10/06/2024

Cybersecurity News
- Intel addressed nine security vulnerabilities in its April 2020 Platform Update, all rated high or medium severity, affecting multiple software products, firmware, and platforms.
- Cybersecurity experts at ReversingLabs revealed over 700 malicious gems (packages for the Ruby programming language) that supply-chain attackers had recently been distributing through the RubyGems repository. The campaign relied on typosquatting: the attackers uploaded packages whose names were deliberate misspellings of legitimate gems, in the hope that developers who mistype a name would unintentionally install the malicious library instead.
- A proof-of-concept remote code execution (RCE) exploit for CVE-2020-0796, the ‘wormable’ pre-auth remote code execution vulnerability in Windows 10, was developed and demoed by researchers at Ricerca Security. The vulnerability, also known as SMBGhost, lies in the Microsoft Server Message Block 3.1.1 (SMBv3) network protocol and only affects Windows 10 versions 1903 and 1909, as well as Server Core installations of Windows Server versions 1903 and 1909. Microsoft patched it out-of-band in March 2020.
- The OpenSSL Project released a security update that patches a high-severity vulnerability, tracked as CVE-2020-1967, that attackers can exploit to crash a server or client (denial of service). It is the first issue addressed in OpenSSL in 2020. The bug is described as a “segmentation fault” in the SSL_check_chain function; it affects OpenSSL 1.1.1d through 1.1.1f and is fixed in 1.1.1g.
- Dell released a new security tool to protect PCs against cyberattacks targeting the BIOS. The SafeBIOS Events and IoA tool is designed to identify changes and events that may indicate an attack is in progress and give an administrator the information they need to defend against it.
- The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning that bad actors are still exploiting a known vulnerability (CVE-2019-11510) in a popular VPN appliance a full year after the vendor patched it. Most Pulse Secure VPN users have installed the patch released by the vendor in April 2019. However, thousands of servers remain unpatched, and many organizations that did apply the patch never reset their credentials, so attackers who harvested those credentials before the fix can still log in.
- Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard has learned. The two flaws are so-called zero-days and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks.
- A cybersecurity researcher publicly disclosed technical details and a PoC for four unpatched zero-day vulnerabilities affecting IBM Data Risk Manager (IDRM) after the company refused to acknowledge the responsibly submitted disclosure.
- Microsoft released the latest batch of software security updates for all supported versions of its Windows operating systems and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity.
- Security researchers at PerimeterX discovered that some cybercriminals have started using a technique that bypasses the protection offered by iframes, which are used to embed one HTML document within another. The tactic allows Magecart attackers to skim credit card data while letting the payment transaction succeed, which makes the attack stealthier and more difficult to detect.
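The RubyGems item above describes typosquatting, where a malicious gem's name is one or two keystrokes away from a popular one. The following is an added example, not code from the ReversingLabs report or from RubyGems: it parses gem names out of a Gemfile.lock and flags any that sit within a small edit distance of a well-known gem without being that gem. The list of popular gems and the lockfile fragment are constructed for illustration.

```ruby
# Added example: flag gem names that are likely typosquats of well-known gems.
# The POPULAR_GEMS list and SAMPLE_LOCK below are constructed for illustration,
# not data from the ReversingLabs report.

# Levenshtein edit distance between two strings (iterative, O(len_a * len_b)).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    curr = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      curr << [prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = curr
  end
  prev[b.length]
end

# Well-known gems a typosquatter would imitate (constructed sample list).
POPULAR_GEMS = %w[rails rake nokogiri bundler rspec puma sidekiq devise].freeze

# Returns [name, nearest_popular_gem, distance] for every name that is within
# `max_distance` edits of a popular gem but is not itself that gem.
def suspicious_gems(names, max_distance: 2)
  names.map do |name|
    next if POPULAR_GEMS.include?(name)
    nearest = POPULAR_GEMS.min_by { |p| edit_distance(name, p) }
    d = edit_distance(name, nearest)
    [name, nearest, d] if d <= max_distance
  end.compact
end

# Pull gem names out of the "specs:" section of a Gemfile.lock
# (each resolved gem is listed as four spaces, the name, then " (version)").
def gem_names_from_lockfile(text)
  text.scan(/^    (\S+) \(/).flatten.uniq
end

# Constructed Gemfile.lock fragment (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.9)
      nokogirl (1.10.9)
      rspec (3.9.0)
      rspce (3.9.0)
      puma (4.3.3)
      devise (4.7.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  suspicious_gems(gem_names_from_lockfile(SAMPLE_LOCK)).each do |name, near, d|
    puts "#{name}: within #{d} edit(s) of #{near}"
  end
end
```

Run against the sample lockfile, the script reports `nokogirl` (one edit from `nokogiri`) and `rspce` (two edits from `rspec`). A distance threshold of 2 catches single typos and transpositions; raising it produces false positives on short legitimate names, so in practice the popular-gem list should be large (for example the top few thousand gems by download count) and the threshold kept small.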
Cybersecurity Blog Posts
- Many security and IT teams suddenly have to support and protect employees who must work remotely due to the COVID-19 crisis. Susan Bradley explains eight key security considerations for protecting remote workers.
- Today, the most successful and damaging cyberattacks are executed by highly professional criminal networks that leverage artificial intelligence (AI) and machine learning (ML) tools, making it extremely hard for IT security organizations to keep up, much less stay ahead of these threats. Brian Forster discusses the “zero trust” concept and its key pillars.
- The coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who seek to exploit the crisis for financial gain. Brian Krebs asks whether this unprecedented level of collaboration can survive the pandemic.
- Microservices are quickly changing the face of cloud computing, giving cloud architects the tools to move away from statically provisioned resources such as servers and virtual machines (VMs). New types of workloads, like serverless and containers, bring greater operational efficiency, and compute as a service (CaaS) is now more affordable and scalable than ever before. The authors of a Check Point blog post discuss how applying workload security at several layers can keep microservice architectures as secure as possible, even before the first Kubernetes workload runs.
- Today, cybercrime is a massive business, and criminals everywhere are clamoring to get a piece of the action as companies and consumers invest trillions to stake their claim in the digital universe. Cybercrime may be the world’s third-largest economy by 2021. Marc Wilczek discusses its main features, laws and trends, and the risks it brings to business.
Research & Analytics
- The report “Financial cyberthreats in 2019” by Kaspersky provides an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware. According to the report, 35.1% of users attacked with banking malware were corporate users. Users in Russia, Germany, and China were attacked most frequently by banking malware.
- Lookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors, which recently started using the novel coronavirus as its newest lure to entice its targets to download malware. This campaign appears to have been active since the start of January 2018, and targets Arabic-speaking users, likely in Syria and the surrounding region.
- With the coronavirus (Covid-19) pandemic, the U.S. federal government is rolling out a $2 trillion package of Economic Impact Payments to give the economy a shot in the arm and prevent a crash. Hackers and threat actors want to cash in on the rush to get these vital payments by adapting their scam and phishing techniques. Researchers found that since January a variety of domains related to coronavirus stimulus or relief packages have been registered globally: 4,305 domains relating to the new stimulus/relief packages in total.
- Released by Kenna Security, the report Prioritization to Prediction – Volume 5: In Search of Assets at Risk, offers some insight and advice on how to better manage security vulnerabilities and their patches. The report found that Windows computers are the most common asset as around half of firms analyzed for the report have an asset mix of at least 85% Windows-based systems. Some 70% of Windows systems had at least one open vulnerability with known exploits during the period of analysis. A Windows-based asset had an average of 119 vulnerabilities per month.
- Phishing kit prices skyrocketed in 2019 by 149%. The average price for a phishing kit in 2019 was $304, up from $122 recorded in 2018. Of the 16,200 phishing kits Group-IB identified and tracked in 2019, the company said the most targeted login pages were for Amazon, Google, Instagram, Office 365, and PayPal.
Major Cyber Incidents
- Attackers using the Ragnar Locker ransomware have encrypted the systems of the Portuguese multinational energy giant Energias de Portugal (EDP) and are now demanding a 1580 BTC ransom ($10.9M or €9.9M). The Ragnar Locker operators claim to have stolen over 10 TB of sensitive company files during the attack and are threatening to leak all of the stolen data unless the ransom is paid.
- Prague Airport and a regional Czech hospital thwarted cyberattacks on their IT networks, reinforcing warnings by the national cyber security watchdog of likely attempts to harm the country’s infrastructure.
- A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Most of the affected users were from the United States. The database was exposed for nearly two weeks before access was removed.
- Cognizant, one of the largest tech and consulting companies in the Fortune 500, has confirmed it was hit by the Maze ransomware. Maze not only spreads across a network, infecting and encrypting every computer in its path, it also exfiltrates data to the attackers’ servers, where it is held for ransom. If the ransom isn’t paid, the attackers publish the files online. However, a website known to be associated with the Maze attackers has not yet advertised or published data associated with Cognizant.
- Mediterranean Shipping Co., the world’s second-largest container line, said a cyberattack at its Geneva headquarters had brought down its website for about five days and prevented customers from making bookings on its main online platform.
- Aptoide, one of the biggest third-party app stores, with a claimed global user base of 150 million and a million apps, appears to have been breached by a hacker who claims to have stolen 39 million customer records and has published details of 20 million of them, including login emails and hashed passwords, on a popular hacker forum.
- GitHub, the Microsoft-owned source code collaboration and version control service, reported a phishing campaign it calls Sawfish on Tuesday 14 April. Users had been reporting emails that tried to lure them into entering their GitHub credentials on fake sites for a week before that, it said.
- The cryptocurrency industry suffered a major loss over the weekend after bad actors stole more than $25 million worth of digital currency from Uniswap and Lendf.me. Believed to be the work of a single group or individual, the two ‘reentrancy attacks’ were made possible by a known reentrancy issue in how the Uniswap exchange contract handles ERC777 tokens, which was publicly disclosed in July 2019.