Blueliv Intelligence Briefing

Your cybersecurity news summary

Friday, July 3rd, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Communications system used by criminals to trade drugs and guns “successfully penetrated”

The NCA worked with forces across Europe on the UK's "biggest and most significant" law enforcement operation. Major crime figures were among over 800 Europe-wide arrests after messages on EncroChat were intercepted and decoded. More than two tonnes of drugs, several dozen guns and £54m in suspect cash have been seized, says the NCA. While the NCA was part of the investigation, it was initiated and led by French and Dutch police, and also involved Europol. Learn more >

DarkCrewBot – The Return of the Bot Shop Crew

Researchers recently discovered an ongoing, evolving campaign from a known hackers’ group, “DarkCrewFriends.” This campaign targets PHP servers, focusing on building a botnet infrastructure that can be leveraged for several purposes, such as monetization and shutting down critical services. DarkCrewFriends has been quite active over the last few years. Learn more >

Connection discovered between Chinese hacker group APT15 and defense contractor

A report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree. The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China's border regions but also living abroad in at least 14 other countries. Learn more >

Emergency Firefox update for search issues

After releasing Firefox 78 yesterday, Mozilla quickly halted its rollout via automatic updates due to problems discovered with the built-in search functionality. Today, Mozilla has released a new version 78.0.1 to fix these issues and has resumed auto-updates. In a Mozilla bug, it was reported that numerous search issues occurred after installing Firefox 78. Learn more >

Netgear releases fixes for ten vulnerabilities affecting nearly 80 of its products

Four of the flaws have been rated high severity; they can be exploited by an unauthenticated attacker with network access to the vulnerable Netgear device to execute arbitrary code with admin or root privileges, and to bypass authentication. The US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert warning of the Netgear router flaws. The CERT/CC also published a security advisory on one of the above vulnerabilities, which can be exploited by an unauthenticated attacker to gain remote code execution with root privileges. Learn more >

Out-of-band security updates to patch two vulnerabilities in Microsoft Windows

The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating. In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory. After successfully exploiting CVE-2020-1425, attackers "could obtain information to further compromise the user’s system," while successful exploitation of CVE-2020-1457 could lead to arbitrary code execution on vulnerable systems. Learn more >

PROMETHIUM extends global reach with StrongPity3 APT

The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, a research team has identified around 30 new C2 domains. They assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year. Learn more >

Almost 300 Windows 10 executables vulnerable to DLL hijacking

A simple VBScript may be enough to allow users to gain administrative privileges and bypass UAC entirely on Windows 10. In a new report from PwC UK security researcher Wietze Beukema, we learn that almost 300 executables in the System32 folder are vulnerable to relative path DLL hijacking, and that with a simple VBScript some of these EXEs can be used to elevate execution, bypassing UAC entirely. Learn more >

GuLoader: Peering Into a Shellcode-based Downloader

GuLoader, a malware family that emerged in the wild late last year, is written in Visual Basic 6 (VB6), which is just a wrapper for a core payload that is implemented as shellcode. It is distributed via spam email campaigns with archived attachments that contain the malware. The majority of malware downloaded by GuLoader is commodity malware, with AgentTesla, FormBook, and NanoCore being the most predominant. This downloader typically stores its encrypted payloads on Google Drive. Learn more >

Hackers hide credit card stealing scripts in favicon EXIF data

Hackers are always evolving their tactics to stay one step ahead of security companies. A perfect example of this is the hiding of malicious credit card stealing scripts in the EXIF data of a favicon image to evade detection. In a new report by Malwarebytes, an online store using the WordPress WooCommerce plugin was found to be infected with a Magecart script that steals customers' credit cards. What made this attack stand out was that the scripts used to capture data from payment forms were not added directly to the site but were contained in the EXIF data of a remote site's favicon image. Learn more >

Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection. Researchers found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another variation to exfiltrate stolen credit card data. Learn more >

Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

A new variant of powerful cryptojacking and DDoS-based malware is exploiting severe vulnerabilities in order to infect Windows machines. Dubbed Lucifer, the malware is part of an active campaign against Windows hosts and uses a variety of weaponized exploits in the latest wave of attacks, Palo Alto Networks' Unit 42 said on Wednesday. Learn more >

CryptoCore: A Threat Actor Targeting Cryptocurrency Exchanges

A hacking group known as CryptoCore has pulled off cryptocurrency heists worth $70 million, but research indicates the total since 2018 may exceed an estimated $200 million. This group targets cryptocurrency exchanges by conducting spear-phishing campaigns against employees and executives. The main goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be they general corporate wallets or wallets belonging to the exchange’s employees. Learn more >

New ransomware posing as COVID‑19 tracing app targets Canada

New ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims. CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert. Learn more >

Inside a TrickBot Cobalt Strike Attack Server

TrickBot is the successor of Dyre that, at first, was primarily focused on banking fraud, even reusing the same web-injection systems utilized by Dyre. TrickBot has since shifted focus to enterprise environments over the years, incorporating network profiling, mass data collection, and lateral traversal exploits. This shift in focus is evident in the tertiary payloads it delivers to enterprise environments. Learn more >

Dark Basin: Uncovering a Massive Hack-For-Hire Operation

Researchers give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With high confidence, the researchers link Dark Basin to BellTroX InfoTech Services, an India-based technology company. Over the course of their multi-year investigation, they found that Dark Basin likely conducted commercial espionage on behalf of its clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories, and advocacy. Learn more >

Malwarebytes causing performance issues in Windows 10 2004

Since the release of Windows 10 2004, users have been reporting performance issues and crashes when Malwarebytes 4.1 is installed. Since Windows 10 version 2004, the May 2020 Update, was released, users have filed numerous reports on the Malwarebytes support forums describing problems with MBAM 4.1 installed. These issues range from random freezes, general slowness and video stuttering to blue screen of death (BSOD) crashes and Windows 10 becoming unresponsive. Learn more >
