Blueliv Intelligence Briefing

Your cybersecurity news summary

Monday, August 17th, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

SANS shares the Indicators of Compromise for the phishing attack that led to its data breach

Some of the forwarded emails contained a total of approximately 28,000 records of personally identifiable information (PII) belonging to SANS members. When disclosing the attack, SANS stated that it would release whatever it discovered about the attack to benefit the cybersecurity community. Yesterday, SANS released the indicators of compromise (IOCs) for the phishing attack so that other organizations can check that they were not affected.

Learn more >

Technology giant Konica Minolta hit by RansomEXX ransomware attack

After some customers stated that their Konica contacts had indicated a breach caused the outage, a source shared with researchers a copy of the ransom note used in the attack on Konica Minolta, named '!!KONICA_MINOLTA_README!!.txt'. It was also discovered that devices in the company were encrypted and that files had the '.K0N1M1N0' extension appended to them. This ransom note belongs to a relatively new ransomware called RansomEXX, which is human-operated: the threat actors compromise a network and, over time, spread to other devices until they gain administrator credentials.

Learn more >

PurpleWave – A New Infostealer from Russia

A new infostealer malware called PurpleWave was found being advertised and sold on Russian cyber-crime forums for US$68. An infostealer is a type of malware that gathers information from the infected system and is able to install more malware once inside it. PurpleWave is capable of stealing cookies, passwords and credit card data. It can also steal files, take screenshots and install additional malware.

Learn more >

Blueliv Intelligence Briefing

Thursday, August 13th, 2020

Vulnerability in 4G Voice over LTE (VoLTE) protocol used to eavesdrop on voice calls

For each call, mobile operators must select an encryption key, which is used with a stream cipher to secure the call. Normally, the resulting keystream should be unique for each call. However, a team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter. Researchers say that while mobile operators do indeed support encrypted voice calls, many calls are encrypted with the same encryption key. According to the academics, the problem usually manifests at the base station (mobile cell tower) level, which in most cases reuses the same keystream, or uses predictable algorithms to generate the encryption key for voice calls.

Learn more >

Coronavirus ventilator manufacturer Boyce Technologies targeted by ransomware

The cybercriminals have threatened that more information will be disclosed next week through the site if an undisclosed crypto ransom is not paid by the firm. Boyce Technologies is well known for designing and manufacturing FDA-approved low-cost ventilators in just 30 days during the first months of the COVID-19 pandemic, amid the high demand for the machines across New York hospitals. Prior to the attack, the company was making 300 units a day with the help of robots it had built itself.

Learn more >

Alexa voice assistant exploitable to hand over user data

Users are able to extend Alexa's capabilities by installing "skills" – additional functionality developed by third-party vendors, which can be thought of as apps – such as weather programs and audio features. The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot, with over 200 million shipments worldwide, was found to be vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings, because its subdomains were susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.

Learn more >

Color by numbers: inside a Dharma ransomware-as-a-service attack

The actors using this particular RaaS are equipped with a package of pre-built scripts, internal Windows tools, legitimate third-party “freeware” software, well-known security tools and publicly-available exploits, integrated together through bespoke PowerShell, batch, and AutoIT scripts. This pre-packaged toolkit, combined with back-end technical support, significantly extends the reach of the Dharma RaaS operators, allowing them to profit while their affiliates do the hands-on-keyboard work of breaching networks, dropping ransomware, and managing “customer service” with the victims.

Learn more >

Blueliv Intelligence Briefing

Wednesday, August 12th, 2020

Customer data breached at Michigan State online store

Hackers have breached Michigan State University's online store, gaining access to customer credit card numbers and other personal information, the university said. On Monday the university began notifying customers who may have been affected by the hack. Michigan State's information security team has corrected the site's vulnerabilities that allowed the intrusion, which took place between Oct. 19, 2019 and June 26, officials said.

Learn more >

Google Chrome bug would let hackers bypass CSP protection

Tracked as CVE-2020-6519 (rated 6.5 on the CVSS scale), the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites. Some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and Quora, were susceptible to the CSP bypass. Interestingly, it appears that the same flaw was also highlighted by Tencent Security Xuanwu Lab more than a year ago, just a month after the release of Chrome 73 in March 2019, but was never addressed until PerimeterX reported the issue earlier this March.

Learn more >

Information security training organization falls victim to phishing attack

"We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised," states the SANS data incident notification. The threat actor then proceeded to configure a rule that forwarded all email received in this account to an "unknown external email address" and installed a malicious Office 365 add-on.

Learn more >

Adobe Acrobat and Reader affected by critical flaws

The patches have been created for Acrobat DC, Acrobat Reader DC, Acrobat and Classic 2020, Acrobat Reader 2020, Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS machines. The important-rated vulnerabilities include sensitive data exposure, security bypass, stack exhaustion, and out-of-bounds read problems.

Learn more >

Blueliv Intelligence Briefing

Tuesday, August 11th, 2020

Threat actors hijack Tor exit nodes to perform SSL stripping attacks

According to a report published on Sunday, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network. The primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services.

Learn more >

Agent Tesla | Old RAT Uses New Tricks to Stay on Top

The new variants of the Agent Tesla RAT now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, and FTP and email clients. This malware is currently very popular with business email compromise (BEC) scammers, who use it to infect their victims, record keystrokes and take screenshots of compromised machines.

Learn more >

New zero-day RCE vBulletin bug patched

The zero-day is a bypass for a patch for a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019. The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE). However, a researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability.

Learn more >

Data leak site launched by Avaddon ransomware

If publicly released, this data could expose financial information, personal information of employees, and client data, amounting to a data breach. At this time, there is only one entry on the site, where the gang leaks 3.5MB of documents stolen from a construction company.

Learn more >

Blueliv Intelligence Briefing

Friday, August 7th, 2020

KrØØk vulnerability variant can impact Qualcomm and MediaTek Wi-Fi chips

Even though researchers initially said that only devices with Broadcom and Cypress Wi-Fi chips were affected, new KrØØk variants were discovered to also impact systems with Qualcomm and MediaTek radios, used in vehicles, navigation systems, watches, laptops, smartphones, routers, and other devices. These new findings greatly increase the number of devices vulnerable to KrØØk attacks and their variants if left unpatched.

Learn more >

Unpatched vulnerabilities in Windows print spooler

The flaw CVE-2020-1048 affects Windows Print Spooler, the service that manages the printing process. A bypass of its patch has been classified as a new vulnerability and received the tracking number CVE-2020-1337. A fix will become available on August 11.

Learn more >

Inter skimming kit used in homoglyph attacks

The idea consists of using characters that look the same in order to dupe users. Sometimes the characters are from a different language set; sometimes it is as simple as capitalizing the letter 'i' to make it appear like a lower case 'l'. A threat actor with ties to the Magecart group is using this technique on several domain names to load the popular Inter skimming kit from inside a favicon file.
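The look-alike trick described above is something defenders can screen for: collapse each domain label to the string a reader would perceive (capital I to lowercase l, digit 1 to l, Cyrillic а to Latin a, and so on) and compare the result against the brands you care about, also flagging labels that mix scripts. The following is an added example, not code from the report or from the Inter kit analysis; the confusable table and the watched brand names are constructed for illustration.

```python
import unicodedata

# Constructed look-alike tables (illustrative, not from the report).
# Applied before case folding: capital I renders like lowercase l, the trick the text names.
CASE_SENSITIVE_CONFUSABLES = {"I": "l"}
# Applied after case folding: digits, punctuation, Cyrillic/Greek letters and
# letter pairs that resemble a single Latin letter.
CONFUSABLES = {
    "1": "l", "|": "l", "0": "o",
    "\u043e": "o", "\u03bf": "o",                      # Cyrillic o, Greek omicron
    "\u0430": "a", "\u0435": "e", "\u0440": "p",       # Cyrillic a, e, p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",       # Cyrillic c, x, y
    "rn": "m", "vv": "w",
}
# Constructed brand labels a defender wants to protect (second-level labels only).
WATCHED_BRANDS = ("example-shop", "examplebank")


def skeleton(label: str) -> str:
    """Collapse a domain label to the string a human reader would perceive."""
    s = unicodedata.normalize("NFKC", label)           # fold full-width/compatibility forms
    for src, dst in CASE_SENSITIVE_CONFUSABLES.items():
        s = s.replace(src, dst)                        # must run before casefold: I -> l
    s = s.casefold()
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))      # strip diacritics
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


# Compare skeleton to skeleton so a brand containing e.g. "rn" is not its own false positive.
BRAND_SKELETONS = {skeleton(b): b for b in WATCHED_BRANDS}


def scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def decode_label(label: str) -> str:
    """Turn an xn-- (punycode) label into the Unicode form the user actually sees."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def assess(domain: str) -> dict:
    """Return findings for every non-TLD label of a domain.

    A label is suspicious if it mixes scripts, or if its skeleton matches a watched
    brand while the label itself is not spelled like that brand.
    """
    labels = [decode_label(part) for part in domain.strip(".").split(".")]
    findings = []
    for label in labels[:-1]:                          # skip the TLD
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(used)}")
        skel = skeleton(label)
        brand = BRAND_SKELETONS.get(skel)
        if brand is not None and label.casefold() != brand:
            findings.append(f"'{label}' normalises to watched brand '{brand}'")
    return {"domain": domain, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample domains: legitimate, capital-I swap, Cyrillic a, digit swap.
    for d in ("example-shop.com", "exampIe-shop.com", "ex\u0430mple-shop.com", "examp1ebank.net"):
        print(assess(d))
```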

Learn more >

Intel leak of 20GB of source code

"Most of the things here have NOT been published ANYWHERE before and are classified as confidential, under NDA or Intel Restricted Secret," the developer added. Those browsing the firmware source code will find comments referring to backdoors, but that word could mean anything and does not necessarily mean an attacker can gain access to your computer.

Learn more >

Blueliv Intelligence Briefing

Thursday, August 6th, 2020

10TB of Canon data breached in Maze ransomware attack

Multinational corporation Canon reportedly fell victim to a ransomware attack launched by the Maze group against its email and storage services and its United States website on July 30. Maze has threatened to leak the photos and data if a crypto ransom is not paid. The image.canon site was out for six days, during which it displayed status updates. Canon initially denied any attack, but the ransomware gang later claimed it had managed to steal almost 10 TB of photos, files and other data.

Learn more >

Firefox evil cursor bug fixed

The bug is a classic "evil cursor" attack and works because modern browsers allow site owners to modify how the mouse cursor looks while users are navigating their websites. Evil cursor attacks are typically weaponized by operators of tech support scam websites, who use this particular trick to keep users trapped on their sites -- as victims can't close tabs and popups due to the cursor visibility-click discrepancy.

Learn more >

Vulnerability in Temi healthcare robots lets hackers remotely hijack enterprises

Robotemi Global's Temi is a "personal robot" that uses a range of sensors, artificial intelligence (AI) and machine learning (ML) technologies, as well as modern voice activation and mobile connectivity, to perform functions including personal assistance tasks, answering Internet queries, and facilitating remote video calls. In total, four vulnerabilities were found: the use of hard-coded credentials, an origin validation error, missing authentication for critical functions, and an authentication bypass.

Learn more >

Microsoft Teams Updater abused to install malware

During the last year, several techniques for retrieving and remotely executing malware through Microsoft Teams were discovered. They all start from the possibility of updating the client from a remote URL. To fix this, Microsoft released a patch that only allows the Teams package to be fetched and updated from local network locations. Within this restriction, attackers are taking advantage of Teams as a LoLBin by placing the malicious file on the network and loading it from the victim's computer.

Learn more >

Blueliv Intelligence Briefing

Tuesday, August 4th, 2020

WordPress Newsletter plugin vulnerabilities affecting over 300k sites patched

There are at least 150,000 WordPress sites with active Newsletter installations still potentially exposed if hackers start exploiting these bugs as part of future campaigns. Newsletter users are urged to update the plugin to version 6.8.3 as soon as possible to block attacks designed to add rogue admins or inject backdoors on their sites, given that threat actors frequently use already-fixed WordPress plugin vulnerabilities in their attacks.

Learn more >

Discovered Taidoor RAT malware linked to China

"The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT)." The Taidoor RAT is then used to allow Chinese hackers to access infected systems and exfiltrate data or deploy other malware, the usual tasks for which remote access trojans are employed.

Learn more >

LG and Xerox data leaked after Maze ransomware demands go unpaid

A few days ago the group issued a press release in which it warned the companies not to try to recover their files from backups; it also announced the forthcoming LG Electronics data leak. Researchers who analyzed the leaked data confirmed that it included source code for the firmware of various LG products, including phones and laptops.

Learn more >

NetWalker evolves to a ransomware-as-a-service model

During the COVID-19 pandemic, the adversaries behind NetWalker clearly stated that hospitals would not be targeted; whether they keep to their word remains to be seen. During 2020 NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service (RaaS) model, and research suggests that the malware operators are targeting and attracting a broader range of technically advanced and enterprising criminal affiliates.

Learn more >

Blueliv Intelligence Briefing

Thursday, July 23rd, 2020

MATA malware used by Lazarus hackers to steal data

During their attacks, the hackers can use MATA to load several plugins into the infected system's memory for running commands, manipulating files and processes, injecting DLLs, and creating HTTP proxies and tunnels on Windows devices. MATA plugins also allow the hackers to scan for new targets on macOS and Linux-based machines (routers, firewalls, or IoT devices).

Learn more >

Prometei cryptojacking botnet exploits Windows SMB

In total, the botnet has over 15 executable modules that are controlled by one main module. The botnet is organized into two main functional branches: a C++ branch dedicated to cryptocurrency mining operations, and a .NET-based branch that focuses on credential theft, the abuse of SMB, and obfuscation.

Learn more >

IBM vulnerability in IVG patched

Issued a CVSS severity score of 7.5, the vulnerability CVE-2020-4400 is caused by an account lockout mechanism deemed "inadequate", which does not prevent multiple access attempts. In automated brute-force attacks, threat actors hammer a system with usernames and passwords until they come across the right combinations; to prevent these attacks from succeeding, software will often include login attempt restrictions.

Learn more >

Signed PDF documents can be modified by a “Shadow Attack”

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The main idea behind a Shadow Attack is the concept of "view layers" - different sets of content that are overlaid on top of each other inside a PDF document.

Learn more >

Blueliv Intelligence Briefing

Wednesday, July 22nd, 2020

Dozens of unsecured databases wiped in a “Meow” attack

The most recent publicly known example of a Meow attack is an Elasticsearch database belonging to a VPN provider that claimed not to keep any logs. The discoverer explained that the database was initially secured in July, only to become exposed again five days later.

Learn more >

Adobe critical vulnerabilities in Photoshop, Bridge and Prelude fixed

For users who are running as a standard Windows user rather than an administrative account, the impact of these vulnerabilities is greatly restricted unless they are chained with another vulnerability that elevates privileges. Adobe advises users to update the vulnerable apps to the latest versions to block attacks attempting to exploit unpatched installations.

Learn more >

Phishing campaign uses Google Cloud Services to steal credentials

Researchers describe in a report that the attackers relied on Google Drive to host a malicious PDF document and Google's "storage.googleapis[.]com" to host the phishing page. The spotted PDF was made to look like a gateway to content available through the SharePoint web-based collaboration platform. Once the potential victim takes the bait and follows the Access Document link, the phishing page hosted on Google Cloud Platform loads, asking them to log in using Office 365 credentials or an organization's ID.

Learn more >

Citrix vulnerability that allows remote hacking fixed

"By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process under the SYSTEM account," researchers explain. "Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying."

Learn more >

Blueliv Intelligence Briefing

Tuesday, July 21st, 2020

Welcome Chat, a malicious app bundled with spyware

The website of the application claims that it is a secure chat platform and that it is available on the Google Play store, neither of which is true. In addition to monitoring the users' chat history, the malicious app also exfiltrates SMS and call history logs, the contact list, GPS location, user photos, recorded calls and device information. There is evidence to believe that the app is not a 'trojanized app' but was developed with malicious intent from the start.

Learn more >

Latest Golden Chickens MaaS Tools Updates and Observed Attacks

Four new attacks using malware-as-a-service tools from the Golden Chickens portfolio were observed throughout March and April and are now being declassified. The analysis concludes that the MaaS operator Badbullzvenom is responsible for the creation and updates of some GC tools.

Learn more >

Windows machines infected again by Emotet-TrickBot malware

After over five months of inactivity, the Emotet Trojan woke up and started massive spam campaigns posing as payment reports, invoices, shipping information, and employment opportunities. These spam emails contain malicious documents that install the Emotet trojan on the recipient's computer when they are opened and macros are enabled.

Learn more >

F5 BIG-IP networking products still unpatched

The vulnerability CVE-2020-5902 allows remote execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port, via the Traffic Management User Interface (TMUI). Upon exploitation, this vulnerability could provide complete control of the host machine, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and use of the device as a hop point into other areas of the network.

Learn more >

Windows 10 boot bug fixed

To prevent this issue, Microsoft is using an automated troubleshooter — instead of applying an update block — to prevent Disk Cleanup from launching on its own and causing boot issues until the users install the Windows version 19041.84 update which comes with a fix for this bug. "This troubleshooter automatically runs twice. It runs for the first time on all devices on Windows version 19041.21," Microsoft says. "It then runs again after devices are upgraded to Windows version 19041.84. This troubleshooter cannot be run manually."

Learn more >

SIGRed Windows DNS bug gets micropatch

SIGRed stems from a flaw in how Microsoft implemented the DNS server role and affects all Windows DNS server versions starting with 2003. Experts say that the official patch added three integer overflow/underflow checks, "for one subtraction and two addition operations." The micropatch is similar, but also logs and reports an exploit attempt when it detects the over/underflow.

Learn more >

New phishing campaign to steal login credentials from cloud services

The email imitates a "quarantined mail" notification frequently sent out in workplaces by email security products and spam filters, asking the user to "release" messages stuck in the queue. The "From:" (envelope) address in the email is listed as "noreply@servicedesk.com", and while sender domains can easily be spoofed, the mail headers for this phishing campaign show that the email was in fact sent through this domain.

Learn more >

1.2TB of user data exposed in VPN data leak

Seven Hong Kong-based VPN providers, including UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Safe VPN, and Rabbit VPN, which appear to have as many as 20 million users worldwide, have reportedly leaked their user data online. As per various media reports, the amount of user data from the 20 million users can go as high as 1.2 TB. The exposure occurred because the database, hosted on an Elasticsearch cluster, was left without any password.

Learn more >

Blueliv Intelligence Briefing

Friday, July 17th, 2020

New ATM “black box” attacks across Europe

A black box attack is when an intruder unfastens an ATM's outer case to access its ports, or cuts a hole in the casing for direct access to its internal wiring or other hidden connectors. Using these access points, the attacker then connects a "black box" device, usually a laptop or Raspberry Pi board, to the ATM's internal components and uses it to send commands to the ATM's cash dispenser and release cash from the storage cassettes.

Learn more >

Casting company data leak exposes more than 10M records

An open Elasticsearch server hosted on Google Cloud was discovered by experts in the United States. The database was not secured by any form of authentication, and in total close to 10 million records were exposed. The database was 1GB in size, and upon investigation the team found that over 260,000 users of the website had their profiles leaked, including aspiring actors and potentially members of staff.

Learn more >

Google bug shows security alerts for TiVo devices

For the past two weeks, TiVo Stream 4K owners say that as soon as they link their account on the device, Google sends an alert to their inboxes warning that the device has extensive access to their personal data and that Google has not verified the device/app developer. The message also urges users to unlink their account from the device, advice that some users have followed.

Learn more >

Russian hackers target COVID-19 research centers with malware

APT29 uses a variety of tools and techniques, including spear-phishing and custom malware known as "WellMess" and "WellMail", according to experts, who have also assessed that the hacking group "almost certainly operate[s] as part of Russian Intelligence Services."

Learn more >

Blueliv Intelligence Briefing

Wednesday, July 15th, 2020

Adobe Creative Cloud vulnerabilities fixed

These important-severity vulnerabilities were found in Adobe ColdFusion and Adobe Genuine Service, and they affect both Windows and macOS devices running unpatched software versions. Adobe advises users to update the vulnerable apps to the latest versions to block attacks attempting to exploit unpatched installations.

Learn more >

New on the scene: Darkvision RAT

Although new, this RAT offers a wide range of plug-ins and extra functionality such as keylogging, live webcam and microphone capture, screen capture, and a reverse proxy. All of this functionality is loaded separately from individual .dll files that are selectively delivered to the infected machine without being written to disk.

Learn more >

Wattpad data breach exposes 270M user records

In an anonymous tip, experts were told that this database was being sold by ShinyHunters, a group known for selling company databases acquired in data breaches. At the same time, another firm revealed that the database was being sold for ten bitcoins, almost $100,000 at the time. Sample records from the database contain user names, names, hashed passwords, email addresses, and general geographic location.

Learn more >

Microsoft patches a 17-year-old “wormable” vulnerability in Windows DNS Server

By exploiting the flaw, "a hacker [can] craft malicious DNS queries to Windows DNS servers, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure," the team says. CVE-2020-1350 affects all Windows Server versions from 2003 to 2019. The vulnerability stems from how the Windows DNS server parses an incoming DNS query, as well as how it handles forwarded DNS queries.

Learn more >

Blueliv Intelligence Briefing

Tuesday, July 14th, 2020

AgeLocker Ransomware uses Google’s utility to encrypt files

According to the Age manual, the utility was designed as a replacement for GPG to encrypt "files, backups, and streams." Instead of creating ransomware that uses commonly seen encryption schemes such as AES+RSA, the threat actors behind AgeLocker appear to be using the Age command line tool to encrypt a victim's files. Experts explained that Age uses the X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256 algorithms, which makes it a very secure method of encrypting a file.


Learn more >


RECON bug affecting over 40k customers patched

Short for Remotely Exploitable Code On NetWeaver, the vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems, according to the company that found and responsibly disclosed RECON to the SAP Security Response Team. RECON is caused by a lack of authentication in an SAP NetWeaver AS for Java web component, allowing several high-privileged activities on the affected SAP system.


Learn more >


New ServHelper campaign installing a loud CryptoMiner

A backdoor named ServHelper, associated with TA505, has been detected installing cryptominers on compromised systems since at least January 2020. This miner hides itself on the system inside a virtualized environment. When the unsuspecting victim executes the installer, ServHelper first checks whether it is running in a virtualized environment (to avoid being analyzed) and whether the current user has admin privileges; if the Windows 10 build is below 10147, it escalates privileges using DLL hijacking.


Learn more >


Online auction platform breach exposes more than 3M user records

LiveAuctioneers has confirmed a security incident after a database containing 3.4 million user records was put up for sale on the dark web for $2,500. "As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19," the company said.


Learn more >