Beyond Information Security

Unpatched Zoom App Bug Lets Hackers Steal Your Windows Password

Zoom has been around for nine years, but the sudden need for an easy-to-use video conferencing app during the coronavirus pandemic made it an overnight favorite for millions of people. Though Zoom is an efficient online video meeting solution, it is still not the best choice in terms of privacy and security. According to the latest finding by cybersecurity expert @_g0dmode, which was also confirmed by researchers Matthew Hickey and Mohamed A. Baset, the Zoom client for Windows is vulnerable to a 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems.

Source: The hacker news / Bleeping computer / Threatpost / BBC / Twitter #hackerfantastic

Link: https://thehackernews.com/2020/04/zoom-windows-password.html

Link: https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-via-unc-links/

Link: https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/

Link: https://www.bbc.com/news/technology-52126534

Link: https://www.bbc.com/news/business-52115434

Link: https://twitter.com/hackerfantastic/status/1245133371262619654


COVID-19: Hackers Begin Exploiting Zoom’s Overnight Success to Spread Malware

As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of the coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware onto their devices. According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone.

Source: The hacker news / Dark reading / Threatpost / Securityweek / Checkpoint blog

Link: https://thehackernews.com/2020/03/zoom-video-coronavirus.html

Link: https://www.darkreading.com/vulnerabilities---threats/researchers-spot-sharp-increase-in-zoom-themed-domain-registrations/d/d-id/1337443

Link: https://threatpost.com/zoom-scrutinized-as-security-woes-mount/154305/

Link: https://www.securityweek.com/trojanized-zoom-apps-target-work-home-android-users

Link: https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/


WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers

Cybersecurity researchers today uncovered a sustained malicious campaign dating back to May 2018 that targets Windows machines running MS-SQL servers to deploy backdoors and other kinds of malware, including multi-functional remote access tools (RATs) and cryptominers. Named "Vollgar" after the Vollar cryptocurrency it mines and its offensive "vulgar" modus operandi, the campaign, according to researchers at Guardicore Labs, employs password brute-forcing to breach Microsoft SQL servers with weak credentials exposed to the Internet.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2020/04/backdoor-.html

Link: https://www.bleepingcomputer.com/news/security/hacker-group-backdoors-thousands-of-microsoft-sql-servers-daily/


Marriott Suffers Second Breach Exposing Data of 5.2 Million Hotel Guests

International hotel chain Marriott today disclosed a data breach impacting nearly 5.2 million hotel guests, making it the second security incident to hit the company in recent years.

"At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," Marriott said in a statement.

"We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."

Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Securityweek / Infosecurity magazine / Helpnet security

Link: https://thehackernews.com/2020/03/marriott-data-breach.html

Link: https://www.bleepingcomputer.com/news/security/marriott-reports-data-breach-affecting-up-to-52-million-guests/

Link: https://www.darkreading.com/attacks-breaches/data-from-52m-marriott-loyalty-program-members-hit-by-breach/d/d-id/1337453

Link: https://threatpost.com/millions-guests-marriott-data-breach-again/154300/

Link: https://www.securityweek.com/new-marriott-data-breach-impacts-52-million-guests

Link: https://www.infosecurity-magazine.com/news/new-marriott-data-breach-affects/

Link: https://www.helpnetsecurity.com/2020/04/01/marriott-data-breach-2020/


Hackers Exploit Zero-Day Bugs in Draytek Devices to Target Enterprise Networks

Cybersecurity researchers with Qihoo 360’s NetLab today unveiled details of two recently spotted zero-day cyberattack campaigns in the wild targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek.

According to the report, at least two separate groups of hackers exploited two critical remote command injection vulnerabilities (CVE-2020-8515) affecting DrayTek Vigor enterprise switches, load-balancers, routers and VPN gateway devices to eavesdrop on network traffic and install backdoors.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2020/03/draytek-network-hacking.html

Link: https://www.securityweek.com/vulnerabilities-draytek-enterprise-routers-exploited-attacks


How to Secure Your Zoom Meetings from Zoom-Bombing Attacks

Since countries have begun enforcing shelter-in-place and stay-at-home orders during the coronavirus pandemic, the Zoom video conferencing software has become a popular way to keep in touch with friends and family, and even to join online fitness classes. However, with Zoom's rise in popularity, a type of attack called 'Zoom-bombing' has also seen more and more activity. Zoom-bombing is when someone gains unauthorized access to a Zoom meeting to harass the meeting participants in various ways, to spread hate and divisiveness, or to record pranks that will later be shown on social media.

Source: The hacker news / Bleeping computer / Threatpost / Trendmicro / FBI Boston

Link: https://www.bleepingcomputer.com/news/software/how-to-secure-your-zoom-meetings-from-zoom-bombing-attacks/

Link: https://www.bleepingcomputer.com/news/security/fbi-warns-of-ongoing-zoom-bombing-attacks-on-video-meetings/

Link: https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-growing-nuisance/154187/

Link: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-domains-and-files-related-to-zoom-increase-zoom-bombing-on-the-rise

Link: https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic


Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers

An unpatched bug in the latest version of Apple's iOS is preventing virtual private network (VPN) applications from cloaking some private data transmitted between a device and the servers it is requesting data from. While the bug remains unpatched, Apple is suggesting steps users can take to reduce risk, researchers state. The bug, outlined in a report by ProtonVPN, impacts Apple's most recent iOS 13.4. The flaw is tied to the way VPN software loads on iOS devices. After launch, VPN software is supposed to terminate all existing internet connections and reestablish them as encrypted and protected. Researchers said the VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device's IP address, exposing it for a limited window of time.

Source: Threatpost / Proton blog / Securityweek

Link: https://threatpost.com/apple-unpatched-vpn-bypass-bug-impacts-ios-13-warn-researchers/154232/

Link: https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/

Link: https://www.securityweek.com/no-patch-vpn-bypass-flaw-discovered-ios


Threat Spotlight – Trickbot: A primer

Trickbot remains one of the most sophisticated banking trojans in the landscape while constantly evolving. Highly modular, Trickbot can adapt to different environments with the help of its various modules. The group behind Trickbot has expanded their activities beyond credential theft into leasing malware to APT groups.

Source: TALOS intelligence blog

Link: https://blog.talosintelligence.com/2020/03/trickbot-primer.html#more


Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites

Online threats have risen by as much as six times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks, according to Cloudflare.

The web security and content delivery vendor analyzed UK traffic figures for the past four weeks compared to the previous month and noted a sharp uptick in malicious activity.

It revealed that hacking and phishing attempts were up 37% month-on-month, while on some days the firm was blocking between four and six times the number of attacks it would usually see.

Source: Infosecurity magazine

Link: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/


LinkedIn OSINT Techniques: Part I

LinkedIn remains the go-to social media platform for job hunters and recruiters alike. Due to the nature of the platform and the high value of potentially landing a new gig, most users found on the website are providing, intentionally or not, real and attributable information about themselves. Investigators therefore have a wealth of information that is often verifiable with little difficulty. Users walk a fine line between giving out too little information and giving out too much, which may be detrimental to their online and physical safety and privacy.

Source: Secjuice

Link: https://www.secjuice.com/linkedin-osint-part-1/

Link: https://www.secjuice.com/linkedin-username-osint-tool/


Trends in Internet Exposure

More companies are going remote due to COVID-19 and as a result there’s been a lot of speculation around how this impacts the exposure of companies and the Internet as a whole (in terms of publicly-accessible services). I was actually already working on creating trends for various services due to a presentation I gave late last year so let me share with you some updated charts on how the Internet has evolved over the past few years (up to March 29, 2020).

Source: SHODAN blog

Link: https://blog.shodan.io/trends-in-internet-exposure/


FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS

Hackers from the FIN7 cybercriminal group have been targeting various businesses with malicious USB devices that act as a keyboard when plugged into a computer. The injected commands download and execute a JavaScript backdoor associated with this actor. In a FLASH alert on Thursday, the FBI warned organizations and security professionals about this tactic adopted by FIN7 to deliver GRIFFON malware.

Source: Bleeping computer / Trustwave blog

Link: https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/

Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/


Kwampirs threat actor continues to breach transnational healthcare orgs

The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned. "Targeted entities range from major transnational healthcare companies to local hospital organizations," the Bureau noted. "The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals."

Source: Helpnet security / SANS internet storm center

Link: https://www.helpnetsecurity.com/2020/03/31/kwampirs/

Link: https://isc.sans.edu/forums/diary/Kwampirs+Targeted+Attacks+Involving+Healthcare+Sector/25968/