Table of Contents
- TrickBot in hundreds of unique COVID-19 lures per week
- Clipboard hijacking malware found in 725 Ruby libraries
- Microsoft helped stop a botnet controlled via an LED light console
- Uncooking Eggs: Manual Dridex Dropper Malicious Document Deobfuscation Methods
- Gamaredon APT Group Use Covid-19 Lure in Campaigns
Hackers may have accessed personal information of Aurora Medical Center Bay Area patients
Someone used an email phishing scam around January 1 to gain access to the email accounts of several of the Marinette hospital's employees, according to Advocate Aurora Health. When hospital leaders learned of the breach on Jan. 9, they alerted federal and state law enforcement, started an internal investigation and changed the credentials for the affected employee accounts. Officials said the hackers did not get into the hospital's electronic health records system, but they may have had access to patients' personal and health information contained in employee emails.
Aptoide - 20,012,235 breached accounts
In April 2020, the independent Android app store Aptoide suffered a data breach. The incident resulted in the exposure of 20M customer records which were subsequently shared online via a popular hacking forum. Impacted data included email and IP addresses, names, and passwords stored as SHA-1 hashes without a salt.
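Why "SHA-1 without a salt" matters in practice, as an added example that is not part of the original item and uses no real Aptoide data: the rows and wordlist below are constructed, and PBKDF2 is used as a stand-in for whatever slow KDF a site should have used.

```python
import hashlib
import hmac
import os

# Constructed sample rows in the shape described above (email, unsalted SHA-1
# hex digest). These are made-up accounts, not records from the Aptoide breach.
LEAKED_ROWS = [
    ("alice@example.com", hashlib.sha1(b"password123").hexdigest()),
    ("bob@example.com", hashlib.sha1(b"letmein").hexdigest()),
    ("carol@example.com", hashlib.sha1(b"password123").hexdigest()),
    ("dave@example.com", hashlib.sha1(b"correct horse battery staple 9!").hexdigest()),
]

# Constructed stand-in for a cracking wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123"]


def build_lookup(wordlist):
    """Hash every candidate exactly once. With no salt, this single table
    applies to every account in the dump, which is what makes unsalted
    hashes cheap to crack at scale."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(rows, wordlist):
    """Return {email: recovered_password} for every row whose digest appears
    in the precomputed table."""
    table = build_lookup(wordlist)
    return {email: table[h] for email, h in rows if h in table}


def find_shared_hashes(rows):
    """Accounts sharing a password produce identical digests when there is
    no salt, so cracking one of them cracks all of them."""
    groups = {}
    for email, h in rows:
        groups.setdefault(h, []).append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


def hash_password_salted(password, salt=None, iterations=200_000):
    """The fix: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256
    from the standard library). A table built for one user is useless for
    the next, and every guess costs `iterations` hash operations."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, expected, iterations=200_000):
    """Constant-time comparison so the check itself does not leak timing."""
    _, digest = hash_password_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def salted_demo(password="password123", wrong="letmein", iterations=1000):
    """Two salted hashes of the same password differ, yet each still verifies
    against its own salt and rejects a wrong password."""
    s1, d1 = hash_password_salted(password, iterations=iterations)
    s2, d2 = hash_password_salted(password, iterations=iterations)
    return (d1 != d2,
            verify_salted(password, s1, d1, iterations),
            verify_salted(wrong, s1, d1, iterations))


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    print("shared digests:", find_shared_hashes(LEAKED_ROWS))
    print("salted demo (differ, ok, wrong):", salted_demo())
```

Running it recovers alice, bob and carol from a five-word list and shows alice and carol share a digest; dave's passphrase survives only because it is not in the list, not because SHA-1 protected it. The salted variant produces a different digest on each enrolment, so a leaked table cannot be cross-referenced across users.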
Ransomware attack temporarily knocks out Olean city systems
On Friday morning, city officials announced that the management information department detected and stopped a computer virus attack on the city's computers before the opening of business. "All I can tell you is that ransomware was discovered early in the morning," Mayor Bill Aiello said, noting the attack could not have come at a worse time as many city employees are working remotely from home. "We were able to minimize the effect of it on our network."
Leading accounting firm MNP hit with cyberattack
A leading accounting firm in Canada forced a company-wide shutdown of its systems after being hit with a cyberattack last weekend, BleepingComputer has learned. Canadian accounting firm MNP's systems were impacted last weekend in what BleepingComputer was told was a ransomware attack. When the company discovered that an attack was taking place, it shut down systems throughout the company to prevent more devices from being infected. MNP employees have told BleepingComputer that accountants were sent text messages asking them to bring their laptops into the office to be secured before reconnecting to servers.
Ransomware Wrecks Florida City
A malware attack on the Florida town of Jupiter has caused problems that are out of this world. The Palm Beach County conurbation was struck with REvil ransomware, also known as Sodinokibi, on March 21 in an attack that took down the town's computer system for three weeks. Kate Moretto, Jupiter's public information officer, confirmed that multiple files had been encrypted as a result of the incident.
IT services giant Cognizant suffers Maze Ransomware cyberattack
Information technology services giant Cognizant suffered a cyberattack Friday night, allegedly by the operators of the Maze ransomware, BleepingComputer has learned. Cognizant is one of the largest IT managed services companies in the world, with close to 300,000 employees and over $15 billion in revenue. As part of its operations, Cognizant remotely manages its clients through endpoint clients, or agents, installed on customers' workstations to push out patches and software updates and to perform remote support. On Friday, Cognizant began emailing its clients, stating that it had been compromised, and included a "preliminary list of indicators of compromise identified through our investigation." Clients could then use this information to monitor their systems and further secure them.
US govt: Hacker used stolen AD credentials to ransom hospitals
Attackers have deployed ransomware on the systems of U.S. hospitals and government entities using Active Directory credentials that were stolen by exploiting a known pre-authentication arbitrary file read vulnerability in their Pulse Secure VPN servers and then reused months later. Even though the vulnerability, tracked as CVE-2019-11510, was patched by Pulse Secure in April 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned organizations in January 2020 to patch their Pulse Secure VPN servers against ongoing attacks, after an earlier alert issued in October 2019. Despite all these warnings, CISA had to issue one more alert this week urging organizations to immediately patch CVE-2019-11510 to block attackers from gaining access to their networks and stealing domain administrator credentials. The practical caveat is that patching does not invalidate credentials that were already harvested: an organization that patched late must also rotate the passwords (and Kerberos tickets) of any account that could have been exposed through the VPN.
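A retrospective check an incident responder would run over VPN web-access logs to see whether the appliance was hit before it was patched, added here as an example and not taken from CISA's alert or Pulse Secure's guidance. The log lines are constructed, using documentation IP addresses; the traversal requests imitate the shape of a pre-auth file read through ".." segments against the appliance's web paths and are illustrative, not captured exploit traffic. The detector is generic: it percent-decodes repeatedly and flags any request whose path climbs above the web root.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample in a combined-log-like format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2020:08:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.5 - - [13/Apr/2020:08:01:20 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
198.51.100.77 - - [13/Apr/2020:08:05:44 +0000] "GET /dana-na/../../../../../../etc/passwd?/dana-na/ HTTP/1.1" 200 1834
198.51.100.77 - - [13/Apr/2020:08:05:51 +0000] "GET /dana-na/..%252F..%252F..%252F..%252F..%252F..%252Fetc/passwd HTTP/1.1" 200 1834
203.0.113.9 - - [13/Apr/2020:08:07:03 +0000] "GET /dana/home/starter.cgi HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s, max_rounds=3):
    """Percent-decode until stable so a double-encoded '..%252F' does not
    slip past a single decode."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_depth(target):
    """Walk the decoded path and return the lowest depth reached relative to
    the web root: 0 means the path never escapes, -n means it climbed n
    directories above the root at some point."""
    path = fully_decode(target.split("?", 1)[0])
    depth, lowest = 0, 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return lowest


def detect_traversal(log_text):
    """One finding per request whose path escapes the web root, keeping the
    raw target so an analyst sees exactly what was asked for. A 200 status
    on such a request is the strongest signal that the read succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        lowest = traversal_depth(m["target"])
        if lowest < 0:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "climbs": -lowest, "target": m["target"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_traversal(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} climbs={f['climbs']} {f['target']}")
```

Any hit with a 200 response from before the patch date should be treated as credential exposure, which means rotating every account that authenticated through the VPN rather than relying on the patch alone; the `climbs` count distinguishes a harmless `/a/../b` (never below the root) from a genuine escape.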
TrickBot in hundreds of unique COVID-19 lures per week
TrickBot is, at the moment, the malware showing up in the highest number of unique COVID-19 related malicious emails and attachments delivered to potential victims' inboxes, based on Microsoft's Office 365 Advanced Threat Protection (ATP) data. "Based on Office 365 ATP data, TrickBot is the most prolific malware operation using COVID-19 themed lures," according to a tweet from Microsoft's global network of security experts. "This week's campaign uses several hundred unique macro-laced document attachments in emails that pose as a message from a non-profit offering free COVID-19 tests." The macros used by the TrickBot gang still use a delay before downloading the malicious payloads, to evade sandbox analysis and emulation.
Clipboard hijacking malware found in 725 Ruby libraries
Security researchers from ReversingLabs say they've discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users' clipboards. All the Ruby libraries were copies of legitimate libraries, used lookalike names, worked as intended, but also contained additional malicious files.
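A dependency-review check for the lookalike-name trick described above, added here as an example and not part of the ReversingLabs research or of RubyGems itself. The trusted set and the candidate list are constructed (the trusted names are real, widely used gems serving only as the known-good reference); the thresholds are a choice, not a standard.

```python
# Constructed reference set: the gems an organization knowingly depends on.
TRUSTED = {"rails", "rack", "rake", "rack-cors", "nokogiri", "bundler", "rspec-core", "puma"}

# Constructed names as they might appear in a Gemfile.lock under review.
CANDIDATES = ["rails", "nokogirl", "bundlr", "rspec_core", "puma", "ractor"]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name, trusted):
    """Return (verdict, closest_trusted_name). Exact matches win first so that
    legitimate near-neighbours (rack/rake) are never flagged against each
    other; hyphen/underscore swaps are reported separately because they
    look "obviously right" to a human reader."""
    if name in trusted:
        return ("ok", name)
    norm = name.replace("-", "_")
    for t in sorted(trusted):
        if norm == t.replace("-", "_"):
            return ("separator-swap", t)
    best = min(sorted(trusted), key=lambda t: levenshtein(name, t))
    threshold = 1 if len(best) <= 6 else 2   # short names tolerate fewer edits
    if levenshtein(name, best) <= threshold:
        return ("edit-distance", best)
    return ("unknown", None)


def audit(candidates, trusted):
    """Map every candidate name to its verdict."""
    return {name: classify(name, trusted) for name in candidates}


if __name__ == "__main__":
    for name, (verdict, near) in audit(CANDIDATES, TRUSTED).items():
        print(f"{name:12s} {verdict:15s} {near or ''}")
```

Anything other than "ok" is a prompt for review, not an automatic block: "unknown" simply means the name is not in the reference set, and a flagged near-match must be compared against the gem's real publisher and history before it is trusted.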
Microsoft helped stop a botnet controlled via an LED light console
Microsoft says that its Digital Crimes Unit (DCU) discovered and helped take down a botnet of 400,000 compromised devices that was controlled with the help of an LED light control console. The threat actors used the botnet for a wide variety of purposes, including phishing campaigns, malware distribution, ransomware payload delivery, and distributed denial-of-service (DDoS) attacks. "To the team's surprise, these activities correlated to as much as one terabyte (TB) of malicious content being sent out a week," Microsoft said.
Uncooking Eggs: Manual Dridex Dropper Malicious Document Deobfuscation Methods
Rapid7 has written an article explaining how to analyze and deobfuscate a malicious document macro.
Gamaredon APT Group Use Covid-19 Lure in Campaigns
Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. Their campaigns are generally known for targeting Ukrainian government institutions. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group's activities.
FBI Says Foreign States Hacked into U.S. Covid-19 Research Centers
While the Federal Bureau of Investigation (FBI) has been warning the public about COVID-19 related scams, fraud and fake news, something far more sinister has now emerged: the FBI has reportedly seen evidence of foreign state-sponsored hackers breaking into U.S. COVID-19 research institutions.
The DoD Isn't Fixing Its Security Problems
GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of "cybersecurity hygiene" like this does not directly analyze a network's hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways, especially when those people work on national defense. GAO repeatedly identified lack of status updates and accountability as core issues within DoD's cybersecurity awareness and education efforts. It was unclear in many cases who had completed which training modules. There were even DoD departments lacking information on which users should have their network access revoked for failure to complete training.
GitHub accounts stolen in ongoing phishing attacks
GitHub users are currently being targeted by a phishing campaign specifically designed to collect and steal their credentials via landing pages mimicking GitHub's login page. Besides taking over their accounts, the attackers are also immediately downloading the contents of private repositories, including but not limited to "those owned by organization accounts and other collaborators." "If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password," GitHub's Security Incident Response Team (SIRT) says.
Zoom Endpoint-Security Considerations
Thorsten Schröder has examined the Windows version of Zoom and found that it uses many vulnerable components and shows poor security hygiene.
Decade of the RATs: Is Linux Secure?
Just recently, LinuxSecurity published a feature article exploring the rise in attacks targeting Linux, their implications for Linux users and the conclusions that can be drawn about the security of the operating system based on this disheartening trend. Now, yet another frightening attack campaign exploiting Linux has come to light. In a new report, security researchers from BlackBerry reveal that Chinese state hackers have been successfully infiltrating critical Linux servers with little to no detection since 2012. The researchers identified a previously undocumented Linux malware tool set including two kernel-level rootkits and three backdoors.
Hacking Logitech smart remote control
A security researcher has disassembled and reverse engineered a "smart remote control" from Logitech and has written about questionable design and security choices of this device.
Employers use software to take screenshots of workers’ computers
Weeks after employees began working from home in March, Mr. Heuwetter said he noticed that some staffers started logging on later in the mornings. Others were slow to respond to messages. Mr. Heuwetter says he understands working remotely requires a significant adjustment, but he became concerned. So he required workers at his company, 98 Buck Social, to install a tool that takes computer screenshots every 10 minutes and records how much time they spend on certain activities.
A Message About Vanguard From Our Security and Privacy Teams
Riot Games has written an article in response to concerns from the security community regarding its new anti-cheat software, Vanguard, which operates in kernel mode so that cheats running with kernel-mode privileges cannot defeat it.
Teenage hacker arrested in Madrid for hacking medical data and leaking information on a politician positive for COVID-19
A 16-year-old hacker has been arrested for hacking medical data and then leaking information about a politician who had tested positive for COVID-19. Agents from the Technological Investigation Unit of the Policia Nacional arrested the teenager in Madrid. He had managed to hack into the servers of the Madrid health service and obtain patients' medical records, including that of a prominent politician. The hacker then released the information on his Twitter and Instagram pages in order to gloat.
Silicon Valley Legends Launch 'Beyond Identity' To Eliminate All Passwords
Jim Clark and Tom Jermoluk have launched a phone-resident, personal certificate-based authentication and authorization solution that eliminates all passwords. The technology used is not new, being based on X.509 certificates and SSL/TLS. What is new is the opportunity provided by the modern smartphone: biometric user access, enough memory and processing power, and a secure enclave to store the private key of the device's own certificate so that it never leaves the device. The biometric access ties the phone to its user, and the Beyond Identity certificate authenticates the device/user to the service provider, whether that is a bank or a corporate network...