Cybersecurity Digest #8: 06/07/2020 – 17/07/2020

Cybersecurity News

  • Microsoft Research has announced a cloud-based malware detection service called Project Freta to detect rootkits, cryptominers, and previously undetected malware strains lurking in your Linux cloud VM images.
  • A coalition of dozens of top cybersecurity and Internet freedom groups, academics and experts sent a blistering letter to the sponsors of an anti-encryption Senate bill they say would make hundreds of millions of Americans more vulnerable to hacking. The bill, called the Lawful Access to Encrypted Data Act, is the harshest among a number of efforts to weaken encryption across the Justice Department and Congress.
  • Business giant SAP released a patch for a major vulnerability that impacts the vast majority of its customers. The bug, codenamed RECON, exposes companies to easy hacks, according to cloud security firm Onapsis. Onapsis says RECON allows malicious threat actors to create an SAP user account with maximum privileges on SAP applications exposed on the internet, granting attackers full control over the hacked companies’ SAP resources.
  • With the July 2020 Patch Tuesday security updates release, Microsoft has released one advisory for a tampering vulnerability in IIS and fixes for 123 vulnerabilities in Microsoft products. Of these vulnerabilities, 18 are classified as Critical, and 105 are classified as Important. This month's release patches two previously disclosed vulnerabilities and a critical, 10.0-rated wormable DNS vulnerability.
  • Oracle released its quarterly Critical Patch Update (CPU), which includes a total of 443 new security fixes. More than half of the addressed vulnerabilities are remotely exploitable without authentication. Approximately 100 of the patches deal with vulnerabilities with a CVSS score above 9 (roughly 70 of them address bugs with a CVSS score of 9.8 or higher).
  • Google Cloud today announced a confidential computing feature called Confidential Virtual Machines, which keeps data encrypted while it’s being processed. Confidential VMs is the first product in Google Cloud’s confidential computing lineup, and it’s now available in beta.
  • Joker, a dangerous malware, has just found another way onto the Play Store. The latest alarm has been raised by the team at Check Point, who warn that “Joker is one of the most sophisticated threats of its kind we have ever seen.”

Cybersecurity Blog Posts

  • Dmitrijs Trizna described the preprocessing of Sysmon events so that they can be used as input to a Recurrent Neural Network (RNN) model, which he built using the TensorFlow Keras API. Additionally, he compared the performance of different RNN architectures.
  • Pavitra Shankdhar wrote about the best open-source web application security testing tools (such as Grabber, Vega or Wapiti), describing their benefits and drawbacks.
  • Matthew Jerzewski recounted the history of ransomware with a focus on human-operated campaigns, wrote about response actions for active attacks, and concluded that maintaining a proactive approach with a security mindset when mitigating the next ransomware campaigns is key to hardening outer perimeter security.
  • The Cloud Security Alliance (CSA) releases its “Top Threats to Cloud Computing” study to raise awareness of key risks and vulnerabilities in the cloud and promote strong security practices. Justyna Kucharczak described the latest edition, The Egregious 11, which ranks the top eleven cloud threats and provides recommendations for security, compliance, risk and technology practitioners.

Research & Analytics

  • According to a Kaspersky report, 14.8% of all users attacked by malware or adware in the past year suffered an infection of the system partition. Among the most common types of malware installed in the system partition of smartphones are the Lezok and Triada Trojans.
  • A hacking group known as “Keeper” is responsible for security breaches at more than 570 online e-commerce portals over the last three years. The Keeper gang broke into online store backends, altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers in checkout forms. In a report published by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating since at least April 2017, and continues to operate even today.
  • Digital Shadows reveals new research assessing how cybercriminals exploit stolen credentials, including bank accounts, social media and video streaming services. The study «From Exposure to Takeover» finds there are more than 15 billion credentials in circulation in cybercriminal marketplaces, many on the dark web. The number of stolen and exposed credentials has risen 300 percent from 2018 as the result of more than 100,000 separate breaches. Of these, more than 5 billion were assessed to be ‘unique’ – i.e. they have not been advertised more than once on criminal forums.
  • ESET researchers have discovered a new operation within a long-running cyber-espionage campaign in the Middle East. Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality. The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store.
  • The findings from the latest Honeywell Industrial USB Threat Report show that the total amount of threats posed by USB removable media to industrial process control networks remains consistently high, with 45% of locations detecting at least one inbound threat. Over the same time period, the number of threats specifically targeting OT systems nearly doubled from 16 to 28%, while the number of threats capable of causing a loss of view or other major disruption to OT systems more than doubled, from 26 to 59%.
  • Third-party programs such as Google Analytics and other plug-ins expose websites to Magecart, formjacking, cross-site scripting, credit-card skimming, and other attacks, new research shows. A report released by Tala Security found that these kinds of attacks exploit vulnerable JavaScript integrations running on some 99% of the world’s websites. And while 30% of the websites analyzed implemented new security policies – a 10% increase over 2019 – only 1.1% of websites were found to have effective security in place, an 11% decline from 2019.
  • The Digital Shadows Photon Research team has spent 18 months auditing criminal forums and marketplaces across the dark web and found that the number of stolen usernames and passwords in circulation has increased by 300% since 2018. There are now more than 15 billion of these stolen credentials, from 100,000 data breaches, available to cybercrime actors. Of this number, some 5 billion are said to be unique, with no repeated credential pairs.
  • Research performed by IT and data management research and consulting firm Enterprise Management Associates (EMA) takes a look at how the MDR market continues to grow. The white paper examines the factors driving further adoption of MDR, identifies the top-level issues driving the market, and sets out the criteria against which MDR providers should be evaluated.

Major Cyber Incidents

  • Major US Twitter accounts hacked in Bitcoin scam. Billionaires Elon Musk, Jeff Bezos and Bill Gates are among many prominent US figures targeted by hackers on Twitter in an apparent Bitcoin scam. The official accounts of Barack Obama, Joe Biden and Kanye West also requested donations in the cryptocurrency.
  • Microsoft Corp. customers were targeted in a massive phishing campaign that has sought to defraud users in 62 countries since December. Recently, the malicious emails have evolved to capitalize on the pandemic, according to Microsoft.
  • Cryptocurrency exchange Cashaa says it has lost 336 bitcoin (worth around $3.1 million) to hackers. The London-based platform has now ceased all crypto-related transactions, including withdrawals and deposits, as investigations into the breach get underway.
  • A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company’s “data leak detection” service. The hacker also posted the full list of 8,225 databases that Vinny Troia, the security researcher behind Night Lion Security, managed to index inside the DataViper service, a list of 482 downloadable JSON files containing samples from the data they claim to have stolen from the DataViper servers, and proof that they had access to DataViper’s backend.
  • A hacker is selling the details of 142,479,937 MGM hotel guests for a price just over $2,900. He published an ad on a dark web cybercrime marketplace. The data includes the 10.6 million user records leaked in February and a newer 20 million batch shared by the hackers this month.