Table of Contents

  1. Privacy
    1. Redditor finds unsecured surveillance cameras seemingly placed by US government
  2. Ransomware
    1. Ransomware now demands extra payment to delete stolen files
    2. ATT&CKing ProLock Ransomware
    3. Hackers preparing to launch ransomware attacks against hospitals arrested in Romania
  3. Malware
    1. Kwampirs malware: what it is, how it works and how to prevent it
    2. Mandrake – owning Android devices since 2016
    3. QNodeService: Node.js Trojan Spread via Covid-19 Lure
    4. New COMpfun malware variant gets commands from HTTP error codes
    5. Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways
    6. Glupteba Campaign that Exploits MikroTik Routers Still at Large
  4. Vulnerabilities
    1. Google WordPress plugin bug can be exploited for black hat SEO
    2. Zerodium stopped accepting new iOS 0-days
    3. Security Flaws in Adobe Acrobat Reader Allow Gaining Root on macOS Silently
    4. Planes can be remotely controlled by hackers
  5. Breaches
    1. The Unattributable "db8151dd" Data Breach
    2. Interserve Hit by Data Breach; 100,000 Employee Records Stolen
  6. APT
    1. Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
    2. Open-sourcing new COVID-19 threat intelligence
  7. Crime
    1. UK electricity middleman hit by cyber-attack
    2. France passes law forcing online platforms to delete hate-speech within 24 hours
    3. Scammers steal $10 million from Norway's state investment fund

Privacy

Redditor finds unsecured surveillance cameras seemingly placed by US government

A Redditor found hidden cameras installed by what looks like government agencies, and they were not even password protected.

Ransomware

Ransomware now demands extra payment to delete stolen files

A ransomware family has begun a new tactic of not only demanding a ransom for a decryptor but also demanding a second ransom not to publish files stolen in an attack. For years, ransomware operators have been claiming to steal data before encrypting a company's network and then threatening to release the data if a victim does not pay. It wasn't until November 2019, though, that the Maze ransomware operators actually followed through with this threat and publicly released stolen files. Since then, almost all network-targeting ransomware families such as Maze, Sodinokibi, DopplePaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker have adopted this practice and have created "leak" sites where they publish the stolen data of non-paying victims. In a new leak site created by the operators of the Ako Ransomware, the threat actors indicate that some companies are required to pay both a ransom payment for the decryptor and a separate amount to delete stolen files.

ATT&CKing ProLock Ransomware

This post is analyzing the ProLock Ransomware, and mapping its main tactics, techniques and procedures (TTPs).

Hackers preparing to launch ransomware attacks against hospitals arrested in Romania

Law enforcement in Romania arrested a group of individuals that were planning ransomware attacks against healthcare institutions in the country. Three were arrested in Romania and a fourth in the Republic of Moldova after executing home search warrants. Ironically, the group operated under the name PentaGuard Hackers Crew. In a press release, the Romania's Directorate for Investigating Organized Crime and Terrorism (DIICOT) said that the group was formed at the beginning of the year and stored on their computers a variety of malicious tools. Authorities say that PentaGuard had file-encrypting malware, remote access Trojans (RATs), tools for SQL injection and website defacement attacks.

Malware

Kwampirs malware: what it is, how it works and how to prevent it

Supply chain compromise has become more of a concern as of late, with the appearance of COVID-19 affecting many industries --- especially healthcare. Attack groups are taking advantage of this vulnerability of modern society by targeting the supply chain of ICS firms, healthcare, IT and other critical infrastructure industries. One such malware, known as Kwampirs, has been observed using supply chain compromise during this time of crisis. Kwampirs has been taken so seriously by the FBI that they have issued multiple alerts warning impacted industries of its risk. This article details Kwampirs and explore what it is, how it works and how to prevent Kwampirs from impacting your organization.

Mandrake – owning Android devices since 2016

BitDefender has identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least 4 years. It was named Mandrake as the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. Briar, Ricinus or Nerium. Unlike run-of-the-mill malware, Mandrake puts in significant effort NOT to infect victims. It cherry-picks a handful of devices it gets installed on for further exploitation. This is likely because its operators know that they increase their chances of being called out with every device they infect, so they have instructed the malware to avoid countries where compromised devices won't bring them any return of interest.

QNodeService: Node.js Trojan Spread via Covid-19 Lure

TrendMicro researchers recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, "Company PLP~Tax~ relief due to Covid-19 outbreak CI+PL.jar", suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this Trojan is dubbed as "QNodeService". The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software. The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.

New COMpfun malware variant gets commands from HTTP error codes

A new COMpfun remote access Trojan (RAT) variant controlled using uncommon HTTP status codes was used in attacks targeting European diplomatic entities. This malware was first spotted and analyzed by G-Data in 2014, while another Trojan featuring "strong code similarities" capable of carrying out man-in-the-middle (MitM) attacks on encrypted traffic was discovered by Kaspersky in 2019, which later dubbed it Reductor. Even though G-Data did not attribute COMpfun to any specific malware author, Kaspers associates it "with the Turla APT with a medium-to-low level of confidence" based on the victims its operators are targeting.

Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways

Unit 42 Researchers have come across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symnatec Secure Web Gateway 5.0.2.8, which became end-of-life in 2015.

Glupteba Campaign that Exploits MikroTik Routers Still at Large

Although the Glupteba Trojan is classified as a dropper, it has the ability to steal information from infected systems. In addition, it uses lateral propagation to spread over the network, has the capability to install a miner, and can download a component that is able to control routers and relay traffic. Furthermore, it seems that this malware is under active development, and its creators are employing dangerous and rarely used techniques to keep their creation active. Zscaler has published an article detailing the techniques used in the latest campaign.

Vulnerabilities

Google WordPress plugin bug can be exploited for black hat SEO

A critical bug found in Google's official WordPress plugin with 300,000 active installations could allow attackers to gain owner access to targeted sites' Google Search Console. Site Kit is a WordPress plugin designed by Google to help site owners to gain insight on how their visitors use and find their website via official stats collected from multiple Google tools and displayed directly in the WordPress dashboard. The plugin also makes it easier to set up and configure key Google products such as the Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense. As Wordfence details, the bug is caused by the disclosure of the proxySetupURL within the HTML source code of admin pages, a URL used to connect the Site Kit plugin to the Google Search Console through Google OAuth.

Zerodium stopped accepting new iOS 0-days

Zerodium announced that they will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors. Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.

Security Flaws in Adobe Acrobat Reader Allow Gaining Root on macOS Silently

Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) reported by Yuebin Sun. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS (with SIP enabled) can locally exploit this vulnerabilities chain to elevate privilege to the ROOT without a user being aware.

Planes can be remotely controlled by hackers

Almost all of the world's planes are currently grounded, but getting them back up into the air will require more than the easing of lockdown restrictions worldwide. New research by threat researchers Pen Test Partners uncovers a worrying flaw in the collision detection systems that control aircraft while they're mid-flight. According to the researchers, nefarious hackers could force aircraft to move against their own will by spoofing the plane's Traffic Alert & Collision Avoidance System (TCAS), which ensures it doesn't come into contact with other airborne craft during a flight. The TCAS system uses transponders to scan the horizon for other planes, and communicates data between them -- making sure to change course if it forecasts that it could collide with another plane. But it's easy to spoof the system and create a fake TCAS contact, pumping out information that claims a plane is flying in the path of an aircraft, causing the real plane to have to take evasive action.

Breaches

The Unattributable "db8151dd" Data Breach

Troy Hunt wrote an article about a data breach that was found on an unprotected elasticsearch server, and contains 90GB of personal information, but without any clue where the data comes from and who was the owner.

Interserve Hit by Data Breach; 100,000 Employee Records Stolen

Outsourcing group Interserve is recovering from a cyberattack which took place over the weekend that may have seen the details of up to 100,000 people stolen. Hackers broke into a human resources database owned by the outsourcing firm, which recently helped build the Birmingham Nightingale Hospital, on May 9 and stole information on current and former Interserve employees, a company insider said.

APT

Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia

A joint reported issued by cybersecurity teams from ESET and Avast suggests that the Remote Access Trojan (RAT), which is undergoing "constant" development, is likely the work of an Advanced Persistent Threat (APT) group - possibly from China - that has "planted backdoors to gain long-term access to corporate networks."

Open-sourcing new COVID-19 threat intelligence

Microsoft is making the threat intelligence it's collected on coronavirus-related hacking campaigns public, the company announced Thursday. "As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers' shifting techniques," the Microsoft Threat Intelligence team said in a blog post. "This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks."

Crime

UK electricity middleman hit by cyber-attack

Elexon, a crucial middleman in the UK power grid network, reported that it fell victim to a cyberattack earlier today. In a short message posted on its website, the company said the incident only impacted its internal IT network and employee laptops. The company's email server was also impacted and had been taken down, cutting employees off from crucial communications. Systems that managed the UK's electricity transit were unaffected, according to Elexon. In a subsequent message posted later in the day, the company said it already identified the root cause of the incident, and was working to restore its internal network and employee laptops.

France passes law forcing online platforms to delete hate-speech within 24 hours

France's lower chamber of the parliament has voted in favor of a controversial law against hate speech on social networks and online platforms. As I described last year, online platforms will have to remove within 24 hours illicit content that has been flagged. Otherwise, companies will have to pay hefty fines every time they infringe the law. What do they mean by illicit content? Essentially, anything that would be considered as an offense or a crime in the offline world is now considered as illicit content when it's an online platform. Among other things, you could think about death threats, discrimination, Holocaust denial...

Scammers steal $10 million from Norway's state investment fund

Fraudsters running business email compromise scams were able to swindle Norfund, Norway's state investment fund, out of $10 million. The attackers took their time before pulling the trigger and took action to ensure that the theft would be discovered long after they got the money. The scammers got access to the email system, which allows them to monitor communication between Norfund employees and their partners. This also allowed them to figure out who's responsible for money transfers. According to Norfund CEO Tellef Thorleifsson, the scammers spent several months in the system, learning the ropes and carefully preparing the robbery. The scammers created a Norfund email address to impersonate an individual authorized to wire large sums of money through DNB, the bank Norfund uses for these operations.