Table of Contents

  1. Leaks
    1. Hacker leaks 23 million usernames and passwords from Webkinz children's game
    2. 267 million Facebook profiles sold for $600 on the dark web
    3. Vianet - 94,353 breached accounts
    4. Energy Company in Poland Exposed Data of its Customers
  2. Phishing
    1. German government might have lost tens of millions of euros in COVID-19 phishing attack
    2. Hackers exploit coronavirus lockdown with fake Netflix and Disney+ pages
    3. FBI warns of COVID-19 phishing targeting US health providers
    4. Spearphishing campaigns target oil, gas companies with spyware
    5. Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes
  3. Hoaxes
    1. Facebook Will Warn Users Who 'Liked' Coronavirus Hoaxes
  4. Crime
    1. Hackers steal $25 million worth of cryptocurrency from Uniswap and Lendf.me
    2. US Government concerned by cyber attacks on Czech hospitals during COVID19 crisis
    3. Nintendo accounts are getting hacked and used to buy Fortnite currency
  5. Scams
    1. Coronavirus Dark Web Scams: From infected blood to ventilators
    2. FBI: Extortion scammers more active due to stay-at-home orders
  6. Zoom
    1. Vulnerability Spotlight: Zoom Communications user enumeration
    2. Zoom’s security woes were no secret to business partners like Dropbox
  7. Vulnerabilities
    1. You Can Now Check If Your ISP Uses Basic Security Measures
    2. Chaos Computer Club analysis of Corona app from Robert-Koch-Institut
    3. Multiple Vulnerabilities in IBM Data Risk Manager
    4. You Won't Believe what this One Line Change Did to the Chrome Sandbox
    5. Critical bug in Google Chrome – get your update now
    6. New iOS exploit discovered being used to spy on China's Uyghur minority
    7. OpenSSL high-severity bug – affects 1.1.1d, 1.1.1e, 1.1.1f
    8. Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
    9. Starbleed Attacks on Data Centers, IoT Devices, Industrial Equipment using FPGA Chips
    10. Windows 10 SMBGhost RCE exploit demoed by researchers
    11. Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it
  8. Ransomware
    1. DoppelPaymer Ransomware hits Los Angeles County city, leaks files
  9. Privacy
    1. Stripe records user movements on its customers' websites
    2. France urges Apple and Google to ease privacy rules on contact tracing
    3. Researchers warn that contact tracing can be misused for surveillance
  10. Malware
    1. New Coronavirus screenlocker malware is extremely annoying
    2. New Android Banking Trojan Targets Spanish, Portuguese Speaking Users
    3. A Malware Researcher’s Guide to Reversing Maze Ransomware
  11. Politics
    1. The Netherlands overheard other countries for years after cracking encryption
  12. OSINT
    1. Who’s Behind the “Reopen” Domain Surge?

Leaks

Hacker leaks 23 million usernames and passwords from Webkinz children's game

A hacker has leaked the usernames and passwords of nearly 23 million players of Webkinz World, an online children's game managed by Canadian toy company Ganz. The Webkinz game launched in 2005 as the online counterpart of a line of Ganz plush toys. Users could enter a code from their plush toy on the Webkinz website where they could play and manage a version of their toy in the form of a virtual pet.

267 million Facebook profiles sold for $600 on the dark web

Threat actors are selling over 267 million Facebook profiles for £500 ($623) on dark web sites and hacker forums. While none of these records include passwords, they do contain information that could allow attackers to perform spear phishing or SMS attacks to steal credentials. Last month, security researcher Bob Diachenko discovered an open Elasticsearch database that contained a little over 267 million Facebook records, with most being users from the United States.

Vianet - 94,353 breached accounts

In April 2020, the Nepalese internet service provider Vianet suffered a data breach. The attack on the ISP led to the exposure of 177k customer records including 94k unique email addresses. Also exposed were names, phone numbers and physical addresses.

Energy Company in Poland Exposed Data of its Customers

On April 16th Bob Diachenko discovered an unprotected and publicly indexed Elasticsearch cluster that contained 3,376,912 records with personally identifiable information (PII). Upon closer examination, database appeared to be part of a cloud environment set up whether by a contractor or a data owner itself, which was Fortum Poland, a subsidiary of Finnish state-owned energy company, with data of their Polish customers.

Phishing

German government might have lost tens of millions of euros in COVID-19 phishing attack

The government of North Rhine-Westphalia, a province in western Germany, is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding. The funds were lost following a classic phishing operation. Cybercriminals created copies of an official website that the NRW Ministry of Economic Affairs had set up to distribute COVID-19 financial aid. Crooks distributed links to their sites using email campaigns, lured users on the sites, and collected details from locals. They then filed requests for government aid on behalf of the real users but they replaced the bank account where funds were to be wired.

Hackers exploit coronavirus lockdown with fake Netflix and Disney+ pages

More than 700 fake websites mimicking Netflix and Disney+ signup pages have been created seeking to harvest personal information from consumers during the coronavirus lockdown streaming boom. Netflix, which is expected to smash its forecast of 7 million new global subscribers when it reports first-quarter results on Tuesday, is the main target as millions of new potential customers seek entertainment while confined to their homes.

FBI warns of COVID-19 phishing targeting US health providers

The U.S. Federal Bureau of Investigation (FBI) warned of ongoing phishing campaigns targeting US healthcare providers using COVID-19 themed lures to distribute malicious attachments. "On 18 March 2020, network perimeter cybersecurity tools associated with US-based medical providers identified email phishing attempts from domestic and international IP addresses," the FBI says in a flash alert coordinated with the DHS Cybersecurity and Infrastructure Security Agency (CISA).

Spearphishing campaigns target oil, gas companies with spyware

Cybercriminals are targeting the oil and gas industry sector with highly targeted spearphishing campaigns impersonating shipment companies and engineering contractors while attempting to infect their targets with Agent Tesla info-stealer malware payloads. Agent Tesla is a .Net-based and commercially available info-stealing program active since at least 2014 that comes with keylogging and remote access Trojan (RAT) capabilities. This info-stealer is also used for collecting system info, for stealing clipboard contents, as well as for killing malware analysis related processes and antivirus solutions.

Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes

FortiGuard Labs has run into a number of unique types of spearphishing lures. For example, one of these targets companies that engage with biomedical firms, and as a result, they may be at risk of losing financial resources, data, or intellectual property. The final payload of this attack is an infostealer named Formbook. Given that this attack is trying to leverage the COVID pandemic, while at the same time having specialized targets, the severity level it carries could potentially be significant if it is able to take critical supply chain organizations offline.

Hoaxes

Facebook Will Warn Users Who 'Liked' Coronavirus Hoaxes

The Associated Press reports that soon Facebook will start warning users who "shared or interacted with dangerous coronavirus misinformation": The new notice will be sent to users who have clicked on, reacted to, or commented on posts featuring harmful or false claims about COVID-19 after they have been removed by moderators. The alert, which will start appearing on Facebook in the coming weeks, will direct users to a site where the World Health Organization lists and debunks virus myths and rumors...

Crime

Hackers steal $25 million worth of cryptocurrency from Uniswap and Lendf.me

Hackers have stolen more than $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform. The attacks took place over the weekend, on Saturday and Sunday, respectively. Although an investigation is currently underway, the two attacks are believed to be related, and most likely carried out by the same group or individual. According to investigators, hackers appear to have chained together bugs and legitimate features from different blockchain technologies to orchestrate a sophisticated "reentrancy attack." Reentrancy attacks allow hackers to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined.

US Government concerned by cyber attacks on Czech hospitals during COVID19 crisis

US Secretary of State Mike Pompeo expressed concerns for cyber attacks that recently hit Czech hospitals involved in the fight against the Coronavirus. "As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results. Anyone that engages in such an action should expect consequences." read the press release published by the U.S. State Department. "We call upon the actor in question to refrain from carrying out disruptive malicious cyber activity against the Czech Republic's healthcare system or similar infrastructure elsewhere. We also call upon all states not to turn a blind eye to criminal or other organizations carrying out such activity from their territory."

Nintendo accounts are getting hacked and used to buy Fortnite currency

Over the course of the last month, Nintendo users have been increasingly reporting that their accounts have been getting hacked and accessed from remote locations around the globe, with some users losing money as a result of the unauthorized intrusion. The account hijackings appear to have started mid-March and have reached a peak over the weekend when more and more users started receiving email alerts that unknown IP addresses have been seen accessing their Nintendo profiles. The way accounts are getting hacked is currently unknown. It is unclear if hackers are using passwords leaked in data breaches at other sites to also gain access to Nintendo accounts.

Scams

Coronavirus Dark Web Scams: From infected blood to ventilators

The dark web has always been a cesspool of black markets and conspiracy theories, but now with the Coronavirus outbreak, scammers have a new and more desperate audience to target their scams. As organizations and consumers scramble to find protective goods, medical equipment, and cures for the Coronavirus, scammers have begun to promote fake vaccines, sales of N95 masks, and even ventilators on the dark web.

FBI: Extortion scammers more active due to stay-at-home orders

The U.S. Federal Bureau of Investigation (FBI) warned of an increasing number of online extortion scam reports because a lot more people are being targeted due to the "stay-at-home" orders issued during the COVID-19 pandemic. "Because large swaths of the population are staying at home and likely using the computer more than usual, scammers may use this opportunity to find new victims and pressure them into sending money," the alert issued by FBI's Internet Crime Complaint Center (IC3) says.

Zoom

Vulnerability Spotlight: Zoom Communications user enumeration

Cisco Talos disclosed a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization.

Zoom’s security woes were no secret to business partners like Dropbox

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers. The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work.

Vulnerabilities

You Can Now Check If Your ISP Uses Basic Security Measures

For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. On Friday, the company launched Is BGP Safe Yet​, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers.

Chaos Computer Club analysis of Corona app from Robert-Koch-Institut

Chaos Computer Club has written a lengthy report in german about security and privacy issues with the apps written by the public health agency Robert-Koch-Institut. Netzpolitik also commented on this situation in a blog post.

Multiple Vulnerabilities in IBM Data Risk Manager

IBM Data Risk Manager (IDRM) is an enterprise security software by IBM that aggregates and provides a full view of all the enterprise security risks, akin to an electronic risk register. The product receives information feeds from vulnerability scanning tools and other risk management tools, aggregates them and allows a user to investigate them and perform comprehensive analysis. This advisory describes the four vulnerabilities and the steps necessary to chain the first three to achieve unauthenticated remote code execution as root. In addition, two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download are being released to the public. IBM said that they assessed the report and closed it as being out of scope for our vulnerability disclosure program since this product is only for 'enhanced' support paid for by our customers. "A process error resulted in an improper response to the researcher who reported this situation to IBM," the company told BleepingComputer. According to a security advisory, IBM patched the arbitrary file download and command injection vulnerabilities that existed within the IBM Data Risk Manager (IDRM) product versions 2.0.1 and greater.

You Won't Believe what this One Line Change Did to the Chrome Sandbox

James Forshaw from Project Zero has written a blog post documenting a vulnerability introduced in Windows 10 that enabled attackers to escape the Chrome sandbox.

Critical bug in Google Chrome – get your update now

Google just issued a Chrome update with a note that says, "This update includes 1 [critical] security fix." Unfortunately for the curious Chrome user, the long version doesn't say much more. The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public but, presumably, that they aren't now means that both the nature of the bug and how to exploit it can easily be deduced from the fix.

New iOS exploit discovered being used to spy on China's Uyghur minority

Security firm Volexity said that it discovered a new iOS exploit that was being used to spy on China's oppressed Uyghur minority. The exploit, which Volexity named Insomnia, works against iOS versions 12.3, 12.3.1, and 12.3.2. Apple patched the iOS vulnerability behind this exploit in July 2019, with the release of iOS version 12.4.

OpenSSL high-severity bug – affects 1.1.1d, 1.1.1e, 1.1.1f

Server or client applications that call the SSL~checkchain~() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature~algorithmscert~" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining

In this article, TrendMicro shows how Redis instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-mining bots and have been discovered to infect other vulnerable instances via their "wormlike" spreading capability.

Starbleed Attacks on Data Centers, IoT Devices, Industrial Equipment using FPGA Chips

Xilinx 7-series and some 6-series FPGAs are discovered to be vulnerable to new Starbleed vulnerability. It's a new security bug that impacts Xilinx FPGA (Field Programmable Gate Arrays) chipsets. Named Starbleed, the bug allows attackers --- with both physical or remote access --- to extract and tamper with an FGPA's bitstream (configuration file) to reprogram the chip with malicious code. Additional details are available in a research paper published last week and titled "The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs."

Windows 10 SMBGhost RCE exploit demoed by researchers

A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 'wormable' pre-auth remote code execution vulnerability was developed and demoed by researchers at Ricerca Security. The security vulnerability, also known as SMBGhost, was found in the Microsoft Server Message Block 3.1.1 (SMBv3) network communication protocol and it only impacts systems running Windows 10, version 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909. For the time being though, Ricerca Security has decided not to share their RCE PoC exploit publicly to avoid having it fall in the wrong hands.

Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it

Jitsi Meet on Docker contained default passwords for important users, which could be abused to run administrative XMPP commands, including shutting down the server, changing the administrative password and loading Prosody modules. We also provide instructions on how to check for this issue if you administer a Jitsi Meet server.

Ransomware

DoppelPaymer Ransomware hits Los Angeles County city, leaks files

The City of Torrance of the Los Angeles metropolitan area, California, has allegedly been attacked by the DoppelPaymer Ransomware, having unencrypted data stolen and devices encrypted. The attackers are demanding a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files. Based on the names of the archives, this data includes city budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager.

Privacy

Stripe records user movements on its customers' websites

Websites that use Stripe to collect payment usually include Stripe's JavaScript library within their application. Integrating it according to Stripe's documentation causes the library to share user tracking data with Stripe throughout the user's browsing session, even on pages that do not interact with Stripe or display payment forms. Stripe does not clearly disclose their collection of this data, and they make it difficult for client applications to limit the library's tracking behavior.

France urges Apple and Google to ease privacy rules on contact tracing

France has become the first country to call publicly for Apple and Google to weaken privacy protections around digital contact tracing, after its government admitted that its current plans would not work without changes to smartphone operating systems. The criticism comes two weeks after a landmark collaboration between the two companies to build technology enabling digital contact tracing apps, which would track contacts between users in an attempt to help slow the spread of Covid-19. The collaboration enables phones from both companies to work together, but also sets strict limits on what data can be sent back to public health authorities. It is those limits that France wants lifted, France's digital minister, Cédric O, said in an interview with Bloomberg News.

Researchers warn that contact tracing can be misused for surveillance

An open dispute has arisen between scientists involved in the development of a technology for Covid 19 contact tracing. Now more than 280 researchers from all over the world signed an open letter in which they expressed their opposition to the technical solution that is currently also being developed by the German Federal Government is favored.

Malware

New Coronavirus screenlocker malware is extremely annoying

A fake WiFi hacking program is being used to distribute a new Coronavirus-themed malware that tries to lock you out of Windows while making some very annoying sounds. Screenlockers are malware programs that display a lock screen when logging into Windows so that you cannot access the Windows desktop or interact with your installed programs and files. This new screenlocker is called 'CoronaLocker' and was discovered by security researcher Max Kersten last week after a friend became infected by a program named 'wifihacker.exe'. When installed, the malware will extract numerous VBS files and a batch file that, when used together, create an annoying screenlocker functionality.

New Android Banking Trojan Targets Spanish, Portuguese Speaking Users

IBM X-Force research recently analyzed a new Android banking Trojan that appears to be targeting users in countries that speak Spanish or Portuguese, namely Spain, Portugal, Brazil and other parts of Latin America. This Trojan, which was created atop an existing, simpler SMSstealer.BR, was supplemented with more elaborate overlay capabilities. At this time, the malware is being spread by messages that lead users to a malicious domain controlled by the attackers. Users are told that they need to download the most recent version of a supposed security app required for mobile banking. If they click to download the update, they unwittingly launch the download from a legitimate file sharing platform.

A Malware Researcher’s Guide to Reversing Maze Ransomware

Bitdefender labs wrote a whitepaper to help researchers reverse engineer the Maze ransomware and shed some light on how Maze performs evasion, exploitation, obfuscation and finally, system encryption.

Politics

The Netherlands overheard other countries for years after cracking encryption

The Dutch intelligence service has been able to read encrypted communications from dozens of countries since the late 1970s thanks to a microchip, according to research by de Volkskrant on Thursday. The Netherlands could eavesdrop on confidential communication from countries such as Iran, Egypt and Saudi Arabia.

OSINT

Who’s Behind the “Reopen” Domain Surge?

The past few weeks have seen a large number of new domain registrations beginning with the word "reopen" and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to "liberate" themselves from new gun control measures and state leaders who've enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here's a closer look at who and what appear to be behind these domains.