Table of Contents

  1. Ransomware
    1. Hackers tried to use Sophos Firewall zero-day to deploy Ransomware
    2. Ransomware encrypts from virtual machines to evade antivirus
    3. Netwalker ransomware operators targets city of Weiz
    4. Snake ransomware leaks patient data from Fresenius Medical Care
  2. Vulnerabilities
    1. Docker fixes Windows client bug letting programs run as SYSTEM
    2. Stealing secrets from developers using WebSockets
    3. Chromium project finds that 70% of security defects are memory safety problems
    4. How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release
    5. New Spectra attack breaks the separation between Wi-Fi and Bluetooth
    6. 15 years later: remote code execution in qmail
    7. Microsoft issues mitigation for the NXNSAttack DNS DDoS attack
  3. Malware
    1. Windows malware opens RDP ports on PCs for future remote access
    2. ZLoader banking malware is back, deployed in over 100 campaigns
    3. New PipeMon malware uses Windows print processors for persistence
  4. Phishing
    1. Phishing Campaign Leverages Google to Harvest Credentials
    2. Gitlab phished its own work-from-home staff, and 1 in 5 fell for it
    3. Office 365 phishing uses Supreme Court theme and working CAPTCHA
  5. Leaks
    1. Online education site EduCBA discloses data breach after hack
    2. Voter info for millions of Indonesians shared on hacker forum
    3. 25 million user records leak online from popular math app Mathway
    4. Nulled.ch - 43,491 breached accounts
    5. Hacker leaks 40 million user records from popular Wishbone app
    6. The mystery of 'hacked' Houseparty users may have been solved
    7. GhostDNS exploit kit source code leaked to antivirus company
  6. Scams
    1. Riding the State Unemployment Fraud ‘Wave’
  7. Crime
    1. New activity of DoubleGuns‘ gang, control hundreds of thousands of bots via public cloud service
    2. Thousands of Israeli sites defaced with code seeking permission to access users' webcams
    3. Vigilante hackers target 'scammers' with ransomware, DDoS attacks
  8. Privacy
    1. FBI cannot even look at your phone lock screen without a warrant, rules judge
    2. Google Drive takes down user’s personal copy of Judy Mikovits’ Plandemic after it was flagged
    3. Home Security Vendor Sued After Technician Spied on Customers in ‘Intimate Moments’

Ransomware

Hackers tried to use Sophos Firewall zero-day to deploy Ransomware

Hackers tried to exploit a zero-day in the Sophos XG firewall to distribute ransomware to Windows machines but were blocked by a hotfix issued by Sophos. At the end of April, hackers utilized a zero-day SQL injection vulnerability that leads to remote code execution in Sophos XG firewalls. Attackers used this vulnerability to install various ELF binaries and scripts that are being named by Sophos as the Asnarök Trojan. This Trojan was used to steal data from the firewall that could have allowed the attackers to compromise the network remotely.

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker is deploying Windows XP virtual machines to encrypt victims' files while evading detection by security software installed on the host. Ragnar Locker is a relatively new ransomware launched at the end of December 2019 that targets corporate networks in company-wide attacks. This ransomware is most known for its attack on energy giant Energias de Portugal (EDP), where the attackers asked for a $10.9 million ransom after claiming to have stolen 10 TB of unencrypted files. Ragnar Locker also has a history of utilizing novel methods to evade detection when deploying their ransomware on a network.

Netwalker ransomware operators targets city of Weiz

Once again, the NetWalker ransomware operators trap a big fish in their net. In this instance, they targeted the City of Weiz and leaked its confidential data online. Weiz is the economic heart of the entire region. It sits at the center of the Austrian electrical industry, with the successor companies of the former Elin Union -- Siemens AG Austria Transformers Weiz, Andritz Hydro and Elin Motoren -- as well as the international Knill Group. Several large companies of the automotive supply group MAGNA, as well as construction companies such as LIEB-Bau-Weiz and Strobl Construction, are also settled there. The energy innovation center Weiz, which now consists of four houses, forms an additional business platform for innovative companies, for educational institutions and for start-ups, but also for important Styrian research institutions such as Joanneum Research with the Institute Materials or Human Research.

Snake ransomware leaks patient data from Fresenius Medical Care

Medical data and personally identifiable information belonging to patients at a Fresenius Medical Care unit are currently available online on a paste website. Fresenius is a large private hospital operator in Europe and its systems were compromised as part of a massive campaign from Snake ransomware that targeted organizations across all verticals. The hackers published a small batch of data but they announced that there's "more to come," indicating that the data is part of a much larger leak. BleepingComputer has seen the paste with the records, set to expire on June 15. It contains patient details from a Fresenius Medical Care center in Serbia, which provides dialysis services for people with chronic kidney failure.

Vulnerabilities

Docker fixes Windows client bug letting programs run as SYSTEM

Docker fixed a security vulnerability in Docker for Windows that allowed attackers on the system to execute commands with the highest privileges. The flaw received the tracking number CVE-2020-11492 and could be exploited to impersonate Docker Desktop Service, which runs with SYSTEM permissions. Docker Desktop Service is installed with the Windows version of Docker and runs by default, standing by for the application to start and create child processes. The service communicates with child processes via Windows named pipes, which permit the server side of a connection to impersonate the client.

Stealing secrets from developers using WebSockets

In response to the recent post about websites scanning localhost ports, Steve Stagg wrote an article showing how developer secrets could be stolen using such techniques. "In all seriousness, this attack vector is pretty slim. You've got to tempt unwitting users to visit your site, and to stay on it while they're developing JS code."

Chromium project finds that 70% of security defects are memory safety problems

Around 70% of Chromium high severity security bugs are memory unsafety problems (that is, mistakes with C/C++ pointers). Half of those are use-after-free bugs.

How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release

Security researchers and hackers have had access to a leaked early version of iOS 14, the iPhone's next operating system, since at least February, Motherboard reported Friday. That's almost eight months before the expected official release of iOS 14, given that Apple usually publishes the new iOS in September along with the announcement of new phones. Sometimes, screenshots and descriptions of new features leak before the official reveal. This time, however, an entire version of the operating system has leaked and is being widely circulated among hackers and security researchers. Motherboard has not been able to independently verify exactly how it leaked, but five sources in the jailbreaking community familiar with the leak told us they think that someone obtained a development iPhone 11 running a version of iOS 14 dated December 2019, which was made to be used only by Apple developers. According to those sources, someone purchased it from vendors in China for thousands of dollars, and then extracted the iOS 14 internal build and distributed it in the iPhone jailbreaking and hacking community.

New Spectra attack breaks the separation between Wi-Fi and Bluetooth

Academics from Germany and Italy say they developed a new practical attack that breaks the separation between Wi-Fi and Bluetooth technologies running on the same device, such as laptops, smartphones, and tablets. Called Spectra, this attack works against "combo chips," specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others. "Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access," the research team said in a short abstract detailing an upcoming Black Hat talk.

15 years later: remote code execution in qmail

In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. Qualys recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.

Microsoft issues mitigation for the NXNSAttack DNS DDoS attack

Microsoft has released a security advisory to mitigate the NXNSAttack vulnerability in DNS servers that could be used to amplify a single DNS request into a DDoS attack against authoritative DNS servers. In a new paper, researchers from Tel Aviv University and The Interdisciplinary Center have revealed a new vulnerability called NXNSAttack that can be "used to mount a devastating attack against either or both, recursive resolvers and authoritative servers." In summary, the NXNSAttack works by an attacker sending a DNS request to a recursive server for a domain under the attacker's control. As this recursive server does not have the authority to resolve the request, it sends a query to the authoritative DNS server for the attacker's domain.

Malware

Windows malware opens RDP ports on PCs for future remote access

Security researchers say they've spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts. Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts. The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers.

ZLoader banking malware is back, deployed in over 100 campaigns

A banking malware called ZLoader, last seen in early 2018, has been spotted in more than 100 email campaigns since the beginning of the year. The trojan is under active development with 25 versions seen in the wild since its comeback in December 2019, the latest one observed this month. The malicious email campaigns target users in the U.S., Canada, Germany, Poland, and Australia with lures related to COVID-19 topics (tips to avoid scams, testing) and invoices. Researchers at Proofpoint note in a report today that the ZLoader distributed this way is different from the original variant observed between 2016 and 2018. They believe the new version is a fork of the previous one.

New PipeMon malware uses Windows print processors for persistence

Video game companies are once again victims of the Winnti hacking group, who used new malware that researchers named PipeMon and a novel method to achieve persistence. PipeMon is a modular backdoor identified earlier this year on servers belonging to several developers of massively multiplayer online (MMO) games. In a report, ESET says that the pile of evidence discovered in these attacks points directly at Winnti. Despite the novelty of PipeMon, the backdoor was signed using a certificate belonging to a video game company that the threat actor attacked in 2018.

Phishing

Phishing Campaign Leverages Google to Harvest Credentials

Some fraudsters waging phishing campaigns are using fake websites hosted on Google's Firebase Storage service in an attempt to harvest credentials, according to an analysis by the SpiderLabs security team at Trustwave. The attackers embed Firebase Storage links in phishing emails to make them appear more credible, according to the Trustwave report. The links also help the phishing emails bypass security protections, says Karl Sigler, senior security research manager of SpiderLabs. "Credential capturing webpages hosted on the [Firebase Storage] service are more likely to make it through security protections, like secure email gateways, due to the reputation of Google and the large base of valid users," Sigler tells Information Security Media Group. So far, the phishing email campaigns using these tactics are limited to Europe and Australia, and they appear to be of the "pray and spray" variety and not targeted, Sigler says.

Gitlab phished its own work-from-home staff, and 1 in 5 fell for it

Code hosting biz GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing -- and a fifth of the participants submitted their credentials to the fake login page. The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials. The GitLab Red Team -- security personnel playing the role of an attacker -- obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google's GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab's IT department.

Office 365 phishing uses Supreme Court theme and working CAPTCHA

Fraudsters are trying new things to bypass security controls in Office 365 and added a CAPTCHA page in the chain of redirects that ends on a phishing template for login credentials. To lure potential victims to the malicious page, the threat actor sent them an email purporting to be from the Supreme Court and claiming to deliver a subpoena for a hearing. This attack was not part of a massive campaign, as it was sent to a small number of individuals in targeted organizations, says Chetan Anand, co-founder of Armorblox. By sending the message to just a few users, there is a good chance that the fraudulent attempt passes unnoticed. Combined with a domain name that has not been analyzed before (zero-day link), the email is likely to bypass protections.

Leaks

Online education site EduCBA discloses data breach after hack

Online education site EduCBA has started notifying customers that it is resetting their passwords after suffering a data breach. EduCBA is an online education site based out of India that offers over 2,500 online courses and job-oriented learning programs focused on finance, technology, and business to its 500,000 learners. EduCBA began emailing data breach notifications to customers stating that their systems were hacked and user data was exposed. The notification is a bit strange as it does not go into great detail about what information was stolen and simply states, "email, name, password, courses visited, etc may have been compromised."

Voter info for millions of Indonesians shared on hacker forum

A threat actor has shared the 2014 voter information for close to 2 million Indonesians on a well-known hacker forum and claims they will release a total of 200 million at a later date. In the forum post, the threat actor states that the voter records are stored in individual PDF files that they took from the KPU, the general election commission of Indonesia.

25 million user records leak online from popular math app Mathway

A hacker has breached Mathway, a popular math solving application, from where they have stolen more than 25 million emails and passwords, ZDNet has learned. "The only thing I can say is that the [Mathway] hack took place in January 2020," ShinyHunters told ZDNet in an interview on Thursday while trying to avoid revealing too many details about the intrusion. The hacker said they accessed the company's backend, dumped the database, and then removed access to avoid getting detected. Since the start of May, the hacker has been selling the Mathway data on the dark web, and later also began selling it on a public and very popular hacking forum.

Nulled.ch - 43,491 breached accounts

In May 2020, the hacking forum Nulled.ch was breached and the data published to a rival hacking forum. Over 43k records were compromised and included IP and email addresses, usernames and passwords stored as salted MD5 hashes alongside the private message history of the website's admin. The data was provided to HIBP by a source who requested it be attributed to "Split10".

Hacker leaks 40 million user records from popular Wishbone app

A hacker has put up for sale the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll. According to the seller's claims and a sample of the data published online, the Wishbone data includes user information such as usernames, emails, phone numbers, city/state/country, but also hashed passwords.

The mystery of 'hacked' Houseparty users may have been solved

At the end of March 2020, Epic Games posted on their Twitter account a $1 million bounty for anyone to provide information of any corporate astroturfing spreading rumors about Epic Games, particularly with regard to Epic Games' Houseparty users complaining about being hacked. This unusual 'commercial smear' bounty was covered by a variety of reporters, with a limited amount of facts available, other than random Twitter users complaining about being hacked. After the bounty was issued, Houseparty started to backtrack, and made a claim rejected by Twitter that there were unauthentic users spreading the rumors. Twitter provided a comment to a Buzzfeed article on the story stating, "We haven't seen any coordinated activity related to conversations about Houseparty, but are continuing to keep an eye on it."

GhostDNS exploit kit source code leaked to antivirus company

Malware analysts received unrestricted access to the components of the GhostDNS exploit kit after the malware package essentially fell into their lap. GhostDNS is a router exploit kit that uses cross-site request forgery (CSRF) requests to change the DNS settings and send users to phishing pages to steal their login credentials for various online services (banking, news, video streaming). The complete source code for the malware kit and multiple phishing pages, all compressed in a RAR archive, was uploaded to a file-sharing platform by a careless user with obvious cybercriminal intentions. The uploader, however, did not protect the archive with a password, had Avast antivirus installed, and left its Web Shield component, which protects against malicious web content, active. This allowed the file to be analyzed by Avast's web protection technology and triggered router exploit kit detections, prompting a closer look at the malware.

Scams

Riding the State Unemployment Fraud ‘Wave’

When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that's exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens' personal data from the very websites the unemployment scammers are using to file bogus claims. Last week, the U.S. Secret Service warned of "massive fraud" against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses. Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states.

Crime

New activity of DoubleGuns‘ gang, control hundreds of thousands of bots via public cloud service

360 Netlab has written a new article detailing the activity of the DoubleGuns botnet they have discovered and researched together with the Baidu security team.

Thousands of Israeli sites defaced with code seeking permission to access users' webcams

Thousands of Israeli websites have been defaced to show an anti-Israeli message and with malicious code seeking permission to access visitors' webcams. More than 2,000 websites are believed to have been defaced. Most of the websites were hosted on uPress, a local Israeli WordPress hosting service. In a message posted on Facebook, the company said the hackers exploited a vulnerability in a WordPress plugin to plant the defacement message on Israeli sites hosted on its platform. The company said it was working with Israeli authorities to investigate the hack. uPress also took down all defaced websites and pulled the file hackers were exploiting. Efforts are currently underway to restore all affected sites.

Vigilante hackers target 'scammers' with ransomware, DDoS attacks

A hacker has been taking justice into their own hands by targeting "scam" companies with ransomware and denial of service attacks. Last week a new ransomware was discovered called MilkmanVictory that a hacking group stated they created to attack scammers. In a conversation with BleepingComputer, the hacking group known as 'CyberWare' stated that they have started targeting companies performing what they call "loan scams." "The victims are saying they give 'loan', but you first have to pay and then you get nothing," the hacking group told BleepingComputer. As part of their attacks, the threat actors are sending phishing emails containing links to executables masquerading as PDF files. They are also conducting denial of service attacks to bring down the company's web sites.

Privacy

FBI cannot even look at your phone lock screen without a warrant, rules judge

The FBI broke the law when it switched on a suspect's phone to look at his lock screen without a warrant, ruled a judge. It said that gathering evidence from a lock screen constitutes a search, and doing this without a warrant violates the 4th Amendment, which prohibits unreasonable search and seizure ... The ruling was made by judge John Coughenour in a district court in Seattle. What is known is that on February 13, 2020, the FBI removed Mr. Sam's phone from inventory, powered the phone on, and took a photograph of the lock screen. (See Dkt. No. 55-2 at 2.) The photograph shows the name "STREEZY" right underneath the time and date. Judge Coughenour ruled that the police were within their rights to look at the lock screen at the time of Sam's arrest, as there are circumstances in which a search can be made at the time of an arrest without a warrant. Investigators conducting a search later, however, need a warrant, said the judge.

Google Drive takes down user’s personal copy of Judy Mikovits’ Plandemic after it was flagged

Ever since Big Tech platforms started cracking down on what they deem to be coronavirus misinformation, the media has been willfully flagging alleged violations to social media companies and getting content taken down. And now the file storage and sharing service Google Drive has started to take down users' files in response to media complaints about them containing coronavirus misinformation. In an article reporting on the takedown, The Washington Post's Silicon Valley Correspondent Elizabeth Dwoskin complains that after the coronavirus documentary Plandemic was censored on social media, some YouTube clips were telling users how to access "banned footage" from the documentary via Google Drive. She then notes that after The Washington Post contacted Google, Google Drive took down a file featuring the trailer for the Plandemic documentary.

Home Security Vendor Sued After Technician Spied on Customers in ‘Intimate Moments’

Users of ADT home security systems have filed a class action against the vendor after discovering that a technician used his own credentials to set up the hardware and then spied on them. ADT Pulse is a complete home security package including smart locks, an alarm system and surveillance cams, all controllable from a handy smartphone app. "Our highly trained, certified technicians will professionally install your ADT security system," according to the official ADT website. "Once installed, your technician will test your system to be sure it is working properly, and show you how it works for easy use from day one." What the website doesn't say is that rogue employees might set up the system in such a way that they can later access the customers' homes, or spy on them "in their most private and intimate moments," according to the lawsuit filed by Alexia Preddy and Shana Doty, both of Texas, named as lead plaintiffs in the suits. Which is exactly what happened, according to the filings.