Table of Contents

  1. Malware
    1. Hacking group used Google Play Store to push spyware for years
    2. First Seen In the Wild – Mobile as Attack Vector Using MDM
    3. Microsoft warns of malware surprise pushed via pirated movies
    4. Rogue affiliates are running fake antivirus expiration scams
    5. New Android malware steals financial information, bypasses 2FA
    6. Compromised WordPress Sites Used to Distribute the Adwind RAT
  2. Vulnerabilities
    1. GitLab awards researcher $20,000, patches remote code execution bug
    2. Google discloses zero-click bugs impacting several Apple operating systems
    3. Ninja Forms WordPress plugin patch prevents takeover of 1M sites
    4. Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update
    5. Fooling NLP Systems Through Word Swapping
    6. Exploiting Feedback Hub in Windows 10
  3. Crime
    1. Estonia: Foreign hackers breached local email provider for targeted attacks
    2. Over 275 days since Equifax’s data breach settlement and no one has been paid
    3. Hackers say they stole millions of credit cards from Banco BCR
  4. Leaks
    1. Two Usenet providers blame data breaches on partner company
    2. LabCorp Shareholder Sues Company Over Data Breaches
    3. Alabama Department of Labor fixes app after personal information revealed
  5. Privacy
    1. Xiaomi Recording ‘Private’ Web and Phone Use
    2. Quibi, JetBlue and Others Gave Away Email Addresses, Report Says
    3. US Senator Wants To Know Which Federal Authorities Are Using Clearview AI To Track the Coronavirus
    4. US govt agencies to disable DoH until federal service is ready
    5. Documents reveal FBI head defended encryption for WhatsApp before becoming fierce critic
    6. NSA security guide: How to choose safe conferencing and collaboration tools
    7. Numerous sites leak user emails to advertising, analytics services
    8. India makes government tracing app mandatory for all workers
  6. Phishing
    1. Microsoft Sway abused in PerSwaysion spear-phishing operation
    2. New phishing campaign packs an info-stealer, ransomware punch
    3. Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers

Malware

Hacking group used Google Play Store to push spyware for years

A malicious campaign dubbed PhantomLance has been targeting users of Android devices with spyware payloads embedded in applications delivered via multiple platforms including Google's Play Store and alternative Android app stores such as APKpure and APKCombo. According to a report published by Kaspersky researchers, PhantomLance overlaps with previous campaigns targeting Windows and macOS attributed to OceanLotus, an advanced persistent threat group also tracked as APT32 and believed to be Vietnam-based.

First Seen In the Wild – Mobile as Attack Vector Using MDM

Check Point researchers discovered a new Cerberus variant which is targeting a multinational conglomerate, and is distributed by the company's Mobile Device Manager (MDM) server. This malware has already infected over 75% of the company's devices. Once installed, this Cerberus variant can collect large amounts of sensitive data, including user credentials, and send it to a remote command and control (C&C) server.

Microsoft warns of malware surprise pushed via pirated movies

Pirate streaming services and movie piracy sites have seen a huge surge of incoming traffic during the COVID-19 pandemic with most people now having to stay inside due to shelter in place and lockdown orders. Microsoft warns that malicious actors are taking advantage of this trend trying to infect potential victims with malware delivered via fake movie torrents. "With lockdown still in place in many parts of the world, attackers are paying attention to the increase in use of pirate streaming services and torrent downloads," the Microsoft Security Intelligence team said.

Rogue affiliates are running fake antivirus expiration scams

Rogue security software affiliates are sending emails that falsely tell recipients that their antivirus software is expiring and then prompt them to renew their license so that the affiliate can earn a commission from the sale. A software affiliate is a third-party that refers visitors to a software company to earn a commission from the sale of their software. Over the past week, BleepingComputer became aware of scam emails being sent that tell recipients that their Norton and McAfee antivirus software is expiring that day and prompting them to renew their license.

New Android malware steals financial information, bypasses 2FA

A new banking Trojan can steal financial information from Android users across the United States and several European countries, including the UK, Germany, Italy, Spain, Switzerland, and France. Dubbed EventBot by researchers at Cybereason Nocturnus who discovered it in March 2020, the malware is a mobile banking Trojan and "infostealer" designed to abuse the Android operating system's accessibility features to steal sensitive financial data. "EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets," the Cybereason Nocturnus researchers found.

Compromised WordPress Sites Used to Distribute the Adwind RAT

With more than 60 million websites, including 33.4 percent of the top 10 million global websites, built on the WordPress platform, it is big news when a new attack aimed at this popular tool surfaces. The Zscaler ThreatLabZ team recently noticed another campaign targeting WordPress sites. This blog post describes two aspects of this campaign. The first part describes the intelligence information gathered from this campaign, which was used for threat attribution. The second part explains in detail all the steps used for decrypting the multiple layers of encryption that were used to protect the final payload.

Vulnerabilities

GitLab awards researcher $20,000, patches remote code execution bug

GitLab has awarded a cybersecurity researcher $20,000 for reporting a serious remote code execution vulnerability on the platform. Discovered by William "vakzz" Bowling, a programmer and bug bounty hunter, the vulnerability was privately disclosed through the HackerOne bug bounty platform on March 23. Bowling said that GitLab's UploadsRewriter function, used to copy files, was the source of the critical security issue.

Google discloses zero-click bugs impacting several Apple operating systems

When it comes to managing multimedia files, all operating systems work the same. Any new multimedia file - image, audio, video - that reaches a device is automatically transferred to a local OS library that parses the file to know what it is and what to do with it next. From an attacker's perspective, bugs in multimedia processing components are the ideal attack surface, as they don't need any user interaction before having the ability to run code on a remote device/OS. All an attacker has to do is find a way to send a malformed multimedia file to a device, wait until the file is processed, and until the exploit code triggers. In a report published by Project Zero, Google's elite bug-hunting team, said they looked at one of Apple's multimedia processing components, which is most likely to be an attractive attack surface for any threat actor needing a way to silently hack an Apple user. More specifically, Project Zero researchers looked at Image I/O, a framework that's built into all Apple operating systems and is tasked with parsing and working with image files.

Ninja Forms WordPress plugin patch prevents takeover of 1M sites

The developers of Ninja Forms, a WordPress plugin with more than 1 million installations, have fixed a high severity security vulnerability that can let attackers inject malicious code and take over websites using an unpatched version of the plugin. The vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (Stored XSS) attacks and it affects all Ninja Forms versions up to 3.4.24.2. Attackers can exploit this Ninja Forms bug by tricking WordPress admins into clicking specially crafted links that inject malicious JavaScript code as part of a newly-imported contact form.

Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update

WordPress Core version 5.4.1 has just been released. Since this release is marked as a combined security and bug fix update, it's recommended to update as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that appear to require specific circumstances to exploit. All in all this release contains 7 security fixes, 5 of which are XSS (Cross-Site Scripting) vulnerabilities. Both the Free and Premium versions of Wordence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.

Fooling NLP Systems Through Word Swapping

MIT researchers have built a system that fools natural-language processing systems by swapping words with synonyms. The software, developed by a team at MIT, looks for the words in a sentence that are most important to a NLP classifier and replaces them with a synonym that a human would find natural. For example, changing the sentence "The characters, cast in impossibly contrived situations, are totally estranged from reality" to "The characters, cast in impossibly engineered circumstances, are fully estranged from reality" makes no real difference to how we read it. But the tweaks made an AI interpret the sentences completely differently.

Exploiting Feedback Hub in Windows 10

Feedback Hub is a feature in Windows 10 which allows users to report problems or suggestions to Microsoft. It relies on the "diagtrack" service, running as SYSTEM, or better known as "Connected User Experiences and Telemetry". When the Feedback Hub gathers info in order to send them to MS, it does a lot of file operations, most of them performed by the SYSTEM user. It turns out that this application and the related services/executables which are run during the collection have a lot of logical bugs which can be exploited by "Directory Junctions" or Symbolic links via RPC Control.

Crime

Estonia: Foreign hackers breached local email provider for targeted attacks

State-sponsored hackers have used a zero-day vulnerability to hijack a few high-profile email accounts at Estonian email provider Mail.ee. The attacks took place last year and the vulnerability in Mail.ee's service has been fixed. This said the Estonian Internal Security Service (KaPo) in an end-of-year report published this month. "This vulnerability was only exploited [against] a small number of email accounts belonging to persons of interest to a foreign country," KaPo said, without naming the victims. The agency said the attacks took place with the help of malicious code hidden in emails sent to Mail.ee recipients.

Over 275 days since Equifax’s data breach settlement and no one has been paid

Last year, credit reporting agency Equifax was rocked by a massive data breach affecting most (56%) Americans. The company agreed to one of the largest settlements of its kind, $700M to be disbursed, covering identity protection monitoring services and direct cash payments to help those whose data had been stolen. Many of you probably read some of these headlines in the summer of 2019, and many more still filled out the forms after promises of up to $125 per afflicted party. There were several deadlines and additional hoops people had to jump through, but 275 days later: no one has been paid yet, and it's not clear if they ever will be. It's been almost three times that time (800+ Days) since the breach itself actually occurred in Q3 of 2017.

Hackers say they stole millions of credit cards from Banco BCR

Hackers claim to have gained access to the network of Banco BCR, the state-owned Bank of Costa Rica, and stolen 11 million credit card credentials along with other data. This attack was allegedly conducted by the operators of the Maze Ransomware, who have been behind numerous cyberattacks against high-profile victims such as IT services giant Cognizant, cyber insurer Chubb, and drug testing facility Hammersmith Medicines Research LTD. On their data leak site, the hackers claim to have gained access to Banco BCR's network in August 2019, but did not proceed with encrypting the devices as "the possible damage was too high."

Leaks

Two Usenet providers blame data breaches on partner company

Two companies that provide Usenet services have disclosed security breaches. The two companies, UseNeXT and Usenet.nl, blamed the breaches on a security vulnerability at a partner company. Neither UseNeXT nor Usenet.nl have named the third-party company whose software enabled the intrusion. It is unclear if this is referring to an Usenet desktop client or a server-side service.

LabCorp Shareholder Sues Company Over Data Breaches

A shareholder has filed a lawsuit against LabCorp and 12 of its executives and directors - including the medical testing company's CIO - over two data breaches, including the 2019 breach of one of its vendors, American Medical Collection Agency, which affected millions of patients. In the lawsuit filed on April 23, shareholder Raymond Eugenio alleges that Burlington, N.C.-based LabCorp's leadership failed to address cybersecurity weaknesses and adequately notify breach victims and shareholders about the two incidents. The lawsuit seeks to hold LabCorp's leadership accountable for "damages" sustained by the company due to the breaches and force the company to make changes in its "governance and internal procedures" to prevent future breaches.

Alabama Department of Labor fixes app after personal information revealed

The problem involved the Alabama Labor Department's Unemployment Insurance Claim Tracker and a newly launched Pandemic Unemployment Assistance app on its website. The app is designed to process claims faster. When Rhonda Jones tried to view her daughter's documents that she uploaded, she saw someone else's tax return, which included their name, social security number, address, bank account number, bank routing number, and how much money that person made. The department's technical team shut the app down and fixed the problem within 30 minutes. The department also notified others on their Facebook page.

Privacy

Xiaomi Recording ‘Private’ Web and Phone Use

A security researcher has analyzed Xiaomi devices and found out that it collects an astonishing amount of data from its users. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode. And there appear to be issues with how Xiaomi is transferring the data to its servers. Though the Chinese company claimed the data was being encrypted when transferred in an attempt to protect user privacy, the researcher found he was able to quickly see just what was being taken from his device by decoding a chunk of information that was hidden with a form of easily crackable encoding, known as base64. It took Cirlig just a few seconds to change the garbled data into readable chunks of information.

Quibi, JetBlue and Others Gave Away Email Addresses, Report Says

Millions of people gave their email addresses to Quibi, JetBlue, Wish and other companies - and those email addresses got away. They ended up in the hands of advertising and analytics companies like Google, Facebook and Twitter, leaving the people with those email addresses more easily targeted by advertisers and able to be tracked by companies that study shopping behavior, according to a report published on Wednesday. The customers unwittingly exposed their email addresses when signing up for apps or clicking on links in marketing emails, said the researcher Zach Edwards, who runs the digital strategy firm Victory Medium. In the report, he described the giveaway of personal data as part of a "sloppy and dangerous growth hack." Mr. Edwards, a contributor to a recent study that examined potential privacy violations by dating services like Grindr and OkCupid, wrote in the new report that one of the "most egregious" leaks involved Quibi, a short-form video platform based in Los Angeles that is run by the veteran executives Jeffrey Katzenberg and Meg Whitman. Quibi went live on April 6, long after new data privacy regulations went into effect in Europe and California. People who downloaded the Quibi app were asked to submit their email addresses. Then they received a confirmation link. Clicking on the link made their email addresses available to Google, Facebook, Twitter and Snapchat, according to the report.

US Senator Wants To Know Which Federal Authorities Are Using Clearview AI To Track the Coronavirus

Clearview AI, the facial recognition company that claims to have scraped over 3 billion photos from social media to power its face-matching tool, is now facing questions from Massachusetts Sen. Ed Markey about recent claims that it's developing a digital contact tracing tool for COVID-19, the disease caused by the novel Coronavirus. Clearview AI CEO Hoan Ton-That claimed in a recent NBC interview that the company is in talks with "federal and state" authorities about developing a tool that would use facial recognition to track where a person diagnosed with COVID-19 has traveled and whom they may have come in contact with. Clearview has not identified any of these authorities nor the length of the agreements or contracts it has signed or is seeking. It's also unclear how Clearview's facial recognition tools would aid in contact tracing efforts or how the company would obtain pictures of people diagnosed with the disease and track their movements at scale.

US govt agencies to disable DoH until federal service is ready

US government agencies' chief information officers were recommended to disable third-party encrypted DNS services until an official DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready. Until then, agencies were reminded that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on devices connected to federal agency networks, although the Cybersecurity and Infrastructure Security Agency (CISA) encourages vendors' current efforts to make network traffic encryption the default choice for users. E3A provides a DNS sink holing service, which automatically protects users by blocking their access to malicious infrastructure by overriding public DNS records identified as harmful. This DNS resolver service also provides CISA with "insight into DNS requests made from agency networks."

Documents reveal FBI head defended encryption for WhatsApp before becoming fierce critic

Christopher Wray, the FBI director who has been one of the fiercest critics of encryption under the Trump administration, previously worked as a lawyer for WhatsApp, where he defended the practice, according to new court filings. The documents, which were released late on Wednesday night as part of an unrelated matter, show Wray worked for WhatsApp in 2015 while he was an attorney for the Washington law firm of King & Spalding. While there are sparse details about the precise nature of the work, the filings indicate that Wray strongly defended the need for end-to-end encryption in his previous representation of WhatsApp, the popular messaging application owned by Facebook.

NSA's security guide: How to choose safe conferencing and collaboration tools

The US National Security Agency (NSA) published a security assessment of today's most popular video conferencing, text chatting, and collaboration tools. The guidance contains a list of security criteria that the NSA hopes companies take into consideration when selecting which telework tool/service they want to deploy in their environments.

Numerous sites leak user emails to advertising, analytics services

Multiple online services and products are leaking email data belonging to their users to third-party advertising and analytics companies, shows a research published today. Websites mentioned in the report include Quibi.com, JetBlue.com, KongHQ.com, NGPVan.com, Mailchimp's Mandrill.com, WashingtonPost.com, Wish.com. Between them, there are hundreds of millions of emails.

India makes government tracing app mandatory for all workers

India has mandated that all public and private sector employees use a government-backed Bluetooth tracing app and maintain social distancing in offices as New Delhi begins easing some of its lockdown measures in lower-risk areas. Prime Minister Narendra Modi's government on Friday said India - the country with the largest number of people in lockdown - would extend its nationwide control measures for another two weeks from Monday to battle the spread of the Coronavirus that causes the COVID-19 illness, but allow "considerable relaxations" in lower-risk districts. As part of its efforts to fight the deadly virus, India last month launched the app Aarogya Setu - meaning Health Bridge - a Bluetooth and GPS-based system developed by the country's National Informatics Centre. The app alerts users who may have come in contact with people later found to be positive for COVID-19 or deemed to be at high risk.

Phishing

Microsoft Sway abused in PerSwaysion spear-phishing operation

Multiple threat actors running phishing attacks on corporate targets have been counting on Microsoft Sway service to trick victims into giving their Office 365 login credentials. Named PerSwaysion by security researchers, the campaign relies on a phishing kit offered in a malware-as-a-service (MaaS) operation and is a well-planned endeavor. Apart from access to corporate email accounts, scammers also get sensitive business data, which opens a wide range of money-making possibilities. They can run financial scams, sell information to other actors, or profit from secret trading strategies. Security researchers at Singapore-based cyber security company Group-IB discovered the campaign during an incident response in the first quarter of the year and named it PerSwaysion because of "the extensive abuse of Sway service." SharePoint and OneNote services are also used, but to a lower degree. Microsoft Sway is a storytelling app that allows creating interactive communications (reports, presentations, stories, newsletters).

New phishing campaign packs an info-stealer, ransomware punch

A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware. By using this malware combo, the attackers first steal saved user names and passwords stored in a variety of applications and then deploy the Jigsaw Ransomware to try to get a small ransom to sweeten the attack.

Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers

FortiGuard Labs has discovered a new malicious spear-phishing campaign, once again using the COVID-19/Coronavirus pandemic as a lure. This latest email campaign targets a medical device supplier, wherein the attacker is inquiring about various materials needed to address the COVID-19 pandemic due to high demand for supplies. It includes a compelling statement that they have already tried to reach the recipient via telephone in order to create a stronger sense of urgency.