic, experts say

The coronavirus pandemic has led to an unprecedented global surge in digital surveillance, with billions of people facing enhanced monitoring that may prove difficult to roll back. Governments in at least 25 countries are employing vast programmes for mobile data tracking, apps to record personal contact with others, CCTV networks equipped with facial recognition, permission schemes to go outside and drones to enforce social isolation regimes. The methods have been adopted by authoritarian states and democracies alike and have opened lucrative new markets for companies that extract, sell, and analyse private data.

Scams

FBI warns of ongoing COVID-19 scams targeting govt, health care

The U.S. Federal Bureau of Investigation (FBI) warned government agencies and health care organizations of ongoing BEC schemes exploiting the COVID-19 pandemic, as well as an overall increase in cryptocurrency and health care fraud scam activity targeting consumers. Government and health care industry buyers were alerted to multiple incidents where fraudsters scammed state government agencies trying to buy personal protective equipment (PPE) and medical equipment from both domestic and foreign entities. According to another FBI warning, crooks are also taking advantage of the pandemic to victimize consumers of all ages in cryptocurrency-related fraud schemes such as blackmail attempts, work-from-home scams, e-commerce advance fee schemes, and investment scams.

Beware of scams during this crucial time of CoronaVirus pandemic

During the CoronaVirus pandemic and its lockdown period, people have more free time to spend on mobile phones and laptops. Riding on this wave, scammers create fake messages with attractive offers or services on social media. A large number of fake WhatsApp messages are also being forwarded by people in this period. Such messages can easily fool users who are unaware of such scams.

Crime

Russian hackers tried to steal San Francisco airport Windows accounts

The hack of employee web sites belonging to the San Francisco International Airport has been attributed to a Russian hacker group who used the SMB protocol to steal Windows passwords. At the time, it was not known precisely how this was being done, but new information posted on Twitter by cybersecurity firm ESET sheds some light on the attack and how it was used to target Windows logins.

Corona crimes: multi-million face mask scam foiled by police across Europe

As part of a case coordinated by Europol and Interpol, financial institutions and authorities across Germany, Ireland, the Netherlands and the United Kingdom have foiled an attempt to cheat health authorities out of millions of euros by selling them non-existent face masks. In mid-March, the German health authorities contracted two sales companies in Zurich and Hamburg to procure €15 million worth of face masks. With a global shortage of medical supplies complicating usual business channels, the buyers followed new leads in the hope of securing the masks.

Credit card thieves target WooCommerce sites with new skimmer

Credit card thieves are targeting WordPress e-commerce sites powered by WooCommerce with a dedicated JavaScript-based card-skimmer malware instead of run-of-the-mill attempts to redirect payments to attacker-controlled accounts. WooCommerce is a free and open-source WordPress plugin with more than 5 million active installs that makes it easy to run e-commerce sites that can be used to "sell anything, anywhere."

Leaks

Canadian passengers from virus-stricken Zaandam cruise ship hit by federal gov't privacy breach

After enduring a cruise with a COVID-19 outbreak and four deaths, the 247 Canadian passengers who were aboard the Holland America Line ship, the MS Zaandam, face a new problem: a privacy breach by Global Affairs Canada. In a detailed email Global Affairs Canada sent Canadian passengers during the Easter holiday weekend, it explained that, "due to an administrative error," it had mistakenly sent them an email on April 1 with an attachment containing personal information on each passenger - including their address, date of birth, email, phone number and passport number.

Account details for 4 million Quidd users shared on hacking forum

Quidd, an online marketplace for trading stickers, cards, toys, and other collectibles, appears to have suffered a data breach in 2019, and the details of around four million users are now being shared for free on underground hacking forums. The data, of which ZDNet has obtained samples from three different sources, contains Quidd usernames, email addresses, and hashed account passwords.

Over 500,000 Zoom accounts sold on hacker forums, the dark web

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free. These credentials are gathered through credential stuffing attacks, in which threat actors attempt to log in to Zoom using username and password pairs leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers. Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Phishing

Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns

Despite prior reporting by various sources indicating that some cyber threat actor activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks. This blog post seeks to provide a thorough picture and solid technical analysis of the cross-section between the various types of COVID-19 themed threats organizations may be facing during the ongoing pandemic. Specifically, it addresses a ransomware variant observed in attacks on a Canadian government healthcare organization and a Canadian medical research university, as well as an infostealer variant (AgentTesla) observed in attacks against various other targets.

Doctors Community Medical Center notifies patients after phishing incident put patient info at risk

In January, the center noticed unusual network activity in its payroll system. Their investigation revealed that a number of employees had fallen for a phishing attack and that the attacker(s) had access to employee email accounts between November 6, 2019 and January 30.