Customers of GoDaddy, one of the largest domain name registrars, are being warned about an attack that took place last October. An intruder gained access to the login credentials of users’ hosting accounts. The attack was only discovered on April 23. GoDaddy has reset the passwords of all 28,000 users affected by the attack.
Your organization should enact a credential monitoring program so that it is alerted when important credentials leak onto the dark web. Services like Secure IT – User Defence continuously scan the dark web for credential leaks and also train end users on cybersecurity best practices.
Toll Group, an Australian transportation company, said its systems had been targeted by a new form of ransomware called Nefilim. The company, which operates across 50 countries, detected unusual activity on some of its servers, which led to delays for customers. Like other ransomware families, namely Nemty, Crysis and SamSam, Nefilim gains initial access through exposed and vulnerable Remote Desktop Protocol (RDP) servers.
Attacks via Remote Desktop Protocol servers are widespread these days. To prevent them, organizations should enable 24/7 monitoring and remediation solutions. Services like Endpoint Protection and SIEM (Security Information & Event Management) help prevent these attacks, or at least stop them from spreading.
Cisco WebEx Phishing
A series of phishing attacks is targeting Cisco WebEx users with fake certificate error warnings. The phishing emails use graphics and formatting that mimic genuine communications from Cisco WebEx. Users are asked to click a hyperlink to unlock their accounts and are then redirected to a credential-phishing site.
Users should be cautious whenever a link suggests they need to unlock their accounts. Services like Secure IT – Mail scan the links within emails to determine whether they are legitimate. If they are not, these tools block users from visiting the malicious website at all.
A vulnerability has been identified in Microsoft Teams that involves a simple GIF image. For the attack to work, the victim only had to view the malicious GIF, which showed the Donald Duck character sweeping a row of Mickey Mouse toys. The attackers were then able to steal data from specific systems and gain access to the company’s Teams accounts.
Microsoft has already corrected this vulnerability by updating the misconfigured DNS records, thus mitigating the problem.
A new spyware campaign has been identified that has been ongoing for four years. Named PhantomLance by Kaspersky, the spyware is distributed through dozens of Android apps available on Google Play (as well as other distribution channels). The malware uses heavy encryption and is able to download and execute additional malicious payloads tailored to the specific environment of the device.
Kaspersky reported its findings to Google, which has since removed the malicious apps from the Play Store.
Critical Adobe Illustrator, Bridge and Magento Flaws
Critical flaws were detected in several Adobe products, namely Illustrator, Bridge and Magento. They include a stack-based buffer overflow (CVE-2020-9555), heap overflow bugs (CVE-2020-9562, CVE-2020-9563), a memory corruption bug (CVE-2020-9568) and use-after-free vulnerabilities (CVE-2020-9566, CVE-2020-9567). Also included are critical out-of-bounds write flaws (CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569). All of these could be exploited remotely by an attacker, allowing arbitrary code execution.
The RagnarLocker ransomware targeted the Portuguese multinational energy giant EDP. More than 10TB of sensitive files have been stolen. The attackers are now demanding $10.9M to prevent the stolen information from being leaked and are threatening to notify customers, partners and competitors. Among the files that have already been released, the attackers have also included an edpradmin2.kdb file, a KeePass password manager database.
A vulnerability was identified in the way Microsoft Office loads arbitrary type libraries. It allows attackers to install programs; view, modify and delete data; and create new accounts with full permissions. To exploit the vulnerability, an attacker must get the user to open a specially crafted Office document.
Microsoft has addressed the vulnerability by correcting how Office handles type libraries.
The Coronavirus crisis is being widely exploited by hackers to deceive users, and the crew behind Trickbot is no exception. They have sent hundreds of emails posing as COVID-19 alerts and test notifications, with malicious documents attached that install the Trickbot malware. Infected computers end up with keyloggers, trojans and ransomware.
Avoiding malware like CoViper should begin with user training and awareness; employees must know how to identify suspicious emails and attachments, as these are the most likely delivery mechanism for malware of this kind. Organizations may sign up for automated programs such as Secure IT – User Defence to train their employees.
The emulator that loads the low-level antivirus engine was found to run unsandboxed, potentially exposing systems to attackers.
Avast has since patched the vulnerability, and all users are advised to update to the latest version to ensure their devices are secure.
Netwalker is a ransomware family, formerly known as Mailto, that has recently become active. A new phishing campaign uses an attachment containing an embedded Netwalker ransomware executable. Once executed, the ransomware encrypts the files on the computer and appends a random extension to each encrypted file name.
CVE-2020-6819 and CVE-2020-6820 allowed unauthenticated attackers to trick potential victims into visiting a maliciously crafted website and thereby execute arbitrary code on devices running unpatched versions of Firefox.
All Firefox users should install the latest, patched version, Firefox 74.0.1. Mozilla released Firefox 74.0.1 and Firefox ESR 68.6.1 to address these two critical vulnerabilities, which were being actively exploited by threat actors against vulnerable machines.
The Search Meter plugin for WordPress, up to and including the latest version 2.13.2, allows user input typed into the search bar to be interpreted as a spreadsheet formula when the collected search terms are exported. An attacker can achieve remote code execution via this method.
This plugin hasn’t been updated for the last three major releases of WordPress, and it is advised that you deactivate the plugin right away and look for
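The underlying weakness is formula injection: a stored string that begins with a formula trigger character is evaluated, rather than displayed, once the export lands in a spreadsheet. The following is an added example, not code from the Search Meter plugin, showing the defensive side: a hypothetical search-term exporter that neutralises such cells before writing CSV. The function names, the sample search terms and the column layout are all constructed for this illustration.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start
# of a formula or as a cell/line separator (OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell instead of showing it."""
    return str(value).startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Make a cell safe for spreadsheet import.

    A leading single quote tells the spreadsheet to treat the cell as literal
    text. The original content is preserved, so analysts still see what was
    typed into the search bar; it just can no longer execute.
    """
    text = str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_search_terms_csv(rows) -> str:
    """Write (search_term, hits) rows to CSV with every cell neutralised.

    QUOTE_ALL wraps every field in double quotes, so commas or quotes inside
    a search term cannot break the column structure either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["search_term", "hits"])
    for term, hits in rows:
        writer.writerow([neutralize_cell(term), hits])
    return buf.getvalue()


def flag_suspicious_terms(rows):
    """Return the stored search terms that would have been evaluated on export.

    Useful as a detection pass over an existing search log: a legitimate
    visitor rarely starts a query with '=' or '@'.
    """
    return [term for term, _ in rows if is_formula_like(term)]


# Constructed sample search log: two benign queries and two formula-shaped ones.
SAMPLE_ROWS = [
    ("wordpress backup plugin", 12),
    ("=1+1", 3),
    ("@weekly newsletter", 1),
    ("cheap hosting", 7),
]

if __name__ == "__main__":
    print("suspicious:", flag_suspicious_terms(SAMPLE_ROWS))
    print(export_search_terms_csv(SAMPLE_ROWS))
```

The trade-off is that genuinely harmless values such as a negative number or a phone number starting with "+" also receive the quote prefix; that is acceptable for an analytics export, where readability matters more than numeric typing, and far safer than trusting that nobody will open the file in a spreadsheet.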
Fake Zoom installers
Threat actors have distributed several different versions of Zoom client installers that look legitimate but are not officially from Zoom. These installers are bundled with malware such as coinminers, Remote Access Trojans and adware bundles.
You should always install software directly from the vendor to avoid accidentally using a fake installer. If a fake installer is downloaded anyway, ensure your computer is protected with endpoint protection, for example Secure IT – Endpoint.
A new malware family has been discovered in 56 Google Play applications, which have collectively been downloaded nearly one million times worldwide. Dubbed “Tekya,” the malware commits mobile ad fraud by imitating user actions to click on advertisements.
Proper security measures must be in place to defend against Tekya malware and similar threats. Up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Adobe has released a security update for the Adobe Creative Cloud Desktop Application for Windows. The update addresses a critical vulnerability whose successful exploitation could lead to arbitrary file deletion.
Proper security measures must be in place to defend against the Milum RAT and similar threats. Up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.