Table of Contents

  1. Scams
    1. This is what happens to cryptocurrency paid out in sextortion campaigns
    2. Simple loopholes in Facebook and PayPal helping victims to lose millions in scam
    3. When in Doubt: Hang Up, Look Up, & Call Back
  2. Malware
    1. Hackers have breached 60 ad servers to load their own malicious ads
    2. New Distribution Mechanism for the NanoCore RAT
    3. Coronavirus-themed Campaign delivers Agent Tesla Malware
    4. Malicious APKs share code during Covid-19 pandemic
    5. ESET takes down VictoryGate cryptomining botnet
    6. PinnacleCart Server-Side Skimmers and Backdoors
  3. Vulnerabilities
    1. Smart IoT home hubs vulnerable to remote code execution attacks
    2. You’ve Got 0-Click Mail: Unassisted iOS Attacks RCE via Mobilemail/Maild
    3. CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag
    4. NSA: Hackers exploit these vulnerabilities to deploy backdoors
    5. Critical Vulnerabilities Patched in MapPress Maps Plugin
    6. Getting Root on macOS via 3rd Party Backup Software
  4. Politics
    1. Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
    2. UK government told not to use Zoom because of China fears
    3. Chinese COVID-19 Disinformation Campaign
    4. US universities targeted with malware used by state-backed actors
  5. Leaks
    1. 400.000 US, South Korean card records put up for sale online
    2. Nintendo says 160,000 users impacted in recent account hacks
    3. Valve reassures gamers after CS:GO and Team Fortress 2 leaks
    4. Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates Foundation and others are dumped online
    5. Data breach may have exposed personal information of thousands of SBA emergency loan applicants
    6. Stuck at home, UK lockdown DIY fans slammed with Robert Dyas data breach
    7. Genetic Testing Lab Hack Affects 233,000
    8. Fitness App Kinomap Leaks 42 Million Records
  6. Crime
    1. Facebook-NSO lawsuit: Hundreds of WhatsApp attacks linked to one IP address
    2. Studying How Cybercriminals Prey on the COVID-19 Pandemic
    3. Security researcher identifies new APT group mentioned in 2017 Shadow Brokers leak
  7. Phishing
    1. New Study Shows Consumers Could Be Vulnerable to COVID-19 Spam
    2. Phishing attacks target US Payroll Protection Program Loans
    3. This Phish Uses Skype to Target Surging Remote Workers
    4. Customer complaint phishing pushes network hacking malware
    5. Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms
    6. Researchers: 30,000% increase in pandemic-related threats
  8. OSINT
    1. Spotting fake or seized pages the FBI are using in investigations
  9. Ransomware
    1. SeaChange video platform allegedly hit by Sodinokibi ransomware

Scams

This is what happens to cryptocurrency paid out in sextortion campaigns

Spam and phishing emails are a constant plague in our inboxes, but more recently, sextortion campaigns have also appeared on the radar. This particular brand of fraud attempts to capitalize on how some of us view adult content: as a personal and private matter, and one that we would not necessarily want contacts such as friends or family to know about, let alone become acquainted with our viewing preferences. Often, these emails will claim that someone has been watching you through your webcam at the same time you are watching pornography or live cams. They not only know what you have been watching and when, but have also obtained the contact information of friends, family, and co-workers. Given the adult nature of these threats, some recipients of sextortion emails do fall for this tactic and pay up. But where does the cryptocurrency go? Researchers from SophosLabs, together with analysts from CipherTrace, decided to find out.

Simple loopholes in Facebook and PayPal helping victims to lose millions in scam

One man lost £1800 (about $2,300) after getting caught up in the complex PayPal/Facebook scam. Another woman lost £420 ($450), while yet another victim got taken for £3,800 ($4900). No, they weren't hacked or forced or threatened -- these victims all sent out the money voluntarily to their Facebook friend's bank account, after receiving the same amount in their PayPal accounts. The only problem? The money they received didn't stay in their PayPal accounts for long. Within a few days, all that money was removed from their accounts. And because they sent it via bank transfer, they couldn't get their money back. Turns out their "friend" wasn't really someone they knew at all. It was a hacker that had gotten into their friend's accounts, asking around until they found someone willing to participate in the complicated scheme.

When in Doubt: Hang Up, Look Up, & Call Back

KrebsOnSecurity wrote an article explaining how one security- and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Malware

Hackers have breached 60 ad servers to load their own malicious ads

A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites. This clever hacking campaign was discovered last month by cyber-security firm Confiant and appears to have been running for at least nine months, since August 2019. Confiant says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.

New Distribution Mechanism for the NanoCore RAT

Bad actors have changed the distribution mechanism for the NanoCore RAT over time. Previously, the NanoCore payload was being distributed via a DOC file with auto executable macros or via a malicious PDF file. Then, it was being distributed via web downloads embedded in spam or phishing emails. Recently, ZScaler wrote about Microsoft PowerPoint files being used to spread NanoCore RAT. Now, they are observing the NanoCore RAT being distributed via web downloads.

Coronavirus-themed Campaign delivers Agent Tesla Malware

While the whole world fights against the COVID-19 pandemic, cybercriminals are busy exploiting the situation and attacking vulnerable users & businesses. In the last few weeks, there has been a rise in Coronavirus-themed malspams, which are being used to deliver a variety of malware. Quick Heal Security Labs have observed Agent Tesla being delivered through such campaigns --- the main motive of these campaigns is to steal sensitive data by capturing keystrokes, taking screenshots, & dumping browser passwords, etc.

Malicious APKs share code during Covid-19 pandemic

Threat actors are exploiting fear and uncertainty to spread Covid-19 themed malicious Android package kits (APKs) onto users' mobile devices. APKs pose a significant risk to end users because of the sensitive personal information and credentials stored on mobile devices. Intezer analyzed a popular APK to see if it shares binary code with other Android malware. This particular sample copies significant portions of code from previous Cerberus, Anubis and Ginp variants. Code reuse appears to be an ongoing trend among malicious Android applications.

ESET takes down VictoryGate cryptomining botnet

Slovak cyber-security firm ESET announced that it took down a malware botnet that infected more than 35,000 computers. According to an ESET press release, the botnet has been active since May 2019, and most of its victims were located in Latin America, with Peru accounting for more than 90% of the total victim count. Named VictoryGate, ESET said the botnet's primary purpose was to infect victims with malware that mined the Monero cryptocurrency behind their backs.

PinnacleCart Server-Side Skimmers and Backdoors

Researchers from Sucuri found malware on a website powered by PinnacleCart, a web store solution used by many popular websites with hundreds of thousands of monthly visitors.

Vulnerabilities

Smart IoT home hubs vulnerable to remote code execution attacks

On Wednesday, the ESET cybersecurity team said three different hubs contained bugs dangerous enough to trigger remote code execution (RCE), data leaks, and Man-in-the-Middle (MitM) attacks.

You’ve Got 0-Click Mail: Unassisted iOS Attacks RCE via Mobilemail/Maild

Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps found a number of suspicious events affecting the default Mail application on iOS dating as far back as Jan 2018. ZecOps analyzed these events and discovered an exploitable vulnerability affecting Apple's iPhones and iPads. ZecOps detected multiple triggers in the wild to this vulnerability on enterprise users, VIPs, and MSSPs, over a prolonged period of time. The attack's scope consists of sending a specially crafted email to a victim's mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Successfully exploiting the security flaws --- an Out-of-bounds Write (OOB Write) and a Remote Heap Overflow --- enables the attackers to run remote code on the compromised iPhone and iPad devices allowing them to gain access to, leak, edit, and delete emails. "Additional kernel vulnerability would provide full device access -- we suspect that these attackers had another vulnerability," ZecOps further explained.

CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag

A Bluetooth zero-click short-distance RCE exploit against Android 9 was discovered, and got assigned CVE-2020-0022. This article goes through all steps required to establish a remote shell on a Samsung Galaxy S10e, which was working on an up-to-date Android 9 when reporting the issue on November 3, 2019. The initial flaw used for this exploit is still present in Android 10, but this research utilizes an additional bug in Bionic (Android's libc implementation), which makes exploitation way easier.

NSA: Hackers exploit these vulnerabilities to deploy backdoors

The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint report warning of threat actors increasingly exploiting vulnerable web servers to deploy web shells. Web shells are malicious tools that hackers can deploy on a compromised internal or internet-exposed server to gain and maintain access, as well as remotely execute arbitrary commands, deliver additional malware payloads, and pivot to other devices within the network. They can be uploaded onto vulnerable servers in a wide variety of forms, from programs specifically designed to provide web shell features and Perl, Ruby, Python, and Unix shell scripts to app plugins and PHP and ASP code snippets injected within a web app's pages.

Critical Vulnerabilities Patched in MapPress Maps Plugin

On April 1, 2020, the Wordfence Threat Intelligence Team discovered two vulnerabilities in MapPress Maps for WordPress, a WordPress plugin with over 80,000 installations. One vulnerability that allowed stored Cross-Site Scripting (XSS) was present in both the free and pro versions of the plugin, while a far more critical vulnerability that allowed Remote Code Execution (RCE) was present in the pro version. They reached out to the plugin's author the next day, April 2, 2020, and received a response within a few hours. Patched versions of both MapPress Free and MapPress Pro were released within hours.

Getting Root on macOS via 3rd Party Backup Software

Backing up important data is fundamental to cyber hygiene. When disaster strikes, backups are a key protection against data loss. Oftentimes, 3rd party software is used to manage this process. Chris Lyne from Tenable wrote an article about chaining several vulnerabilities in Druva inSync backup software to escalate from normal user to root locally.

Politics

Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage

From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 was first identified. While targeting of East Asia is consistent with the activity of APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information.

UK government told not to use Zoom because of China fears

Government and parliament were told by the intelligence agencies last week not to use the videoconferencing service Zoom for confidential business, due to fears it could be vulnerable to Chinese surveillance. The quiet warnings to limit the technology came after the cabinet had used Zoom to hold a well-publicised meeting at the end of March, a decision that was defended at the time as necessary in "unprecedented circumstances". Parliament was advised last week by the National Cyber Security Centre, part of intelligence agency GCHQ, that Zoom should only be used for public business.

Chinese COVID-19 Disinformation Campaign

"They will announce this as soon as they have troops in place to help prevent looters and rioters," warned one of the messages, which cited a source in the Department of Homeland Security. "He said he got the call last night and was told to pack and be prepared for the call today with his dispatch orders." The messages became so widespread over 48 hours that the White House's National Security Council issued an announcement via Twitter that they were "FAKE." Since that wave of panic, United States intelligence agencies have assessed that Chinese operatives helped push the messages across platforms, according to six American officials, who spoke on the condition of anonymity to publicly discuss intelligence matters. The amplification techniques are alarming to officials because the disinformation showed up as texts on many Americans' cellphones, a tactic that several of the officials said they had not seen before.

US universities targeted with malware used by state-backed actors

Faculty and students at several U.S. colleges and universities were targeted in phishing attacks with a remote access Trojan (RAT) previously used by Chinese state-sponsored threat actors. The malware used in this mid-sized campaign is the Hupigon RAT, a RAT well-known for being employed by Chinese APTs such as APT3 (also tracked as Gothic Panda, UPS, and TG-011 and active since at least 2010) during multiple campaigns.

Leaks

400.000 US, South Korean card records put up for sale online

Details on roughly 400,000 payment cards related to US and South Korean financial organizations and banks are currently up for sale on Joker's Stash, the largest carding shop on the Internet. The seller of this huge card dump put a $1,985,835 price tag on the full set, for a median price of $5 per record, and says that the buyers should expect a validity rate of around 30-40%.

Nintendo says 160,000 users impacted in recent account hacks

Japanese gaming company Nintendo confirmed that hackers gained unauthorized access to around 160,000 user accounts since the start of the month. Through a statement, the company responded to a wave of user complaints that started surfacing over the last weekend. Nintendo confirmed that a credential stuffing attack isn't the source of its recent troubles. Instead, the gaming company says hackers abused its NNID integration. NNID stands for Nintendo Network ID, which is a legacy login system, used to manage accounts on the old Wii U or Nintendo 3DS platforms.

Valve reassures gamers after CS:GO and Team Fortress 2 leaks

The source code of Valve's Team Fortress 2 and Counter-Strike: Global Offensive games was leaked and published on the Internet for anyone to download. The initial report made by Steam Database on Twitter says that the leaked source code is dated 2017/2018. Per the same report, Valve previously made available the TF2 and CS:GO source code to Source engine licensees. After being accused of being the one behind the leak, Valve News Network founder Tyler McVicker claimed during a live Q&A on Twitch that a person he knows is responsible and that the source code was leaked in a 4Chan thread. "The Code that has leaked today originally leaked back in late 2018, which I was aware of, and contacted Valve to warn them about," he said on Twitter. Valve confirmed the leak in an official statement sent to BleepingComputer and is asking gamers to keep playing as there is no reason to be alarmed (the CS:GO team also tweeted the same statement).

Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates Foundation and others are dumped online

Unknown activists have posted nearly 25,000 email addresses and passwords allegedly belonging to the National Institutes of Health, the World Health Organization, the Gates Foundation and other groups working to combat the coronavirus pandemic, according to the SITE Intelligence Group, which monitors online extremism and terrorist groups. While SITE was unable to verify whether the email addresses and passwords were authentic, the group said the information was released Sunday and Monday and almost immediately used to foment attempts at hacking and harassment by far-right extremists. An Australian cybersecurity expert, Robert Potter, said he was able to verify that the WHO email addresses and passwords were real.

Data breach may have exposed personal information of thousands of SBA emergency loan applicants

The personal information of thousands of small businesses applying for federal disaster loans was potentially exposed to other applicants, marking the latest glitch in the rollout of government programs designed to help companies crippled by the coronavirus pandemic. Nearly 8,000 applicants to the Economic Injury Disaster Loan program (EIDL) --- a long-standing program run by the Small Business Administration (SBA) --- may have been affected. In a statement, the SBA said that it "immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal."

Stuck at home, UK lockdown DIY fans slammed with Robert Dyas data breach

For 23 days, starting on March 7 and ending March 30, a card skimmer was operational on the Robert Dyas website, according to an email sent to customers and obtained by The Register. Robert Dyas provides DIY and home improvement products, gardening tools, and electricals. Customers that ordered these types of goods through the company's website between these dates may have had their payment details stolen, including card numbers, expiry dates, and CVV security codes. In addition, customer names and addresses may have been taken. Robert Dyas became aware of the intrusion on March 30 and removed the malicious code. Up to 20,000 customers are embroiled in the security incident.

Genetic Testing Lab Hack Affects 233,000

A California-based genetic testing laboratory has reported an email hacking incident that may have exposed medical information on nearly 233,000 individuals. It's the second-largest health data breach posted to the federal health data breach tally so far in 2020.

Fitness App Kinomap Leaks 42 Million Records

An unsecured online database is to blame for yet another major privacy incident after fitness tech company Kinomap accidentally leaked 42 million records including personal identity data (PII). Researchers at vpnMentor found the wide-open data trove as part of an ongoing web mapping project.

Crime

Facebook-NSO lawsuit: Hundreds of WhatsApp attacks linked to one IP address

In court documents, Facebook said it linked 720 instances of attacks against WhatsApp users to one single IP address. The attacks were carried out against WhatsApp users in the spring of 2019. The exploit used in the attack was a zero-day in the WhatsApp VoIP feature. Facebook sued NSO last year for developing the exploit and making it available to its customers (foreign governments), who then used it to hack WhatsApp users. This included more than 1,400 users, according to Facebook's count, and included the likes of attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials. The exploit had the ability to infect a phone with the Pegasus malware, which then pinged NSO command and control servers for instructions on what commands to execute and what data to steal.

Studying How Cybercriminals Prey on the COVID-19 Pandemic

Unit 42 researchers found an immense increase in coronavirus-related Google searches and URLs viewed since the beginning of February. Cybercriminals are looking to profit from such trending topics, disregarding ethical concerns, and in this particular case preying on the misfortunes of billions. Unit 42 researchers monitor user interest in trending topics and newly registered domain names related to these topics, as miscreants often leverage them for malicious campaigns. Accompanying the growth in user interest, they observed a 656% increase in the average daily coronavirus-related domain name registrations from February to March. In this timeframe, they witnessed a 569% growth in malicious registrations, including malware and phishing; and a 788% growth in "high-risk" registrations, including scams, unauthorized coin mining, and domains that have evidence of association with malicious URLs within the domain or utilization of bulletproof hosting. As of the end of March, they identified 116,357 coronavirus-related newly registered domain names. Out of these, 2,022 are malicious and 40,261 are "high-risk".

Security researcher identifies new APT group mentioned in 2017 Shadow Brokers leak

Three years and eight days ago, on April 14, 2017, a mysterious group of hackers known as the Shadow Brokers published a collection of hacking tools that ended up changing the internet forever. Known as the "Lost in Translation" dump, this collection of files included tens of hacking tools and exploits stolen from the US National Security Agency (NSA), exploits that many believed the US was using to hack other countries. One file, named "sigs.py", is what many consider a treasure trove of cyber-espionage operations and threat intelligence. It contained 44 signatures to detect files (hacking tools) deployed by other hacking groups, numbered from #1 to #45, with #42 missing. To this day, three years later, 15 signatures from the sigs.py file still remain without attribution, showing how the NSA still has superior insight into foreign hacking operations compared to many cyber-security vendors today. However, in a presentation at the OPCDE virtual cyber-security summit, a security researcher has uncovered a new APT - the one sitting behind signature #37. Guerrero-Saade published an in-depth report on his personal blog.

Phishing

New Study Shows Consumers Could Be Vulnerable to COVID-19 Spam

Since the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic on March 11, IBM X-Force has observed a more than 6,000 percent increase in COVID-19-related spam, with lures ranging the full gamut of challenges and concerns facing individuals --- from phishing emails impersonating the Small Business Administration (SBA) and the WHO to U.S. banking institutions offering relief funds. The study illustrated the increased risk that these spam campaigns present, revealing that over half of respondents would engage with these types of emails. In fact, 64 percent of adults who are recently unemployed would be most likely to engage with an email related to their stimulus relief eligibility.

Phishing attacks target US Payroll Protection Program Loans

With hundreds of thousands of small businesses in the USA anxiously awaiting news about their submitted Payroll Protection Program SBA loans, threat actors are sending phishing emails that prey on their anxiety to steal email accounts. On April 3rd, as part of the CARES act, the U.S. government launched the Payroll Protection Program (PPP) SBA loan program that allows small business owners to apply for a low-interest loan. For companies that utilize this loan for payroll, it will be forgiven by the US government. With its launch, though, many banks were not able to get running quickly enough, and it left many small business owners unable to submit applications or receive loans before the initial $350 billion ran out. In a new phishing campaign discovered by Abnormal Security, attackers are sending out emails that pretend to be from a CARES act representative who needs a signature on a "PPP~CARESSignaturePG1~-2" document for the Payroll Protection Program.

This Phish Uses Skype to Target Surging Remote Workers

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users' inboxes. With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. Researchers recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Customer complaint phishing pushes network hacking malware

A new phishing campaign is underway that targets a company's employees with fake customer complaints that install a new backdoor used to compromise a network. For the past two weeks, researchers have been receiving fake emails pretending to be from their company's "Corporate Lawyer". These emails utilize subjects like "Re: customer complaint in [insert company name]" or "Re: customer complaint for [recipient name]" and state that the recipient's employer has received a customer complaint about them. Due to this, the employee will be fined and have the amount deducted from their salary.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

Cofense has detected a new phishing campaign claiming to be from the HR team and redirecting users to trusted domains like Office Sway, SharePoint, and Office 365 that are actually designed to steal users' credentials.

Researchers: 30,000% increase in pandemic-related threats

An increase of 30,000% in pandemic-related malicious attacks and malware was seen in March by security researchers at cloud security firm Zscaler when compared to the beginning of 2020, when the first threats started using COVID-19-related lures and themes. On any given day, Zscaler's cloud security products are processing more than 100 billion transactions from over 4,000 enterprise customers, with 400 of them being on Forbes' Global 2000 list of the world's largest public companies. Roughly 380,000 malicious attacks and malware were detected during March 2020, said Deepen Desai, VP Security Research & Operations at Zscaler, in a blog post.

OSINT

Spotting fake or seized pages the FBI are using in investigations

While investigating Google Analytics IDs, a researcher has stumbled upon many shady websites that use the same ID as the fbi.gov website.

Ransomware

SeaChange video platform allegedly hit by Sodinokibi ransomware

A leading supplier of video delivery software solutions is reportedly the latest victim of the Sodinokibi ransomware, whose operators have posted images of data they claim to have stolen from the company during a cyberattack. In an update to their data leak site, Sodinokibi (REvil) has created a new victim page for SeaChange where they have published images of some documents that they have stolen during an alleged attack.