V0LTpwn: Attacking x86 Processor Integrity from Software
Fault-injection attacks have been proven in the past to be a reliable way of bypassing hardware-based security measures, such as cryptographic hashes, privilege and access permission enforcement, and trusted execution environments. However, traditional fault-injection attacks require physical presence, and hence, were often considered out of scope in many real-world adversary settings. This paper presents V0LTpwn, a novel hardware-oriented but software-controlled attack that affects the integrity of computation in virtually any execution mode on modern x86 processors. The key idea behind this attack is to undervolt a physical core to force non-recoverable hardware faults. Under a V0LTpwn attack, CPU instructions will continue to execute with erroneous results and without crashes, allowing for exploitation. In contrast to recently presented side-channel attacks that leverage vulnerable speculative execution, V0LTpwn is not limited to information disclosure, but allows adversaries to affect execution, and hence, effectively breaks the integrity goals of modern x86 platforms. The only other software-based fault-injection exploit, Plundervolt, came out around the same time and is similar; the two sets of authors may not have known about each other's work.
Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
The Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track ransom payments and plans to stop allowing bitcoin payments in the future. In a 2019 webinar titled "The functionality of privacy coins", Europol stated that the use of both Tor and Monero made it impossible to trace the funds or the actors who received them.
RagnarLocker ransomware hits EDP energy giant, asks for €10M
Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). During the attack, the Ragnar Locker ransomware operators claim to have stolen over 10 TB of sensitive company files and they are now threatening the company to leak all the stolen data unless the ransom is paid.
Ransomware attacks lock 2 Manitoba law firms out of computer systems
Work at two Manitoba law firms is at a virtual standstill after cyber attacks left staff without access to their computer systems, locking out digital files, emails and data backups. It left lawyers and staff at the firms without access to client lists, emails, accounting and financial information, photos and other digital files. Cloud backups were also locked. It is suspected that someone clicked on a link or an attachment in an email that was infected with a virus, specifically Maze ransomware, which in turn infected the firms' entire systems, read a notice on the society's website.
New Ursnif Campaign: A Shift from PowerShell to Mshta
Recently, Zscaler saw the start of a campaign featuring a new multistage payload distribution technique for the well-known banking Trojan named Ursnif (aka Gozi aka Dreambot). The malware has been around for a long time and remains active leveraging new distribution techniques.
Fake VPN Sites Deliver Infostealers
Because of the worldwide call for social distancing, many people working from home and taking classes online for the first time are turning to the virtual private network (VPN) for security and privacy. A new campaign is using the demand for VPNs to trick users into downloading and installing malware by masquerading as a legitimate VPN client.
NetWire RAT Targeting Taxpayers is Spreading via Legacy Microsoft Excel 4.0 Macro
FortiGuard Labs has observed the NetWire RAT spreading widely over the past years. By analyzing NetWire samples, threat researchers have documented that the NetWire RAT focuses on stealing credential information, logging keystrokes, and stealing hardware information, including hard drives, network cards, and similar components. Recently, a new campaign has been observed that uses Excel 4.0 macros, a 28-year-old feature that most antivirus engines no longer detect.
APT41 Using New Speculoos Backdoor to Target Organizations Globally
On March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage-motivated adversary group known as APT41. This attack campaign was thought to target Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. This blog will be specific to the FreeBSD-based payload that researchers have named Speculoos. The deployment of a tool to run specifically on FreeBSD is fairly novel. Malware targeting BSD-based systems is relatively rare, and considering the use of this tool in conjunction with a vulnerability affecting specific Citrix network appliances, it is highly likely Speculoos was specifically crafted for this attack campaign by APT41.
Grandoreiro Malware Now Targeting Banks in Spain
During the past few months, IBM X-Force researchers have noticed a familiar malware threat that typically affects bank customers in Brazil has spread to attack banks in Spain. Grandoreiro, a remote-overlay banking Trojan, has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region. Remote-overlay Trojans are easy to find and purchase in underground and dark web markets. A recent campaign delivered Grandoreiro using COVID-19-themed videos to trick users into running a concealed executable, infecting their devices with a remote-access tool (RAT) designed to empty their bank accounts.
American Appeals Court Allows Facebook Privacy Lawsuit to Proceed
Facebook has been accused of violating its users' rights by tracking users' internet activity even after they have logged out of the platform. The 9th U.S. Circuit Court of Appeals in San Francisco said that users could now pursue claims against the company under various privacy and wiretapping laws. Facebook is still dealing with the legal ramifications of the Cambridge Analytica scandal both in Australia and around the world. "Plaintiffs have plausibly alleged that Facebook set an expectation that logged-out user data would not be collected, but then collected it anyway," the judge wrote. "In addition, the amount of data allegedly collected was significant...
Signal Threatens to Leave the US If Earn IT Act Passes
Signal is warning that an anti-encryption bill circulating in Congress could force the private messaging app to pull out of the US market. Since the start of the coronavirus pandemic, the free app, which offers end-to-end encryption, has seen a surge in traffic. But on Wednesday, the nonprofit behind the app published a blog post, raising the alarm around the EARN IT Act. "At a time when more people than ever are benefiting from these (encryption) protections, the EARN IT bill proposed by the Senate Judiciary Committee threatens to put them at risk," Signal developer Joshua Lund wrote in the post.
Cloudflare drops Google's reCAPTCHA due to privacy concerns
Cloudflare announced that it has moved from Google's reCAPTCHA to hCaptcha, an independent alternative CAPTCHA provider focused on user privacy. CAPTCHAs (short for Completely Automated Public Turing Test to Tell Computers and Humans Apart) are so-called "challenges" displayed by Cloudflare to a site's visitors with the end goal of blocking malicious bot activity if the service detects unusual behavior not consistent with human traffic. Generally, they are prompts asking visitors to enter the same squiggly letters displayed in a box, or to identify various objects such as cars or traffic lights, to differentiate between legitimate and automated web traffic.
Growth in surveillance may be hard to scale back after pandemic, experts say
The coronavirus pandemic has led to an unprecedented global surge in digital surveillance, with billions of people facing enhanced monitoring that may prove difficult to roll back. Governments in at least 25 countries are employing vast programmes for mobile data tracking, apps to record personal contact with others, CCTV networks equipped with facial recognition, permission schemes to go outside and drones to enforce social isolation regimes. The methods have been adopted by authoritarian states and democracies alike and have opened lucrative new markets for companies that extract, sell, and analyse private data.
FBI warns of ongoing COVID-19 scams targeting govt, health care
The U.S. Federal Bureau of Investigation (FBI) warned government agencies and health care organizations of ongoing BEC schemes exploiting the COVID-19 pandemic, as well as an overall increase in cryptocurrency and health care fraud scam activity targeting consumers. Government and health care industry buyers were alerted to multiple incidents where fraudsters scammed state government agencies trying to buy personal protective equipment (PPE) and medical equipment from both domestic and foreign entities. According to another FBI warning, crooks are also taking advantage of the pandemic to victimize consumers of all ages in cryptocurrency-related fraud schemes such as blackmail attempts, work-from-home scams, e-commerce advance fee schemes, and investment scams.
Beware of scams during this crucial time of CoronaVirus pandemic
Due to the CoronaVirus pandemic and the resulting lockdown, people have more free time to spend on mobile phones and laptops. Riding on this wave, scammers are creating fake messages with attractive offers or services on social media. A large number of fake WhatsApp messages are also being forwarded by people in this period. Such messages can easily fool users who are unaware of such scams.
Russian hackers tried to steal San Francisco airport Windows accounts
The hack of employee web sites belonging to the San Francisco International Airport has been attributed to a Russian hacker group who used the SMB protocol to steal Windows passwords. At the time, it was not known precisely how this was being done, but new information posted on Twitter by cybersecurity firm ESET sheds some light on the attack and how it was used to target Windows logins.
Corona crimes: multi-million face mask scam foiled by police across Europe
As part of a case coordinated by Europol and Interpol, financial institutions and authorities across Germany, Ireland, the Netherlands and the United Kingdom have foiled an attempt to cheat health authorities out of millions of euros by selling them non-existent face masks. In mid-March, the German health authorities contracted two sales companies in Zurich and Hamburg to procure €15 million worth of face masks. With a global shortage on medical supplies complicating usual business channels, the buyers followed new leads in the hopes of securing the masks.
Credit card thieves target WooCommerce sites with new skimmer
Canadian passengers from virus-stricken Zaandam cruise ship hit by federal gov't privacy breach
After enduring a cruise with a COVID-19 outbreak and four deaths, the 247 Canadian passengers who were aboard the Holland America Line ship, the MS Zaandam, face a new problem: a privacy breach by Global Affairs Canada. In a detailed email Global Affairs Canada sent Canadian passengers during the Easter holiday weekend, it explained that, "due to an administrative error," it had mistakenly sent them an email on April 1 with an attachment containing personal information on each passenger - including their address, date of birth, email, phone number and passport number.
Account details for 4 million Quidd users shared on hacking forum
Quidd, an online marketplace for trading stickers, cards, toys, and other collectibles, appears to have suffered a data breach in 2019, and the details of around four million users are now being shared for free on underground hacking forums. The data, of which ZDNet has obtained samples from three different sources, contains Quidd usernames, email addresses, and hashed account passwords.
Over 500,000 Zoom accounts sold on hacker forums, the dark web
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free. These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers. Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.
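The pattern described above (one source trying many different accounts, a few of which succeed) is what a defender can look for in authentication logs. The following is an added example, not code from the original report or from Zoom: it runs a sliding-window detector over constructed sample log lines in a hypothetical "timestamp source user result" format, flags a source that fails against many distinct accounts in a short window, and lists the accounts that nevertheless logged in successfully from that source, since those are the credentials that end up on the lists the article describes and should be reset.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log (not real Zoom data). Format: ISO timestamp, source IP,
# account, result (FAIL or OK). 198.51.100.7 sprays 12 different accounts in two
# minutes and gets two hits; 203.0.113.5 is a real user mistyping a password.
SAMPLE_LOG = """\
2020-04-13T10:00:00 198.51.100.7 u01@example.com FAIL
2020-04-13T10:00:10 198.51.100.7 u02@example.com FAIL
2020-04-13T10:00:20 198.51.100.7 u03@example.com FAIL
2020-04-13T10:00:30 198.51.100.7 u04@example.com FAIL
2020-04-13T10:00:40 198.51.100.7 u05@example.com OK
2020-04-13T10:00:50 198.51.100.7 u06@example.com FAIL
2020-04-13T10:01:00 198.51.100.7 u07@example.com FAIL
2020-04-13T10:01:10 198.51.100.7 u08@example.com FAIL
2020-04-13T10:01:20 198.51.100.7 u09@example.com FAIL
2020-04-13T10:01:30 198.51.100.7 u10@example.com OK
2020-04-13T10:01:40 198.51.100.7 u11@example.com FAIL
2020-04-13T10:01:50 198.51.100.7 u12@example.com FAIL
2020-04-13T10:05:00 203.0.113.5 bob@example.com FAIL
2020-04-13T10:05:20 203.0.113.5 bob@example.com FAIL
2020-04-13T10:05:40 203.0.113.5 bob@example.com FAIL
2020-04-13T10:06:00 203.0.113.5 bob@example.com OK
"""


@dataclass
class Alert:
    src: str
    distinct_users: int
    failures: int
    successes: int
    compromised: list = field(default_factory=list)  # accounts with an OK from src


def parse(log_text):
    """Turn the sample format into (timestamp, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_failures=8):
    """Flag sources whose failures inside `window` span many distinct accounts.

    A single user retrying a password fails repeatedly against ONE account, so
    the distinct-account threshold is what separates stuffing from typos.
    """
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = sum(1 for e in win if e[3] == "FAIL")
            users = {e[2] for e in win}
            if fails >= min_failures and len(users) >= min_users:
                hits = sorted({e[2] for e in win if e[3] == "OK"})
                cand = Alert(src, len(users), fails, len(hits), hits)
                # Keep the densest window seen for this source.
                if best is None or (cand.failures, cand.distinct_users) > (best.failures, best.distinct_users):
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(SAMPLE_LOG):
        print(f"{a.src}: {a.failures} failures across {a.distinct_users} accounts; "
              f"successful logins to reset: {', '.join(a.compromised)}")
```

The thresholds and the window are assumptions to tune per environment; the point of the design is that the alert carries the list of accounts that succeeded, so the response (forced password reset, session revocation) can be scoped immediately rather than reconstructed afterwards.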
Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
Despite prior reporting by various sources indicating that some cyber threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks. This blog post seeks to provide a thorough picture and solid technical analysis of the cross-section between the various types of COVID-19 themed threats organizations may be facing during the ongoing pandemic. Specifically, it addresses a ransomware variant observed in attacks on a Canadian government healthcare organization and a Canadian medical research university, as well as an infostealer variant (AgentTesla) observed in attacks against various other targets.
Doctors Community Medical Center notifies patients after phishing incident put patient info at risk
In January, the center noticed unusual network activity in its payroll system. Their investigation revealed that a number of employees had fallen for a phishing attack and that the attacker(s) had access to employee email accounts between November 6, 2019 and January 30.