Beyond Information Security

Hackers Created Thousands of Coronavirus (COVID-19) Related Sites As Bait

As the world comes to grips with the coronavirus pandemic, the situation has proven to be a blessing in disguise for threat actors, who’ve taken advantage of the opportunity to target victims with scams or malware campaigns. Now, according to a new report published by Check Point Research today and shared with The Hacker News, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious coronavirus-related domains and selling discounted off-the-shelf malware on the dark web.

Source: The Hacker News

Link: https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html


Adobe Releases Critical Patches for Acrobat Reader, Photoshop, Bridge, ColdFusion

Though it’s not Patch Tuesday, Adobe today released a massive batch of out-of-band software updates for six of its products to patch a total of 41 new security vulnerabilities.

Adobe last week made a pre-announcement to inform its users of an upcoming security update for Acrobat and Reader, but the company today disclosed bugs in a total of 6 widely used software products, including:

  • Adobe Genuine Integrity Service
  • Adobe Acrobat and Reader
  • Adobe Photoshop
  • Adobe Experience Manager
  • Adobe ColdFusion
  • Adobe Bridge

According to the security advisories, 29 of the 41 vulnerabilities are critical in severity, and the other 11 have been rated important.

Source: The Hacker News / BleepingComputer / Threatpost / SecurityWeek / Adobe Security Bulletin / Help Net Security

Link: https://thehackernews.com/2020/03/adobe-software-update.html

Link: https://www.bleepingcomputer.com/news/security/adobe-fixes-nine-critical-vulnerabilities-in-reader-acrobat/

Link: https://threatpost.com/critical-adobe-photoshop-acrobat-reader-flaws/153902/

Link: https://www.securityweek.com/adobe-patches-critical-flaws-reader-coldfusion-other-products

Link: https://helpx.adobe.com/security/products/acrobat/apsb20-13.html

Link: https://www.helpnetsecurity.com/2020/03/18/adobe-security-fixes-march-2020/


TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks

A new module for the TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems with a Remote Desktop Protocol (RDP) connection exposed to the Internet. The module, dubbed "rdpScanDll," was discovered on January 30 and is said to still be in development, according to cybersecurity firm Bitdefender in a report shared with The Hacker News. According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to enterprises in the telecom, education, and financial sectors in the U.S. and Hong Kong. The malware authors behind TrickBot specialize in releasing new modules and versions of the Trojan in an attempt to expand and refine its capabilities.

Source: The Hacker News / Threatpost / SANS Internet Storm Center

Link: https://thehackernews.com/2020/03/trickbot-malware-rdp-bruteforce.html

Link: https://threatpost.com/trickbot-trojan-rdp-brute-forcing/153915/

Link: https://isc.sans.edu/forums/diary/Trickbot+gtag+red5+distributed+as+a+DLL+file/25918/


Most Ransomware Gets Executed Three Days After Initial Breach

Ransomware gets deployed three days after an organization’s network gets infiltrated in the vast majority of attacks, with post-compromise deployment taking as long as 299 days in some of the dozens of attacks researchers at cybersecurity firm FireEye examined between 2017 and 2019. In 75% of all ransomware incidents, the researchers found, the attackers delay encrypting their victims’ systems and use that time to steal Domain Admin credentials that they can later use to distribute the ransomware payloads throughout the compromised environment. More recently, ransomware operators have also started to harvest and exfiltrate their victims’ data, later using it as leverage to make them pay the ransoms under the threat of leaking the stolen information.

Source: BleepingComputer / SecurityWeek / FireEye blog

Link: https://www.bleepingcomputer.com/news/security/most-ransomware-gets-executed-three-days-after-initial-breach/

Link: https://www.securityweek.com/ransomware-mostly-deployed-after-hours-report

Link: https://www.fireeye.com/blog/threat-research/2020/03/they-come-in-the-night-ransomware-deployment-trends.html


COVID-19 Testing Center Hit By Cyberattack

Hospitals around the world are struggling with ever-growing waves of COVID-19 infections, but the efforts of one testing center in Europe are being hampered by cybercriminal activity. Computer systems at the University Hospital Brno in the Czech Republic were shut down on Friday due to a cyberattack that struck in the wee hours of the day. This comes at a time when there are more than 140 confirmed infections in the country and around 4,800 people in quarantine. The government has declared a state of emergency and imposed stern restrictions on crossing the border.

Source: BleepingComputer / Help Net Security

Link: https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/

Link: https://www.helpnetsecurity.com/2020/03/18/healthcare-cybersecurity-coronavirus/


(Last) Week in Ransomware – March 13th 2020 – Stay Safe

This has been a slow week in terms of new variants, but we continue to see enterprise-targeting ransomware operators threatening to release data of non-paying victims. With the coronavirus on everyone’s minds, malware developers have turned to campaigns utilizing COVID-19 themed phishing scams or malware to take advantage of the panic and anxiety induced by the outbreak. Of particular interest are two ransomware infections called CoronaVirus Ransomware and CovidLock that use the outbreak as a theme for their infections.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-13th-2020-stay-safe/


Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing

A state-sponsored threat actor is attempting to deploy the Crimson Remote Administration Tool (RAT) onto the systems of targets via a spear-phishing campaign using coronavirus-themed document baits disguised as health advisories. This nation-backed cyber-espionage group is suspected to be Pakistan-based and is currently tracked under multiple names, including APT36, Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis. The group, active since at least 2016, is known for targeting Indian defense and government entities and for stealing sensitive information intended to bolster Pakistan’s diplomatic and military efforts.

Source: BleepingComputer / Threatpost / SecurityWeek

Link: https://www.bleepingcomputer.com/news/security/nation-backed-hackers-spread-crimson-rat-via-coronavirus-phishing/

Link: https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/

Link: https://www.securityweek.com/covid-19-themed-phishing-campaigns-continue


Trend Micro Patches Two Zero-Days Under Attack

Businesses are urged to update the Apex One and OfficeScan XG enterprise security products as soon as possible. Trend Micro has issued critical patches for several vulnerabilities in its Apex One and OfficeScan XG enterprise security products, and attackers have tried to exploit at least two of these flaws. CVE-2020-8467, one of the two zero-days, is a critical remote code execution vulnerability in a migration tool component of Apex One and OfficeScan that could allow remote attackers to execute arbitrary code on affected installations. The second zero-day, CVE-2020-8468, is a content validation escape flaw that could let an attacker manipulate certain agent client components. Both of these require valid user credentials for exploitation, Trend Micro reports.

Source: Dark Reading / Threatpost / SecurityWeek / Infosecurity Magazine / Trend Micro / Help Net Security

Link: https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338

Link: https://threatpost.com/trend-micro-fixes-critical-flaws-under-attack/153911/

Link: https://www.securityweek.com/trend-micro-patches-two-vulnerabilities-exploited-wild

Link: https://www.infosecurity-magazine.com/news/trend-micro-finds-and-fixes/

Link: https://success.trendmicro.com/solution/000245571

Link: https://www.helpnetsecurity.com/2020/03/18/trend-micro-zero-days-enterprise/


Working from Home: COVID-19’s Constellation of Security Challenges

Organizations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges. As the threat of the coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one. As organizations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have an inadequate or naive security posture as a result. Given the challenges in securing work- and learn-from-home environments, the expanded attack surface represents an attractive opportunity for threat actors.

Source: Threatpost

Link: https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/


The Insecurity of WordPress and Apache Struts

A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.

The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week by risk analysis firm RiskSense.

Source: Bruce Schneier (Schneier on Security) / RiskSense / ZDNet / Help Net Security

Link: https://www.schneier.com/blog/archives/2020/03/the_insecurity_.html

Link: https://www.zdnet.com/article/wordpress-and-apache-struts-account-for-55-of-all-weaponized-vulnerabilities/

Link: https://www.helpnetsecurity.com/2020/03/17/weaponized-vulnerabilities/


Secjuice Squeeze Volume 17

Welcome to the 17th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you every week. This week’s volume was compiled by Secjuice writers Mike Peterson and Miguel Calles.

Source: Secjuice

Link: https://www.secjuice.com/infosec-news-squeeze-vol-17/


5 tips for a cybersecure home office experience

If the coronavirus has you working from home for the next few weeks, don’t forget about cybersecurity best practices that can help defend against a cyberattack.

Source: ESET security blog

Link: https://www.eset.com/blog/business/5-tips-for-a-cybersecure-home-office-experience/


How CISOs Should Prepare for Coronavirus Related Cybersecurity Threats

The coronavirus is hitting the world’s economy hard, creating a high volume of uncertainty within organizations. Cybersecurity firm Cynet today revealed new data showing that the coronavirus now has a significant impact on information security and that the crisis is being actively exploited by threat actors.

Source: The Hacker News

Link: https://thehackernews.com/2020/03/coronavirus-cybersecurity-ciso.html