10/06/2024
Cybersecurity News
- Google intends to enforce a new set of rules, which will result in a large number of extensions being delisted. These rules are meant to crack down on a series of practices extension developers have recently been employing to flood the Web Store with shady extensions or boost install counts for low-quality content.
- The threat actors behind the Shade ransomware have called it quits, releasing 750,000 encryption keys on GitHub and publicly apologizing to victims affected by the malware. User “shade-team” posted four files on the code repository, one containing the file keys and four “ReadMe” files with decryption instructions and other information.
- Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple’s iOS and macOS operating systems. 14 vulnerabilities were identified: 5 affected Apple’s ImageIO framework and 9 impacted the OpenEXR library, a high dynamic range (HDR) image file format created for computer imaging applications.
- Two severe security flaws were discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. Two days after that, a hacking campaign began exploiting these flaws to breach servers of LineageOS, Ghost, and DigiCert.
- Microsoft says its advanced machine learning threat detection models have helped its staff detect multiple malicious spam (malspam) campaigns distributing disk image files infected with malware. The campaign is using COVID-19 lures (email subject lines) to trick users into downloading and running IMG file attachments.
- Microsoft challenges security researchers to hack Azure Sphere. Participants can earn up to $100,000 for finding severe flaws in Microsoft’s Linux-based Azure Sphere IoT operating system. Last year a group of researchers was invited to test attacks against Infrastructure-as-a-Service (IaaS) scenarios using a set of dedicated cloud hosts isolated from Azure customers.
- The US National Security Agency (NSA) and its Australian counterpart the Australian Signals Directorate (ASD) have published a set of guidelines to help companies avoid a common kind of attack: web shell exploits. The guidelines list several CVEs that are common attack vectors for the installation of web shells, targeting products from Microsoft (SharePoint and Exchange), Atlassian, Progress, Zoho, and Adobe (ColdFusion).
- CyberArk found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape users’ data and ultimately take over an organization’s entire roster of Teams accounts.
- China’s new regulation on a cybersecurity review system, which aims to promote an orderly, secure and open cyberspace and safeguard national security, will take effect on June 1.
- The US National Security Agency (NSA) has published a short guide to choosing a service for video and web conferences. The document provides a brief overview of best practices and the criteria that determine the risks and functions that government employees should consider when choosing conference services.
Cybersecurity Blog Posts
- Xavier Mertens searched for a nice way to extract indicators of compromise in an automated way. He built his own Docker image which is based on the following components: procmail, getmail, some Python libraries and the project es_mail_intel.
- Oliver Friedrichs gave 3 basic tips for building a strong unified cloud security strategy: understand your cloud security responsibility, ensure visibility into your cloud infrastructure, create and enforce strong access/security controls.
- Gil Rapaport told us about a sharp increase in exposed RDP servers and a few steps organizations can take to improve RDP security and reduce the risk of a data breach, such as: limit privileged access, enable NLA, avoid exposure, use strong passwords and multifactor authentication.
- Anton Chuvakin wrote about his attempts to “reconnect” data security controls to threats. The main idea of his post is “don’t deploy security controls — whether data security or others — unless you know what problem you are solving.”
- Tomislav Peričin from Reversing Labs believes that explainable threat intelligence is a comprehensive system for object analysis that provides actionable intelligence and human interpretable data. He explains how such systems should be designed and operate.
Research & Analytics
- David Elmaleh and Imperva Research Labs’ data scientist Johnathan Azaria covered data highlighted in the 2019 Global DDoS Threat Landscape Report, and also offered a never-before-seen look at attacks on a per-industry basis and commentary on how to think about DDoS during the COVID-19 pandemic. They also provided additional insights on why recent attacks require a specific mitigation strategy.
- Kaspersky published a report on DDoS attacks in Q1 2020. Contrary to the forecast in the previous report, Q1 2020 saw a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and rose by 80% against Q1 2019. The attacks also became longer: analysts observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but analysts did not expect this kind of surge.
- Kaspersky conducted an inquiry, discovering a long-term campaign, “PhantomLance”, in which malicious apps in the Google Play Store secretly spy on and steal data from users of Android devices. Its earliest registered domain dates back to December 2015. Besides the attribution details, the document describes the actors’ spreading strategy, their techniques for bypassing app market filters, malware version diversity and the latest sample deployed in 2020, which uses Firebase to decrypt the malicious payload.
- Kaspersky published its report “APT trends report Q1 2020”. COVID-19 is clearly at the top of everyone’s minds at the moment, and APT threat actors have also been seeking to exploit this topic in spear-phishing campaigns. According to the report, geopolitics continues to be an important driver of APT activity, and financial gain remains a motive for some threat actors, as evidenced by the activities of Lazarus and Roaming Mantis.
Major Cyber Incidents
- Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free. Cybersecurity intelligence firm Cyble was able to purchase approximately 530,000 Zoom credentials for less than a penny each at $0.0020 per account.
- GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH. The security incident took place on October 19, 2019, and was discovered on April 23, 2020, after the company’s security team found an altered SSH file in GoDaddy’s hosting environment and suspicious activity on a subset of GoDaddy’s servers. Roughly 28,000 customers’ hosting accounts were affected in the incident.
- Ransomware has struck the computer systems of Taiwan’s state-owned energy company, CPC Corp. Although the attack did not affect the company’s energy production, it did disrupt some customers’ efforts to use CPC Corp.’s payment cards to purchase gas.
- The Israel National Cyber Directorate (INCD) issued a security alert on attempts to attack SCADA systems of wastewater treatment facilities, water pumping stations and sewerage networks. The measures recommended for water and power supply organizations to prevent intrusions included urgently changing passwords for all internet-connected systems.
- Hackers have launched a massive attack against more than 900,000 WordPress sites seeking to redirect visitors to malvertising sites or plant a backdoor if an administrator is logged in. Based on the payload, the attacks seem to be the work of a single threat actor, who used at least 24,000 IP addresses over the past month to send malicious requests.
- Personal details of more than 700,000 migrants and hopeful immigrants to Australia may have been exposed in a data breach concerning the Department of Home Affairs’ SkillSelect platform.
- A data breach at Unacademy, India’s largest online education platform, has exposed the personal details of around 11 million users, the company has admitted.