Weekly Cybersecurity Roundup #8
"I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image." - Stephen Hawking
Mandrake Android malware stealing Facebook, crypto data since 2016
Every day we see new instances of malware, different from anything seen before. In a world so driven by innovation, it becomes difficult not to be surprised. One such malware, named Mandrake, was reported just yesterday by cybersecurity firm Bitdefender in a report detailing its workings since 2016.
NXNSAttack technique can be abused for large-scale DDoS attacks
A team of academics from Israel has disclosed today details about NXNSAttack, a vulnerability in DNS servers that can be abused to launch DDoS attacks of massive proportions.
According to the research team, NXNSAttack impacts recursive DNS servers and the process of DNS delegation.
Recursive DNS servers are DNS systems that pass DNS queries upstream in order to be resolved and converted from a domain name into an IP address.
These conversions take place on authoritative DNS servers, the servers that contain a copy of the DNS record, and are authorized to resolve it.
However, as a safety mechanism that is part of the DNS protocol, authoritative DNS servers can also "delegate" this operation to alternative DNS servers of their choosing.
FBI warns US organizations of ProLock ransomware decryptor not working
The FBI issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.
Early this month, the FBI issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.
“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.
“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”
The wolf is back...
Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family. We named this malware "WolfRAT" due to strong links between this malware (and the command and control (C2) infrastructure) and Wolf Research, an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018. We identified infrastructure overlaps and string references to previous Wolf Research work. The organization appears to be shut down, but the threat actors are still very active.
We identified a notable lack of sophistication in this investigation such as copy/paste, unstable code, dead code and panels that are freely open.
Police Catch Suspects Planning #COVID19 Hospital Ransomware
Police in Europe have swooped on a cybercrime gang they suspect of planning ransomware attacks using COVID-19 lures against hospitals.
The four-man “Pentaguard” group was formed at the start of the year, according to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT).
It amassed tools including ransomware, remote access trojans (RATs), and SQL injection tools to launch attacks against public and private sector organizations with the aim of stealing data, defacing websites and encrypting key systems.
“They intended to launch ransomware attacks, in the near future, on some public health institutions in Romania, generally hospitals, using social engineering by sending a malicious executable application, from the Locky or BadRabbit families, hidden in an e-mail and in the form of a file that apparently would come from other government institutions, regarding the threat of COVID-19,” the DIICOT update explained.
New COMpfun malware variant gets commands from HTTP error codes
A new COMpfun remote access trojan (RAT) variant controlled using uncommon HTTP status codes was used in attacks targeting European diplomatic entities.
This malware was first spotted and analyzed by G-Data in 2014, while another trojan featuring "strong code similarities" capable of carrying out man-in-the-middle (MitM) attacks on encrypted traffic was discovered by Kaspersky in 2019, which later dubbed it Reductor.
Even though G-Data did not attribute COMpfun to any specific malware author, Kaspersky associates it "with the Turla APT with a medium-to-low level of confidence" based on the victims its operators are targeting.
Could hackers turn satellites into weapons?
Satellites literally couldn’t be further from view, but they are increasingly the bedrock of modern society. Whether it’s beaming our TV signals or phone calls around the world or powering the Global Positioning System that tells us where we are and where we’re going, they are absolutely crucial to modern life.
The sci-fi blockbuster Gravity highlighted the perilous environment this vital constellation of machines operates in, with tens of thousands of bits of space junk flying around low Earth orbit at speeds of 17,000 miles per hour, threatening to destroy anything they come into contact with.
With companies such as SpaceX promising to launch around 42,000 satellites into space over the next decade in a bid to provide global internet access, the environment is likely to become an increasingly busy one, especially with the likes of Amazon also pledging to put their own devices into orbit.
The promise of these networks is considerable, and they have the potential to truly transform a vast swathe of everyday tasks, but as with so many of the connected devices we have grown increasingly dependent on, the threat of cyber attacks is a growing one.
GhostDNS exploit kit source code leaked to antivirus company
Malware analysts received unrestricted access to the components of GhostDNS exploit kit after the malware package essentially fell into their lap.
GhostDNS is a router exploit kit that uses cross-site request forgery (CSRF) requests to change routers' DNS settings and send users to phishing pages that steal their login credentials for various online services (banking, news, video streaming).
Vulnerability in Qmail mail transport agent allows RCE
Qualys researchers have found a way to exploit a previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution.
Researchers Disclose Five Windows Zero-day Vulnerabilities that Allow Hackers to Escalate Privileges
Security researchers from Trend Micro's Zero Day Initiative (ZDI) disclosed five zero-day vulnerabilities that allow attackers to escalate privileges on Windows machines.
Of the five, four are rated critical, each with a CVSS score of 7.0.