During this period, sophisticated ransomware and double extortion attacks, combining data theft with blackmail, continue to make the news, along with COVID-19-themed spear phishing. Details of a number of state-sponsored attacks have been released, along with multiple critical vulnerabilities.
A wide range of COVID-19 related financial scams are in progress.
— Bleeping Computer reports Canadian government sites used to provide access to crucial services for immigration, taxes, pensions and benefits were breached in a coordinated attack to steal COVID-19 relief payments. The attackers used credential stuffing to get into 9,041 accounts on the GCKey online portal.
— Bleeping Computer reports a banking trojan dubbed Mekotio, targeting users in Latin America, collects sensitive information such as firewall configuration and OS details, and includes features such as planting backdoors and stealing bitcoins.
Organized crime groups have been building out attack infrastructure to target corporate infrastructure.
— RiskIQ reports observing 120,469 new domain names containing COVID-19 keywords on August 24, 2020.
While attacks still involve phishing linked to malware delivery, a range of other exploitation techniques target the use of conferencing platforms.
— ZDNet reports a conferencing platform went down on August 24, with users worldwide unable to join meetings and video webinars as U.S. schools reopened.
Mobile devices are not immune from COVID-19 themed attacks.
— Snyk reports more than 1,200 applications, with over 300 million downloads in total, have incorporated a software development kit from Chinese advertising service Mintegral containing malicious code that spies on user activity and steals potential competitor revenue.
Broader Threat Landscape
— Wired reports voice phishing attacks are on the rise due to COVID-19 remote work policies and following the high-profile Twitter vishing scam. Coordinated attacks, involving the hiring of voice actors and the set-up of dedicated phishing pages to bypass MFA, target corporate new hires.
Phishing & Malware
Extensive COVID-19 themed phishing campaigns are underway:
— Trend Micro reports a spear phishing campaign has been targeting business executives of over 1,000 companies worldwide since March 2020. Fraudsters target their financial accounts with phishing emails redirecting to fake O365 login pages to steal credentials, then attempt fund transfer requests to subordinates.
— Seqrite reports a phishing campaign from the APT group Gorgon is targeting the MSME (Micro, Small and Medium Enterprises) sector within India, using COVID-19 themed malicious documents that download the Agent Tesla payload for keylogging and info-stealing.
— Computer Weekly reports cruise ship operator Carnival Corporation has reported falling victim to an unspecified ransomware attack that accessed and encrypted a portion of one of its brands' IT systems, exposing customer and staff personal data.
— Abnormal Security reports a phishing campaign is underway where attackers impersonate a government sponsored loan program from the U.S. Small Business Administration, with an email disguised as a notification of loan approval, redirecting to a credential phishing page.
— Bleeping Computer reports Japanese tech giant Konica Minolta was hit with a ‘RansomEXX’ ransomware attack late July impacting its servers for a week.
— Bleeping Computer reports online exam proctoring solution ProctorU has confirmed a data breach after threat actors released a stolen database of user records, including email addresses, full names, phone numbers and hashed passwords from various universities.
— Bleeping Computer reports the U.S. spirits and wine giant Brown-Forman was hit with a cyber attack by the REvil ransomware operators. The attackers claim they stole 1TB of data that includes company agreements, contracts and other confidential employee information.
— South African credit reporting agency, Experian, has disclosed an isolated incident involving a fraudulent data inquiry in a press release. A fraudster intended to use the data for marketing leads, but was identified and the data was secured and deleted. Experian clarified the fraudster obtained no consumer credit card or financial information.
— Bleeping Computer reports Google fixed a critical bug affecting Gmail and G Suite that would have allowed attackers to send spoofed malicious emails as any Google user or enterprise customer.
— Bleeping Computer reports Microsoft has patched two zero-day vulnerabilities and 120 other vulnerabilities in its August 2020 Patch Tuesday security update. The two zero-days were an RCE vulnerability in Internet Explorer 11 and another vulnerability that allowed attackers to spoof other companies when digitally signing an executable.
— Threat Post reports Citrix is warning users to urgently patch a pair of critical flaws (CVE-2020-8208 and CVE-2020-8209) in its XenMobile Server that could allow unauthorized remote attackers to access domain account credentials.
— Bleeping Computer reports Adobe has released security updates for Acrobat, Reader and Lightroom that fix twenty-six vulnerabilities, eleven of which are critical bugs that allow remote code execution.
— The Hacker News reports a zero-day vulnerability (CVE-2020-6519) in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73 and result in arbitrary code execution on targeted websites.
— The Hacker News reports Microsoft has issued an emergency out-of-band security update for Windows 8.1 and Windows Server 2012 R2 to patch two recently disclosed vulnerabilities (CVE-2020-1530 and CVE-2020-1537) in the Remote Access Service which could let remote attackers gain elevated privileges.
— ZDNet reports Cisco has disclosed a critical static password flaw affecting its ENCS 5400-W Series and CSP 5000-W Series appliances, allowing a remote attacker without credentials to log into a vulnerable device's command-line interface.
— The Hacker News reports a critical vulnerability in Jenkins, open-source server software, tracked as CVE-2019-17638 with a CVSS rating of 9.4, which may allow unauthenticated attackers to receive sensitive data intended for other users.
Law and Order
— Forbes reports Uber's former CSO is being charged on account of paying hackers $100,000 in Bitcoin in 2016 to hide a massive data breach that exposed 57 million customers.
— Schneier on Security reports the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korean hacking scheme against ATMs in numerous countries worldwide. It makes quite an interesting read, full of technical detail and yet comprehensible even to non-technical people. It is a useful reminder of the level of sophistication and power that national governments can deploy in the cyber world.
— Bloomberg reports Taiwan has blamed four Chinese APT groups, Blacktech, Taidoor, MustangPanda and APT40, for conducting a long-term espionage operation that targeted companies that provide services to government entities.
— The U.S. CISA has published a malware analysis of a North Korean RAT, BLINDINGCAN, used by the Lazarus APT group in a campaign that targeted employees of U.S. defense companies through LinkedIn recruitment approaches.
— The U.S. CISA has issued an alert on cyber actors using emails containing a Word document with malicious Visual Basic for Applications (VBA) macro code to deploy KONNI malware. This malware is a remote administration tool used to steal files, capture keystrokes, take screenshots and execute arbitrary code.
— The U.S. CISA has issued an alert for a phishing campaign, spoofing the Small Business Administration COVID-19 loan relief webpage for credential theft.
— The U.S. Secret Service and U.S. Small Business Administration have released a joint alert on detecting and mitigating fraud related to the CARES Act and the Economic Injury Disaster Loan program.
— The U.S. National Security Agency and FBI have released an analysis on the Russian malware named Drovorub, a previously undisclosed malware for Linux systems with advanced concealment mechanisms.
Threat Actor Activity
— On August 7, 2020, the actor zippo advertised a crypting service for executable and Android application package files, claiming the crypted files will be “almost” fully undetectable.
— On August 4, 2020, the actor MassadaShark auctioned an SQL injection vulnerability in a Spanish online store specializing in hunting, fishing and other recreational activities. The actor claimed 15,000 payment card records were in the database, stored in hashed form.
— On August 2, 2020, the actor twentyone_support advertised a store that sold brute-forced bank accounts and full sets of compromised data (fullz). The actor listed financial institutions where accounts were available and provided prices based on balances.