During this period, COVID-19 themed phishing and malware campaigns continue, with high-value ransomware extortion attacks in the news. Exploitation of NAS devices also continues, alongside a global DDoS campaign targeting ISPs and financial services.
A wide range of COVID-19 related financial scams are in progress.
— WeLiveSecurity reports the operators of the Latin American banking trojan Grandoreiro have launched a campaign targeting Spanish users with emails posing as Spain’s tax agency to lure victims into installing its payload.
— The Guardian reports New Zealand’s stock exchange (NZX) was interrupted and forced to halt trade for a few hours for four consecutive days as it came under a volumetric offshore DDoS attack.
— F-Secure reports the North Korean APT group Lazarus is orchestrating a cyber attack campaign against organizations working in the cryptocurrency vertical located in Germany, Japan, the U.K. and the U.S.
— ZDNet reports a criminal gang has launched DDoS attacks against some of the world’s biggest financial service providers like PayPal, Venmo and Yes Bank India, demanding Bitcoin payments as extortion.
Organised crime groups have been building out attack infrastructure to target corporate infrastructure.
— ZDNet reports more than a dozen European ISPs have reported DDoS attacks targeting their DNS infrastructure, with the attacks reaching 300Gbit/s in volume and being part of an extortion attempt.
— RiskIQ reports they observed 121,708 new domain names containing COVID-19 keywords in them on September 02, 2020.
Mobile devices are not immune from COVID-19 themed attacks.
— Xunison reports a new Android banking trojan, named ThiefBot, has been used in a campaign targeting Turkish users; it asks those who install the app for accessibility permission and uses overlay attacks to trick users into entering their banking credentials.
— ZDNet reports six apps carrying the Joker malware, which monetizes by sending premium-rate SMS messages, have been detected and removed from the Google Store after being downloaded 200,000 times.
Broader threat landscape
— Anti-Phishing Working Group (APWG) in a phishing trends report indicates that the average wire transfer attempts for BEC attacks in Q2 2020 increased to $80,183, up from $54,000 in Q1 2020.
Phishing & Malware
Extensive COVID-19 themed phishing campaigns are underway:
— Bleeping Computer reports Argentina’s official immigration agency, Dirección Nacional de Migraciones, suffered a Netwalker ransomware attack that temporarily halted border crossings into and out of the country, with the attackers asking for $4M in ransom.
— The Hacker News reports Iranian APT group Charming Kitten has been targeting journalists and academics using fake LinkedIn and WhatsApp accounts that impersonate journalists from Deutsche Welle and Jewish Journal, using compromised news groups’ websites to deliver malware.
— Abnormal Security reports a phishing campaign in which attackers impersonate a Canada Post notification about a failed delivery and ask the recipient to arrange a second delivery by clicking a link, which redirects to a phishing page that steals personal and billing details.
— Abnormal Security reports a phishing campaign in which a compromised vendor attempts to establish a partnership with an organization by sending a legitimate SharePoint file under the guise of documents that need reviewing. The linked file redirects to credential phishing login pages.
— InfoSecurity Magazine reports Newcastle University appears to have been hit with a ransomware attack, saying it will take weeks to recover from the incident. The DoppelPaymer group claims it was behind the attack and has begun to post stolen documents on its site.
— According to Sophos’ The State of Ransomware 2020, 51% of organisations were hit by ransomware in the last year, and the criminals succeeded in encrypting the data in 73% of these attacks, almost three quarters.
— Microsoft has fixed vulnerabilities in Azure Sphere that could be exploited to execute arbitrary code and elevate privileges.
— Threat Post reports Cisco has released updates to fix nine bugs, with eight rated high severity. Six of the vulnerabilities reside in Cisco’s NX-OS software and MDS-series Fibre Channel storage area network switches.
— Bleeping Computer reports more than half a million sites are exposed to an ongoing attack campaign exploiting a vulnerability in File Manager, a WordPress plugin. The vulnerability allows unauthenticated attackers to upload and execute arbitrary code on WordPress sites.
— Bleeping Computer reports attackers are currently exploiting a three-year-old command injection vulnerability in QNAP network attached storage (NAS) devices, potentially leading to remote code execution (RCE).
— The Hacker News reports Cisco has issued a warning about a high-severity zero-day vulnerability (CVE-2020-3566) in its router software that is being actively exploited in the wild and could allow remote attackers to cause memory exhaustion, resulting in process instability.
— Hack Read reports researchers have found vulnerabilities in the EMV (integrated chip) credit card standard, allowing payments without the use of a PIN code and postponing notification of declined transactions.
— Security Affairs reports WhatsApp has addressed six previously unpublished vulnerabilities in its iPhone and Android apps, some reported through a Facebook bug-bounty program.
— Security Affairs reports attackers have gained access to computer networks of the Norwegian parliament, compromising email accounts of lawmakers and employees. Officials report there is still no knowledge of who is behind the attack.
— The U.S. CISA has released a joint advisory on the North Korean threat actors BeagleBoyz, detailing a global cyber-enabled bank robbery scheme that steals money and cryptocurrency and includes an ATM cash-out scheme.
— The U.S. CISA has issued a mandate requiring all U.S. federal agencies to implement vulnerability disclosure policies by March 2021; the policies must specify the systems in scope, the types of testing allowed and how ethical hackers can submit vulnerability reports.
— PIB reports the Indian government has banned 118 apps, mostly linked to China, claiming they steal and surreptitiously transmit users’ data in an unauthorized manner to servers located outside India. The apps include Baidu, PUBG, AliPay and WeChat Work.
— The U.S. CISA has released a joint advisory with the cyber security authorities of five nations to highlight technical approaches to uncovering malicious activity including mitigation steps according to best practices. The goal is to enhance incident response among partners and network admins.
— The Australian Cyber Security Centre (ACSC) released its annual cyber threat report which states it received 59,806 cyber crime reports in the past year with ACSC detecting, at its peak, 4,500 malicious emails per day regarding the Emotet malware.
— In a flash alert, the FBI has warned U.S. companies that thousands of organizations around the world from various sectors, including retail, finance and travel, have been threatened with a ransom DDoS campaign that started on August 12, 2020. The group is demanding a Bitcoin ransom and threatens to scale the attack up to 2 Tbps if companies fail to pay.
— Bleeping Computer reports Freepik, one of the largest online graphic resources sites in the world, says that hackers were able to steal emails and password hashes of 8.3M of its users in an SQL injection attack against their Flaticon website.
— ZDNet reports the Warner Music Group has suffered a data breach in a Magecart type attack that compromised several of Warner’s U.S. online stores and installed data skimmers to collect customers’ personal and financial data.
— Cyble Inc. researchers report they have found a data leak disclosure from the REvil ransomware operators claiming to have stolen sensitive data from U.S. based Valley Health Systems, including information related to clients, employees and patients.
Law and order
— Threat Post reports a Russian national who tried to use a Tesla employee to introduce malware in the Nevada Tesla Gigafactory was arrested by the FBI.