Weekly Cybersecurity Roundup #1
From today, I'll start splitting the original "Weekly Roundup" into several small posts spread over the entire week.
So, let's start with the "Weekly Cybersecurity Roundup"!
Two zero days are Targeting DrayTek Broadband CPE Devices
From December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek Vigor enterprise routers and switch devices to conduct a series of attacks, including eavesdropping on device’s network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific Malicious Web Session backdoor.
On December 25, 2019, due to the highly malicious nature of the attack, we disclosed on Twitter the ongoing 0-day attack IoC without mentioning the vendor name or product lines. We also provided more details to some national CERTs.
On February 10, 2020, the manufacturer DrayTek issued a security bulletin, which fixed the vulnerability and released the latest firmware program 1.5.1. (here we actually have an easter egg we might talk about later)
Source code of Dharma ransomware pops up for sale on hacking forums
The source code of a major ransomware strain named Dharma has been put up for sale on two Russian hacker forums over the weekend.
The FBI, in a talk at the RSA security conference this year, ranked Dharma the second most lucrative ransomware operation in recent years, having extorted more than $24 million in payments from victims between November 2016 and November 2019.
Now, its source code is being sold for a price as low as $2,000 -- which has security researchers on edge.
Several ransomware experts who spoke with ZDNet today said the sale of the Dharma ransomware code would most likely result in its eventual leak on the public internet, and to a wider audience. This, in turn, would result in the broader proliferation among multiple cybercrime groups, and an eventual surge in attacks.
VPN bypass vulnerability in Apple iOS
Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel.
We discovered that in the current version of iOS (13.3.1), the operating system does not close existing connections. Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
Threat Spotlight: Coronavirus-Related Phishing
As much of the world grapples with the new coronavirus, COVID-19, and how to handle it, attackers are taking advantage of the widespread discussion of COVID-19 in emails and across the web.
Barracuda researchers have seen a steady increase in the number of coronavirus COVID-19-related spear-phishing attacks since January, but they have observed a recent spike in this type of attack, up 667-percent since the end of February.
Between March 1 and March 23, Barracuda Sentinel has detected 467,825 spear-phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2 percent of attacks. In comparison, a total of 1,188 coronavirus-related spear-phishing attacks were detected in February, and just 137 were detected in January. Although the overall number of these attacks is still low compared to other threats, the threat is growing quickly.
Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users that click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).
Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks
Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. Although campaigns employing themes relevant to these matters are only beginning to be adopted by threat actors, we expect future campaigns—primarily those perpetrated by financially motivated threat actors—to incorporate these themes in proportion to the media’s coverage of these topics.
Threat actors with varying motivations are actively exploiting the current pandemic and public fear of the coronavirus and COVID-19. This is consistent with our expectations; malicious actors are typically quick to adapt their social engineering lures to exploit major flashpoints along with other recurrent events (e.g. holidays, Olympics). Security researchers at FireEye and in the broader community have already begun to identify and report on COVID-19 themed campaigns with grant, payment, or economic recovery themed emails and attachments.
Cybercriminals trojanized original SM Covid-19 awareness Android app to target Italy
In these days of particular sacrifices due to the spread of the COVID-19 pandemic, cyber criminals do not seem to save anyone and on the contrary, taking advantage of the emotional involvement that many people have towards this topic, they have continued and in many cases increased their hostile activities not only against normal users but also towards the health and pharmaceutical research sector.
In the late evening of yesterday, within the COVID-19 CTI League, a group of about 400 experts gathered together to combat cyber threats related to the exploit of Covid-19 themed campaigns, a potentially malicious application emerged aimed at Italian users. A few moments later the same malicious application was also reported by Twitter users malwarehunterteam and ESET Research.
Indeed, to deal with the coronavirus emergency, several organizations and enterprises in the biotech sector have released different tools to help track and estimate the number of the COVID-19 positive people. One of these tools is “SMCovid19”. It’s an Android app developed by SoftMining, a company from South Italy specialized in pharmaceutical research. The app allows the user to report his symptoms and to consult useful information and statistics about the CoronaVirus spread. The app was directly downloadable as APK package from SoftMining official website.
Analysis Of Exploitation: CVE-2020-10189
The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.
Tupperware-dot-com has a live credit card skimmer on its payment page, warns Malwarebytes
Tupperware, maker of the plastic food containers beloved of the Western middle classes, has an active and ongoing malware infection on its website that steals credit card data and passes it to criminals.
Infosec firm Malwarebytes, which made the discovery, has gone public with its findings today after alleging Tupperware ignored attempts to alert it and to get the malware removed from its payment processing pages.
"On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered," said Malwarebytes in a statement.
Hospitals in Spain targeted by Netwalker ransomware
Hospitals in Spain have been targeted with coronavirus-themed phishing lures by attackers looking to lock-down their systems with Netwalker ransomware. Local reports indicate that medical centres have been receiving emails purporting to offer “information on COVID-19”, but with PDF attachments that activate the ransomware, commonly associated with computer crime groups in Eastern Europe.
FBI Shuts Down Hacker Platform, Arrests Administrator
In addition to shutting down the platform, the FBI arrested its suspected administrator, alleged Russian hacker Kirill Victorovich Firsov.
Known as DEER.IO, the cyber platform allowed criminals to sell products or services through online storefronts in exchange for a fee.
Active since at least October 2013, the platform claimed to have over 24,000 active shops and sales above $17 million.
Firsov, of Russian origin, was arrested on March 7 in New York City. He allegedly managed the DEER.IO platform and also advertised it on various cyber forums catered to hackers.
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.