Table of Contents

  1. Zoom
    1. India says Zoom 'not a safe platform' for video conferencing
    2. Zoom to let you report Zoom-bombing attackers crashing meetings
  2. Malware
    1. Fake Valorant beta key generators are stealing gamers' passwords
    2. Hackers steal WiFi passwords using upgraded Agent Tesla malware
    3. PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors
  3. Breaches
    1. Security lapse exposed Clearview AI source code
    2. Wappalyzer reveals data breach after hacker disclosed incident to customers
  4. Phishing
    1. Gmail blocked 18M COVID-19-themed phishing emails in a week
    2. Sipping from the Coronavirus Domain Firehose
    3. Slack phishing attacks using webhooks
  5. Vulnerabilities
    1. Auth0 JWT Auth Bypass: Case-Sensitive Blacklisting Is Harmful
    2. CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification
  6. Privacy
    1. California Needlessly Reduces Privacy During COVID-19 Pandemic
  7. Scams
    1. Romance Scams and Business Email Compromise in the Time of Coronavirus
  8. Misc
    1. Pastebin Made It Harder To Scrape Its Site And Researchers Are Pissed Off

Zoom

India says Zoom 'not a safe platform' for video conferencing

India said on Thursday videoconferencing software Zoom is "not a safe platform", joining other countries that have expressed concern about the security of an application that has become hugely popular worldwide during the coronavirus lockdown.

Zoom to let you report Zoom-bombing attackers crashing meetings

Zoom's efforts to improve the video conferencing platform's privacy and security will continue next week with the introduction of a user report feature aimed at helping prevent future zoom-bombing attacks. The highlight of next week's incoming improvements is the addition of a new 'Report a User' feature to Zoom's video conferencing platform, accessible via the newly introduced Security icon added to the lower toolbar.

Malware

Fake Valorant beta key generators are stealing gamers' passwords

With Riot Games' eagerly anticipated tactical FPS Valorant reaching closed beta, gamers around the world have been scrambling to get an invite so that they can start playing before it's released. As always, when something becomes popular or newsworthy, threat actors try to capitalize on it. Soon after Valorant entered closed beta on April 7th, malware samples began appearing that target users who are trying to play the game or get beta keys. Most of the malware BleepingComputer has seen being installed is information-stealing trojans that steal a victim's browser history, saved browser logins and passwords, SSH keys, and FTP accounts.

Hackers steal WiFi passwords using upgraded Agent Tesla malware

Some new variants of the Agent Tesla info-stealer malware now come with a dedicated module for stealing WiFi passwords from infected devices, credentials that might be used in future attacks to spread to and compromise other systems on the same wireless network. The new samples are heavily obfuscated and are designed by the malware's author to collect wireless profile credentials from compromised computers by issuing a netsh command with a wlan show profile argument to list all available WiFi profiles. To get the WiFi passwords for the discovered SSIDs, the info-stealer then issues a further netsh command for each profile, adding the SSID and a key=clear argument so that the password is shown and extracted in plain text, as Malwarebytes' Threat Intelligence team found.
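As an added defensive example (not code from the article or from Malwarebytes), the following flags process-creation records in which netsh enumerates WiFi profiles and then dumps keys with key=clear, and correlates the two stages per host. The log records are constructed Sysmon-style fields, and the matcher assumes netsh's usual acceptance of unambiguous keyword prefixes.

```python
import re
from datetime import datetime

# Constructed Sysmon-style process-creation records (not real telemetry):
# one benign netsh use, then the enumerate-then-dump sequence from the article.
SAMPLE_EVENTS = [
    {"ts": "2020-04-17T10:01:02", "host": "WS01", "user": "alice",
     "cmdline": "netsh interface ip show config"},
    {"ts": "2020-04-17T10:05:11", "host": "WS01", "user": "alice",
     "cmdline": "netsh wlan show profile"},
    {"ts": "2020-04-17T10:05:12", "host": "WS01", "user": "alice",
     "cmdline": 'NETSH WLAN SHOW PROFILE name="Corp-WiFi" KEY=CLEAR'},
]

KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)

def _basename(path):
    # Handle a full or quoted image path such as "C:\Windows\System32\netsh.exe".
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify_netsh(cmdline):
    """Return 'wifi_key_dump' for netsh wlan show profile ... key=clear,
    'wifi_profile_enum' for the enumeration step without key=clear, else None.
    netsh accepts unambiguous keyword prefixes (wl, sh, pro), so prefixes match."""
    tokens = [t.strip('"').lower() for t in cmdline.split() if t.strip('"')]
    if len(tokens) < 4 or _basename(tokens[0]) not in ("netsh", "netsh.exe"):
        return None
    ctx, verb, obj = tokens[1:4]
    if not ("wlan".startswith(ctx) and "show".startswith(verb)
            and "profiles".startswith(obj)):
        return None
    return "wifi_key_dump" if KEY_CLEAR.search(cmdline) else "wifi_profile_enum"

def find_wifi_credential_dumps(events, window_s=60):
    """Alert on every key=clear dump and note whether the same host ran the
    profile enumeration step within window_s seconds beforehand."""
    alerts, last_enum = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify_netsh(ev["cmdline"])
        ts = datetime.fromisoformat(ev["ts"])
        if kind == "wifi_profile_enum":
            last_enum[ev["host"]] = ts
        elif kind == "wifi_key_dump":
            prior = last_enum.get(ev["host"])
            staged = prior is not None and (ts - prior).total_seconds() <= window_s
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                           "cmdline": ev["cmdline"], "preceded_by_enum": staged})
    return alerts
```

Legitimate administrators also run netsh wlan show profile, so the enumeration step alone is low signal; the key=clear dump, especially when preceded by enumeration on the same host, is what merits an alert.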

PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors

Cisco Talos has discovered a new malware campaign based on a previously unknown family they're calling "PoetRAT." At this time, they do not believe this attack is associated with an already known threat actor. Research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, so they believe the adversaries in this case want to target citizens of Azerbaijan, including private companies in the SCADA sector such as wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). The RAT has all the standard features of this kind of malware, giving the operators full control of the compromised system. For exfiltration, it uses FTP, which suggests an intention to transfer large amounts of data.

Breaches

Security lapse exposed Clearview AI source code

The controversial facial recognition startup allows its law enforcement users to take a picture of a person, upload it and match it against its alleged database of 3 billion images, which the company scraped from public social media profiles. But for a time, a misconfigured server exposed the company's internal files, apps and source code for anyone on the internet to find. Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview's source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

Wappalyzer reveals data breach after hacker disclosed incident to customers

Wappalyzer, a company that specializes in software that uncovers technologies used on websites by detecting ecommerce platforms, web frameworks, server software and analytics tools, reported a security breach earlier this week after a cyber-thief sent emails to users. It appears that the company became aware of the incident in January 2020, but it chose not to disclose it. Shortly after Wappalyzer customers received an email from the bad actor responsible for the breach, the company confirmed the incident to its clients in an email notification.

Phishing

Gmail blocked 18M COVID-19-themed phishing emails in a week

Google says that the malware scanners built into the free Gmail email service blocked around 18 million phishing and malware emails using COVID-19 lures within the last week. "Every day, Gmail blocks more than 100 million phishing emails," Gmail Security PM Neil Kumaran and G Suite & GCP Lead Security PM Sam Lugani explain. "During the last week, we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages."

Sipping from the Coronavirus Domain Firehose

Security experts are poring over thousands of new Coronavirus-themed domain names registered each day, but this often manual effort struggles to keep pace with the flood of domains invoking the virus to promote malware and phishing sites, as well as non-existent healthcare products and charities. As a result, domain name registrars are under increasing pressure to do more to combat scams and misinformation during the COVID-19 pandemic. By most measures, the volume of new domain registrations that include the words "Coronavirus" or "Covid" has closely tracked the spread of the deadly virus. The Cyber Threat Coalition (CTC), a group of several thousand security experts volunteering their time to fight COVID-related criminal activity online, recently published data showing the rapid rise in new domains began in the last week of February, around the same time the Centers for Disease Control began publicly warning that a severe global pandemic was probably inevitable.

Slack phishing attacks using webhooks

Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body, and a destination channel, you can send a message to any webhook that you know the URL for in any workspace, regardless of membership. AT&T security has written a post on how Slack Webhooks can be abused for "phishing attacks".

Vulnerabilities

Auth0 JWT Auth Bypass: Case-Sensitive Blacklisting Is Harmful

Insomniasec discovered an authentication bypass vulnerability in Auth0's Authentication API. The following outlines how the vulnerability was found and led to an advisory.

CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification

This blog post explains the technical details of an exploit using the Linux eBPF feature to achieve local privilege escalation. This bug has been assigned CVE-2020-8835 and was patched on March 30, 2020.

Privacy

California Needlessly Reduces Privacy During COVID-19 Pandemic

On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth mediums.

Scams

Romance Scams and Business Email Compromise in the Time of Coronavirus

Law enforcement agencies around the world are reporting a surge in romance scams as fraudsters seek to cash in on the profound loneliness many people are feeling due to social distancing amid the coronavirus pandemic. Those who fall prey could face financial ruin or get conned into criminal acts. But banks and other businesses could lose millions in the process. According to data from the Federal Trade Commission, consumers in the US alone lost $201 million to romance scams in 2019. That's a 40% increase from the previous year. It's also six times higher than the $33 million lost to such crimes in 2015. Factor in the volatile mix of stress, economic anxiety, and social isolation so many are experiencing thanks to the COVID-19 outbreak, and those figures may be about to hit the stratosphere. If they do, it'll also be just the start of it.

Misc

Pastebin Made It Harder To Scrape Its Site And Researchers Are Pissed Off

The most famous paste site, used by hackers of all stripes to host lists of stolen passwords, announcements of data breaches, and malware has made it harder for security researchers to scrape it looking for that kind of information. And security researchers are pissed off. Pastebin is one of the most famous websites that allows anyone, even without being registered, to "paste" any kind of text and make it public. Over the years, it became a repository for all kinds of unsavory data, such as the personal details of people who got doxed by hackers, leaked passwords, hacker manifestos, and even malware payloads. Naturally, this meant it was a treasure trove for security researchers investigating data breaches or hunting hackers.