Table of Contents

  1. Zoom
    1. Ex-NSA hacker drops new zero-day doom for Zoom
    2. Zoom freezes feature development to fix security and privacy issues
    3. Zoom’s encryption has links to China, researchers discover
    4. DOJ Says Zoom-Bombing is Illegal, Could Lead to Jail Time
    5. Thousands of Zoom Video Calls Left Exposed on Open Web
    6. Zoom banned from SpaceX and New York City schools
  2. Leaks
    1. OGUsers - 263,189 breached accounts
    2. 42 million Iranian “Telegram” user IDs and phone numbers leaked online
    3. Malta voter list data breach
  3. Privacy
    1. Facebook wanted NSO spyware to monitor users, NSO CEO claims
    2. The EARN IT Act Violates the Constitution
    3. Twitter Reveals That Firefox Cached Private Data For Up to 7 Days
    4. Moscow To Launch New Surveillance App To Track Residents In Coronavirus Lockdown
  4. Politics
    1. Twitter deletes 20,000 fake accounts linked to Saudi, Serbian and Egyptian governments
    2. Bug Bounty Programs Are Being Used to Buy Silence
  5. Crime
    1. Coronavirus as a double-edged sword for cybercriminals: Desperation or opportunity?
    2. How I lost control of our bank accounts to a phone scammer
    3. A Hacker Has Wiped, Defaced More Than 15,000 Elasticsearch Servers
    4. Hacker Group Backdoors Thousands of Microsoft SQL Servers Daily
    5. Dark web hosting provider hacked again -- 7,600 sites down
  6. Phishing
    1. Latest Global COVID-19/Coronavirus Spearphishing Campaign Drops Infostealer
    2. Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways
    3. A curious phishing attempt
  7. Vulnerabilities
    1. Mozilla Patches Two Actively Exploited Firefox Zero-Days
    2. Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
    3. Apple Paid $75K For Bugs Letting Sites Hijack iPhone Cameras
    4. Use-After-Free Vulnerability in the VMware Workstation DHCP Component
    5. More Than 8,000 Unsecured Redis Instances Found in the Cloud
    6. Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks
  8. Malware
    1. Microsoft: Emotet Took Down a Network by Overheating All Computers
    2. GuLoader: Malspam Campaign Installing NetWire RAT
    3. New Coronavirus-Themed Malware Locks You Out of Windows
    4. AZORult brings friends to the party
    5. New Agent Tesla Variant Spreading by Phishing

Zoom

Ex-NSA hacker drops new zero-day doom for Zoom

A security researcher found two new bugs that can be used to take over a Zoom user's Mac, including tapping into the webcam and microphone. Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

Zoom freezes feature development to fix security and privacy issues

Zoom has been widely criticized over the past couple of weeks for terrible security, a poorly designed screensharing feature, misleading dark patterns, fake end-to-end-encryption claims and an incomplete privacy policy. Despite that, the video conferencing service has attracted a ton of new users thanks to the coronavirus lockdowns around the world --- the company reached 200 million daily active users last month. Zoom, an enterprise product designed for boring corporate meetings, has become a mainstream product with all the risks that it involves. That's why the company's CEO Eric S. Yuan has written a lengthy blog post to address some of the concerns around Zoom. Bruce Schneier has also written an article about privacy and security issues regarding Zoom.

Zoom’s encryption has links to China, researchers discover

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab --- widely followed in information security circles --- that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them. Hours after security researchers at Citizen Lab reported that some Zoom calls were routed through China, the video conferencing platform has offered an apology and a partial explanation.

DOJ Says Zoom-Bombing is Illegal, Could Lead to Jail Time

The Department of Justice and Offices of the United States Attorneys are warning that 'Zoom-bombing' is illegal and those who are involved can be charged with federal and state crimes. As more people are working from home or conducting distance learning due to the Coronavirus pandemic, the Zoom video conferencing software has become heavily utilized for remote meetings, online classrooms, exercise classes, and family and friend get-togethers. Since then, people have crashing, or Zoom-bombing, online meetings to record them as pranks to be shared on YouTube and TikTok or to spread hate, offensive images, and even threatening language. Zoom meeting IDs are also being traded and shared on Discord, Reddit, and hacker forums according to ZDNet where they are used to conduct Zoom-raids that hijack and disrupt an online meeting or class. Zoom has since decided to enable waiting rooms by default to stop Zoombombing. EFF has published an article on how to harden the Zoom settings to protect against some of the issues. Krebsonsecurity reports on zWarDial tool used to find valid meeting IDs that can be used by perpetators for Zoombombing.

Thousands of Zoom Video Calls Left Exposed on Open Web

Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing. From a report: Many of the videos appear to have been recorded through Zoom's software and saved onto separate online storage space without a password. But because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos that anyone can download and watch. Zoom videos are not recorded by default, though call hosts can choose to save them to Zoom servers or their own computers. There's no indication that live-streamed videos or videos saved onto Zoom's servers are publicly visible. But many participants in Zoom calls may be surprised to find their faces, voices and personal information exposed because a call host can record a large group call without participants' consent.

Zoom banned from SpaceX and New York City schools

Elon Musk's rocket company SpaceX has banned its employees from using video conferencing app Zoom, citing "significant privacy and security concerns," according to a memo seen by Reuters, days after U.S. law enforcement warned users about the security of the popular app. Also, the New York City's teachers will have to scramble once more, after Department of Education Chancellor Richard Carranza announced that he had decided to ban Zoom, citing security and privacy issues with the platform.

Leaks

OGUsers - 263,189 breached accounts

In April 2020, the account hijacking and SIM swapping forum OGUsers suffered their second data breach in less than a year. As with the previous breach, the exposed data included email and IP addresses, usernames, private messages and passwords stored as salted MD5 hashes. A total of 263k email addresses across user accounts and other tables were posted to a rival hacking forum.

42 million Iranian “Telegram” user IDs and phone numbers leaked online

42 million records from a third-party version of messaging app Telegram used in Iran was exposed on the web without any authentication required to access it. Comparitech worked with security researcher Bob Diachenko to uncover and report the exposure, which included usernames and phone numbers, among other data. The data was posted by a group called "Hunting system" on an Elasticsearch cluster that required no password nor any other authentication to access. It was removed after Diachenko reported the incident to the hosting provider on March 25.

Malta voter list data breach

A massive cache of data which was leaked online is understood to have originated from the Labour Party and shows the voting preferences of a majority of the population. The personal information on some 337,384 people includes names, addresses, ID card details, phone numbers and whether they are considered Labour or Nationalist voters.

Privacy

Facebook wanted NSO spyware to monitor users, NSO CEO claims

Facebook representatives approached controversial surveillance vendor NSO Group to try and buy a tool that could help Facebook better monitor a subset of its users, according to an extraordinary court filing from NSO in an ongoing lawsuit. Facebook is currently suing NSO for how the hacking firm leveraged a vulnerability in WhatsApp to help governments hack users. NSO sells a product called Pegasus, which allows operators to remotely infect cell phones and lift data from them. According to a declaration from NSO CEO Shalev Hulio, two Facebook representatives approached NSO in October 2017 and asked to purchase the right to use certain capabilities of Pegasus.

The EARN IT Act Violates the Constitution

Since senators introduced the EARN IT Act in early March, EFF has called attention to the many ways in which the bill would be a disaster for Internet users' free speech and security. The bill also violates the Constitution's protections for free speech and privacy. As Congress considers the EARN IT Act---which would require online platforms to comply with to-be-determined "best practices" in order to preserve certain protections from criminal and civil liability for user-generated content under Section 230 (47 U.S.C. § 230)---it's important to highlight the bill's First and Fourth Amendment problems.

Twitter Reveals That Firefox Cached Private Data For Up to 7 Days

Twitter disclosed an issue in the way the Mozilla Firefox web browser cached data that may have lead to private media shared in DMs and data downloads being inadvertently stored in the browser's cache. If you use Firefox for browsing Twitter's platform, media files you privately shared within direct messages or Twitter data archive downloads could have been stored within the browser's cache. This means that threat actors could have stolen your private data using malicious tools designed to go through Firefox's cache, while anyone could have got their hands on your personal information if you ever logged in on Twitter from a public computer.

Moscow To Launch New Surveillance App To Track Residents In Coronavirus Lockdown

City authorities in Moscow are rolling out new digital "social monitoring" tools targeting the public, after what officials say were constant violations of the city's quarantine imposed this week to fight the spread of the new coronavirus. Under restrictions in place since Monday, most of the city's 12 million residents must remain indoors, barring a few exceptions - like trips to the supermarket or pharmacy, taking out the trash or briefly walking the dog. But starting Thursday, Muscovites will have their movements tracked through a mandatory app required on their smartphones. Don't have one? The city says it will lend out devices.

Politics

Twitter deletes 20,000 fake accounts linked to Saudi, Serbian and Egyptian governments

Twitter has deleted 20,000 fake accounts linked to the governments of Serbia, Saudi Arabia, Egypt, Honduras and Indonesia, saying they violated company policy and were a "targeted attempt to undermine the public conversation".

Bug Bounty Programs Are Being Used to Buy Silence

CSOonline has published an investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers.

Crime

Coronavirus as a double-edged sword for cybercriminals: Desperation or opportunity?

The ongoing COVID-19 (aka coronavirus) pandemic is having a highly detrimental effect on most businesses and organizations, yet companies linked with antibacterials and cleaning products, for example, will likely experience record sales. In yet another example of the dark web mirroring real life, the situation is no different in the cybercriminal underground. Digital Shadows has observed threat actors operating on cybercriminal forums and marketplaces expressing their worries and a sense of desperation as to how the pandemic will affect their established business models. Some are urgently trying to adapt their offerings to survive in this vastly changed landscape. Other cybercriminals see an opportunity to profit from mass hysteria and panic or take advantage of the increased online exposure that virus-tackling measures have inadvertently caused.

How I lost control of our bank accounts to a phone scammer

Blog post by Rob Griffiths detailing how he was scammed by phone and has lost control of his bank account in a complex fraud attempt.

A Hacker Has Wiped, Defaced More Than 15,000 Elasticsearch Servers

For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.

Hacker Group Backdoors Thousands of Microsoft SQL Servers Daily

Hackers have been brute-forcing thousands of vulnerable Microsoft SQL (MSSQL) servers daily to install cryptominers and remote access Trojans (RATs) since May 2018 as researchers at Guardicore Labs discovered in December. This attack campaign is still actively infecting between 2,000 and 3,000 MSSQL servers on a daily basis and it was dubbed Vollgar because the cryptomining scripts it deploys on compromised MSSQL will mine for Monero (XMR) and Vollar (VDS) cryptocurrency.

Dark web hosting provider hacked again -- 7,600 sites down

Daniel's Hosting, the largest free web hosting provider for dark web services, has shut down after getting hacked for the second time in 16 months, ZDNet has learned. Almost 7,600 dark web portals have been taken offline following the hack, during which an attacker deleted the web hosting portal's entire database.

Phishing

Latest Global COVID-19/Coronavirus Spearphishing Campaign Drops Infostealer

FortiGuard Labs recently discovered a new COVID-19/Coronavirus-themed spearphishing email that uses the World Health Organization (WHO) trademark in an attempt to convince recipients of its authenticity. The email contains the subject line "Coronavirus disease (COVID-19) Important Communication[.]". It also includes an attachment entitled "COVID~19~- WORLD HEALTH ORGANIZATION CDC~DOC~.zip.arj" that appears to contain additional information, but which in fact is a decoy. The body of the email contains multiple points about infection control and other suggestions and recommendations, which is obviously a lure to further compel the recipient to continue reading. And in a twisted fashion, the messaging pretends to address misinformation related to COVID-19/Coronavirus.

Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways

A phishing campaign using Office 365 voicemail lures to trick them into visiting landing pages designed to steal their personal information or infect their computers with malware. The phishing emails delivered by the operators behind this series of attacks use the old trick of reversing some of the text elements in the source code and rendering forward within the email displayed to the target, with a twist: this time it involves using Cascading Style Sheets (CSS). Reversing text in an email's HTML code helps attackers bypass some automated text matching models used by Secure Email Gateways (SEG) use to differentiate between legitimate emails and phishing messages.

A curious phishing attempt

A customer of the Dutch bank bunq and a developer discovered a phishing attempt that only shows up in Bing ads when typed in 'bunq api' to the search bar.

Vulnerabilities

Mozilla Patches Two Actively Exploited Firefox Zero-Days

Mozilla released Firefox 74.0.1 and Firefox ESR 68.6.1 earlier to address two critical vulnerabilities actively abused in the wild that could lead to remote code execution on vulnerable machines. The two security flaws fixed today could potentially allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable Firefox versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert saying that "an attacker could exploit this vulnerability to take control of an affected system," and encouraging users to apply the security update.

Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet

Hoaxcalls, a new DDOS botnet, is actively exploiting two vulnerabilities which have wide exposure in environments around the world. These same vulnerabilities are also actively being exploited in additional attacks, according to other security research organizations. Unfortunately, they are also easily exploited and lead to remote code execution; as such we advise everyone to patch as soon as possible.

Apple Paid $75K For Bugs Letting Sites Hijack iPhone Cameras

Apple has paid a $75,000 bug bounty to a security researcher who chained together three different exploits that could have allowed malicious web sites to use your iPhone camera and microphone without permission.

Use-After-Free Vulnerability in the VMware Workstation DHCP Component

Ever since introducing the virtualization category at Pwn2Own in 2016, guest-to-host escapes have been a highlight of the contest. This year's event was no exception. Other guest-to-host escapes have also come through the ZDI program throughout the year. In fact, VMware released a patch for just such a bug less than a week prior to this year's competition. This blog post documents a vulnerability that affects the DHCP server component of VMware Workstation and could allow attackers to escalate privileges from a guest OS and execute code on the host OS.

More Than 8,000 Unsecured Redis Instances Found in the Cloud

Trendmicro discovered 8,000 Redis instances that are running unsecured in different parts of the world, even ones deployed in public clouds. These Redis instances have been found without Transport Layer Security (TLS) encryption and are not password protected. Redis, according to its developers, is originally intended to be used only in trusted environments. However, when left unsecured and allowed to be internet-facing or integrated into internet of things (IoT) devices, cybercriminals can find and abuse Redis servers to launch attacks such as SQL injections, cross-site scripting, malicious file uploads, and even remote code execution, among others. Threat actors can also view, access, and modify stored data in exposed Redis instances.

Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks

Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network. As part of their tracking of various groups behind human-operated ransomware attacks, Microsoft has seen one of the operations known as REvil (Sodinokibi) targeting vulnerabilities in VPN devices and gateway appliances to breach a network. Pulse VPN devices have been known to be targeted by threat actors, with this vulnerability thought to be behind the Travelex ransomware attack by REvil.

Malware

Microsoft: Emotet Took Down a Network by Overheating All Computers

Microsoft says that an Emotet infection was able to take down an organization's entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked to open a phishing email attachment. "After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization's core services," DART said.

GuLoader: Malspam Campaign Installing NetWire RAT

This blog reviews a recent distribution chain in March 2020 using Microsoft Word documents to distribute NetWire through GuLoader. We review the infection chain of events, examine the associated network traffic, and cover post-infection artifacts from an infected Windows host. This material is primarily helpful to Security Operations Center (SOC) personnel like front-line analysts and people who perform forensic investigations.

New Coronavirus-Themed Malware Locks You Out of Windows

With school closed due to the Coronavirus pandemic, some kids are creating malware to keep themselves occupied. Such is the case with a variety of new MBRLocker variants being released, including one with a Coronavirus theme. MBRLockers are programs that replace the 'master boot record' of a computer so that it prevents the operating system from starting and displays a ransom note or other message instead. Last week, MalwareHunterTeam discovered the installer for a new malware with the name of "Coronavirus" being distributed as the COVID-19.exe file.

AZORult brings friends to the party

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There's also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.

New Agent Tesla Variant Spreading by Phishing

FortiGuard Labs captured a phishing email with an attachment that is being used to spread a new version of Agent Tesla. The analysis documents how this variant spreads in the victim's system, what data it steals from the victim's device, as well as how it submits that stolen data back to its command and control server.