Table of Contents

  1. APT
    1. North Korean hackers infect real 2FA app to compromise Macs
    2. The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
    3. Targeted Attack on Indian Government and Financial Institutions Using the JsOutProx RAT
  2. Breaches
    1. ‘Our data is secure’: Bukalapak denies reports of user data breach
    2. Hacker group floods dark web with data stolen from 11 companies
    3. Hackers' private chats leaked in stolen WeLeakData database
    4. Archer supercomputer is down due to a security exploitation
    5. HEPACO, LLC Provides Notice Of Data Privacy Incident
    6. Latest Nova Scotia privacy breach reveals names, medical conditions, sexual abuse details
  3. Malware
    1. Microsoft and Intel project converts malware into images before analyzing it
    2. Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
    3. US govt exposes new North Korean malware, phishing attacks
    4. Researcher finds 1,236 websites infected with credit card stealers
    5. Zeus Sphinx Back in Business: Some Core Modifications Arise
    6. New Ramsay malware can steal sensitive documents from air-gapped networks
  4. Vulnerabilities
    1. When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security
    2. WordPress plugin Page Builder by SiteOrigin patched against code execution attacks
    3. Ubuntu installer logs LUKS password in cleartext
    4. May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical
    5. DHS CISA and FBI share list of top 10 most exploited vulnerabilities
  5. Ransomware
    1. Healthcare giant Magellan Health hit by ransomware attack
    2. Texas courts slammed by ransomware attack
    3. Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months
    4. Ransomware Hit ATM Giant Diebold Nixdorf
  6. Phishing
    1. YouTube Account Recovery Phishing
  7. Scams
    1. RevenueWire to pay $6.7 million to settle FTC charges
    2. Las Vegas woman charged with operating identity theft lab
  8. Crime
    1. Iran reports failed cyber-attack on Strait of Hormuz port
    2. Gautrain IT technician illegally installed spyware
  9. Privacy
    1. U.S. FTC indicates it is looking at Zoom privacy woes
  10. Misc
    1. The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet
    2. Google removed 813 creepware apps from the Android Play Store
    3. Towards a Layperson's Security
    4. NSO Group Pitched Phone Hacking Tech to American Police

APT

North Korean hackers infect real 2FA app to compromise Macs

Hackers have hidden malware in a legitimate two-factor authentication (2FA) app for macOS to distribute Dacls, a remote access Trojan associated with the North Korean Lazarus group. Dacls has been used to target Windows and Linux platforms, and the recently discovered macOS variant of the RAT borrows much of their functionality and code. The threat actor planted the malware in the freely available MinaOTP application, which is popular among Chinese users. A sample of the weaponized version, named TinkaOTP, was uploaded from Hong Kong last month to the VirusTotal scanning service.

The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration

SentinelOne has written an article detailing malicious activity they discovered at one of their clients. The APT actor entered the company through its Citrix server using stolen credentials and moved laterally by running a CobaltStrike Beacon stager.

Targeted Attack on Indian Government and Financial Institutions Using the JsOutProx RAT

In April 2020, ThreatLabZ observed several instances of targeted attacks on Indian government establishments and the banking sector. Emails were sent to organisations, such as the Reserve Bank of India (RBI), IDBI Bank, the Department of Refinance (DOR) within the National Bank for Agriculture and Rural Development (NABARD) in India with archive file attachments containing JavaScript and Java-based backdoors. Further analysis of the JavaScript-based backdoor correlated it to the JsOutProx RAT, which was used for the first time by a threat actor in December 2019 as mentioned by Yoroi. The Java-based RAT provided functionalities similar to the JavaScript-based backdoor in this attack. This blog article describes in detail the email attack vector of this targeted campaign, the technical analysis of the discovered backdoors, and our conclusions on this attack.

Breaches

‘Our data is secure’: Bukalapak denies reports of user data breach

Homegrown e-commerce platform Bukalapak has denied reports that the data of millions of its users was compromised and sold on the dark web. This came only days after e-commerce unicorn Tokopedia was reported to have suffered an internal system breach. The personal data of around 13 million Bukalapak users, including usernames, email addresses and encrypted passwords, is being sold for an undisclosed price on the data-exchange platform RaidForum. "After an internal investigation, we found that the reports currently circulating were sourced from a data breach attempt last year. There have been no new incidents," Bukalapak corporate communication head Intan Wibisono told The Jakarta Post on Wednesday.

Hacker group floods dark web with data stolen from 11 companies

A hacking group has started to flood a dark web hacking marketplace with databases containing a combined total of 73.2 million user records across 11 different companies. For the past week, a hacking group known as Shiny Hunters has been busy selling a steady stream of user databases from alleged data breaches. It started last weekend with Tokopedia, Indonesia's largest online store, where a database of over 90 million user records was being sold. Soon after, Shiny Hunters began selling a database of 22 million user records for Unacademy, one of India's largest online learning platforms. After being contacted by BleepingComputer, the company released a statement confirming that it had been breached. On Wednesday, Shiny Hunters continued their rampage by claiming to have hacked into Microsoft's GitHub account earlier this year and leaking files from the company's private source code repositories.

Hackers' private chats leaked in stolen WeLeakData database

Ironically, the database for the defunct hacker forum and data breach marketplace called WeLeakData.com is being sold on the dark web and exposes the private conversations of hackers who used the site. WeLeakData.com was a hacker forum and marketplace that primarily focused on discussing, trading, and selling databases that were stolen during data breaches and combolists that are used in credential stuffing attacks.

Archer supercomputer is down due to a security exploitation

A major issue is affecting the academic community, as several computers have been compromised in the UK and elsewhere in Europe. The ARCHER team has been working with the National Cyber Security Centre (NCSC) and Cray/HPE in order to better understand the situation and plan effective remedies. Unfortunately, due to the severity of the situation, the ARCHER Service will not be returned before Friday 15th May.

HEPACO, LLC Provides Notice Of Data Privacy Incident

On August 20, 2019, HEPACO became aware of suspicious activity relating to certain employee email accounts. HEPACO immediately launched an investigation, with the aid of forensic experts, to determine the nature and scope of the activity. The investigation determined that an unauthorized actor accessed certain employee email accounts between August 8, 2019 and October 24, 2019. HEPACO undertook a lengthy and labor-intensive process to identify the personal information contained in the affected email accounts, and then reviewed its internal records to locate the appropriate mailing addresses for the impacted individuals. HEPACO is providing notice to the individuals whose information was present in the affected email accounts at the time of the incident and may have been viewed by the unauthorized actor.

Latest Nova Scotia privacy breach reveals names, medical conditions, sexual abuse details

The Nova Scotia government is saying very little about another privacy breach, this one involving an unknown number of Workers' Compensation Board appeal decisions that include the names of workers and some intimate personal information about them. The government removed the documents after being informed by CBC that the decisions were unredacted and contained workers' names and their personal information, as well as the names of their employers. "It's terrible to hear. I was shocked more than anything," said one of the workers whose long-forgotten 2009 Workers Compensation Appeals Tribunal (WCAT) decision was posted with his name as well as personal information about his health, medications and family.

Malware

Microsoft and Intel project converts malware into images before analyzing it

Microsoft and Intel have recently collaborated on a new research project that explored a new approach to detecting and classifying malware. Called STAMINA (STAtic Malware-as-Image Network Analysis), the project relies on a technique that converts malware samples into grayscale images and then scans the image for textural and structural patterns specific to malware samples. The Intel-Microsoft research team said the entire process followed a few simple steps. The first consisted of taking an input file and converting its binary form into a stream of raw pixel data, one byte per pixel. Researchers then took this one-dimensional (1D) pixel stream and converted it into a 2D image so that normal image analysis algorithms could analyze it.
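The two conversion steps described above, as an added example that is not STAMINA's own code: each byte becomes one grayscale pixel, the 1D stream is cut into rows of a fixed width (the file-size based width table here is an assumption, not the project's), and the result is serialized as a PGM so an ordinary image tool can open it.

```python
"""Turn a binary into a 2D grayscale image, the way STAMINA's first steps do.

Added example, not STAMINA's code. The width table in pick_width() is an
assumption chosen here so small files do not become one long thin strip.
"""
from typing import List, Optional

Image = List[List[int]]  # rows of pixel values 0..255


def pick_width(size: int) -> int:
    """Pick an image width from the file size (assumed heuristic)."""
    if size < 10 * 1024:
        return 32
    if size < 30 * 1024:
        return 64
    if size < 60 * 1024:
        return 128
    if size < 200 * 1024:
        return 256
    return 512


def bytes_to_pixels(data: bytes) -> List[int]:
    """Step 1: the raw binary becomes a 1D stream of grayscale pixels.

    One byte maps to one pixel, so 0x00 is black and 0xFF is white.
    """
    return list(data)


def pixels_to_image(pixels: List[int], width: Optional[int] = None) -> Image:
    """Step 2: reshape the 1D stream into a 2D image of the given width.

    The last row is zero-padded so every row has the same length.
    """
    if not pixels:
        return []
    w = width or pick_width(len(pixels))
    rows: Image = []
    for start in range(0, len(pixels), w):
        row = pixels[start:start + w]
        if len(row) < w:
            row = row + [0] * (w - len(row))
        rows.append(row)
    return rows


def binary_to_image(data: bytes, width: Optional[int] = None) -> Image:
    """Full pipeline: bytes -> 1D pixel stream -> 2D image."""
    return pixels_to_image(bytes_to_pixels(data), width)


def image_to_pgm(img: Image) -> bytes:
    """Serialize the image as binary PGM (P5), readable by common viewers."""
    height = len(img)
    width = len(img[0]) if height else 0
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(value for row in img for value in row)


# Constructed sample input (not a real binary): a DOS "MZ" stub followed by
# two full 0..255 ramps and a run of zero bytes, 536 bytes in total.
SAMPLE = b"MZ\x90\x00" + bytes(range(256)) * 2 + b"\x00" * 20

if __name__ == "__main__":
    image = binary_to_image(SAMPLE, width=32)
    print(f"{len(image)} rows x {len(image[0])} cols")
    with open("sample.pgm", "wb") as handle:
        handle.write(image_to_pgm(image))
```

Running the block writes `sample.pgm`, in which the ramps show up as repeated gradient bands and the zero tail as a black strip, which is the kind of structural pattern a classifier trained on such images keys on.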

Updated BackConfig Malware Targeting Government and Military Organizations in South Asia

Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia. The BackConfig custom Trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads.

US govt exposes new North Korean malware, phishing attacks

The US government released information on three new malware variants used in malicious cyber activity campaigns by a North Korean government-backed hacker group tracked as HIDDEN COBRA. The new malware is being used "for phishing and remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions" according to the information published by Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD). U.S. Cyber Command has also uploaded five samples of the newly discovered malware variants onto the VirusTotal malware aggregation repository.

Researcher finds 1,236 websites infected with credit card stealers

A security researcher collected, in the span of a few weeks, over 1,000 domains infected with payment card skimmers, showing that Magecart continues to be a prevalent threat that preys on insecure web shops. Magecart was first spotted over a decade ago by cybersecurity company RiskIQ, but attacks have grown rampant over the past two years, when big-name companies were hit: British Airways, Ticketmaster, OXO, Newegg. Since then, automated systems tuned specifically to detect this type of threat have found hundreds of thousands of websites whose checkout pages carried malicious JavaScript designed to steal card data from shoppers.

Zeus Sphinx Back in Business: Some Core Modifications Arise

The Zeus Sphinx banking Trojan is financial malware that was built upon the existing and leaked codebase of the forefather of many other Trojans in this class: Zeus v2.0.8.9. Over the years, Sphinx has been in different hands, initially offered as a commodity in underground forums and then suspected to be operated by various closed gangs. After a lengthy hiatus, this malware began stepping up attack campaigns starting in late 2019 and increased its spreading power in the first quarter of 2020 via malspam featuring coronavirus relief payment updates. With Sphinx back in the financial cybercrime arena, IBM X-Force wrote the following technical analysis of the Sphinx Trojan's current version, which was first released into the wild in late 2019.

New Ramsay malware can steal sensitive documents from air-gapped networks

Researchers from cybersecurity firm ESET announced that they discovered a never-before-seen malware framework with advanced capabilities that are rarely seen today. Named Ramsay, ESET says this malware toolkit appears to have been designed to infect air-gapped computers, collect Word and other sensitive documents in a hidden storage container, and then wait for a possible exfiltration opportunity. The Ramsay discovery is an important one because we rarely see malware that contains the capability to jump the air gap, considered the strictest and most effective security protection measure that companies can take to safeguard sensitive data.

Vulnerabilities

When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep. Thunderspy is stealthy, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and even if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

WordPress plugin Page Builder by SiteOrigin patched against code execution attacks

The Wordfence Threat Intelligence team discovered the bugs on May 4. Both of the vulnerabilities in the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator's browser," according to the researchers, although an admin did need to click a malicious link or attachment to trigger the attack chain. The issues have yet to be assigned CVE numbers. However, both are deemed critical. The first vulnerability, a cross-site request forgery (CSRF) to reflected cross-site scripting (XSS) vulnerability, was found in the plugin's live editor feature. The live editor is used to create and update post content, as well as drag and drop widgets. Changes made to content are sent via a POST parameter and checks in metadata functions are performed to make sure users have permission to edit posts. However, there were no nonce protections in place. As a result, some widgets including "Custom HTML" could be used to inject malicious JavaScript into a rendered live page. If a crafted live preview page containing this compromised widget was accessed by an administrator, this led to the CSRF / reflected XSS flaw.

Ubuntu installer logs LUKS password in cleartext

A bug was fixed in the Ubuntu installer that logged the encryption password used for full disk encryption in cleartext in the system logs.

May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical

With the release of the May 2020 Patch Tuesday security updates, Microsoft has released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low. This month there are no zero-day or unpatched vulnerabilities. Users should install these security updates as soon as possible to protect Windows from known security risks. For years, Microsoft Defender has been able to detect and remove PUAs, but only after the feature was manually enabled via PowerShell or through Group Policies. With the May 2020 Update, Microsoft is finally making it easy to detect potentially unwanted programs and tightly integrating it into the operating system.

DHS CISA and FBI share list of top 10 most exploited vulnerabilities

Two US cyber-security agencies published a list of the top 10 most commonly exploited software vulnerabilities across the last four years, between 2016 and 2019. The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Federal Bureau of Investigation (FBI), urges organizations in the public and private sector to apply necessary updates in order to prevent the most common forms of attacks encountered today.

Ransomware

Healthcare giant Magellan Health hit by ransomware attack

Fortune 500 company Magellan Health Inc announced that it was the victim of a ransomware attack on April 11, 2020, which led to the theft of personal information from one of its corporate servers. Magellan Health is a for-profit managed health care and insurance firm that ranks 417 on the Fortune 500 list of the largest US corporations by total revenue. Magellan's customers include health plans and other managed care organizations, labor unions, employers, military and governmental agencies, as well as third-party administrators.

Texas courts slammed by ransomware attack

Texas has revealed a ransomware attack launched against its court system but insists no ransom will be paid. According to a statement issued on Monday by the Office of Court Administration (OCA), later posted on Twitter, the attack took place overnight last Thursday and was discovered on Friday morning. The agency is responsible for providing IT services to the Texan court system. The malware made its way through the OCA's branch network, and as soon as the ransomware was spotted, linked servers and websites were disabled in an attempt at damage limitation.

Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months

Global business services company Pitney Bowes recently stopped an attack from Maze ransomware operators before the encryption routine could be deployed but the actor still managed to steal some data. This is the second ransomware attack in the past seven months. The incident came to light today after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company's network. The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company's computer network.

Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations. The company says the hackers never touched its ATMs or customer networks, and that the intrusion only affected its corporate network. According to Diebold, on the evening of Saturday, April 25, the company's security team discovered anomalous behavior on its corporate network. Suspecting a ransomware attack, Diebold said it immediately began disconnecting systems on that network to contain the spread of the malware. Sources told KrebsOnSecurity that Diebold's response affected services for over 100 of the company's customers. Diebold said the company's response to the attack did disrupt a system that automates field service technician requests, but that the incident did not affect customer networks or the general public. An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months.

Phishing

YouTube Account Recovery Phishing

Sucuri team has discovered a phishing attack targeting YouTube creators. The phishing campaign, which was initially discovered on a compromised WordPress website, is made up of two pages responsible for harvesting and sending along the victim's stolen username, password, and recovery phone number.

Scams

RevenueWire to pay $6.7 million to settle FTC charges

A Canadian company, RevenueWire, and its CEO, Roberta Leach, will pay $6.75 million to settle Federal Trade Commission charges they laundered credit card payments for, and assisted and facilitated, two tech support scams previously sued by the FTC. "Finding ways to get paid -- without getting caught -- is essential for scammers who steal money from consumers," said Andrew Smith. "And that's exactly what RevenueWire did for tech support scammers when it laundered their transactions through the credit card system."

Las Vegas woman charged with operating identity theft lab

A Las Vegas woman is charged with operating an identity theft lab after police said they found a cache of stolen mail, medical records from cancer patients and Social Security numbers in her possession. Las Vegas Justice Court records show that Diane Dove, 40, faces a single felony count of establishing or possessing a financial forgery laboratory with intent to commit an unlawful act. The case originated in November, when Las Vegas police were called to a home on Hartman Street, near North Rainbow Boulevard and West Craig Road in Las Vegas. An arrest report for Dove states that police went to the apartment for a "domestic disturbance" involving Dove and two women. Dove was arrested on a misdemeanor charge of domestic battery. While investigating, police said, they found a trove of other individuals' financial documents in the apartment.

Crime

Iran reports failed cyber-attack on Strait of Hormuz port

Iranian officials said on Sunday that hackers damaged a few computers in a failed cyberattack against the port of Bandar Abbas, the country's largest port in the Strait of Hormuz. Details about the cyberattack's nature remain unknown. Last week, when the attack took place, local officials from the Ports and Maritime Organization (PMO) in the state of Hormozgan denied that anything had gone wrong. Officials denied rumors about a cyberattack despite complaints of port activity shutting down on Friday. Central government officials eventually came clean about the cyber-attack on Sunday, due to media pressure following an unrelated incident that also took place in the Strait of Hormuz.

Gautrain IT technician illegally installed spyware

A Gautrain technician has been sentenced to 10 years' imprisonment for the unlawful installation of spyware on desktop and laptop computers at the Gautrain Management Agency in Midrand. Information technology technician Obakeng Israel Busang, contracted to Gautrain, was sentenced in the Johannesburg Specialised Commercial Crimes Court following a guilty plea. National Prosecuting Authority (NPA) spokesperson Phindi Mjonondwane said that during the initial stages of plea and trial, Busang pleaded not guilty. He later changed his plea to guilty and made admissions as he realised the evidence against him was overwhelming.

Privacy

U.S. FTC indicates it is looking at Zoom privacy woes

Federal Trade Commission Chairman Joseph Simons indicated on Monday that the agency was looking at privacy complaints regarding Zoom Video Communications Inc. In a teleconference with lawmakers, Simons made reference to concerns that Representative Jerry McNerney of California had about Zoom. McNerney and others had written a letter to Zoom expressing concerns about information collected about registered and non-registered users and recordings made by Zoom subscribers which may be stored in the cloud. While not addressing the question of Zoom directly, Simons said the agency takes its complaints seriously. "We are very happy to take complaints from any source," he said. "If you're reading about it (an issue) in the press, in the media, then you can be assured that we're looking at it already, or we will because of the media attention. If it's out there in the media, we're on it."

Misc

The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet

At 22, he single-handedly put a stop to the worst cyberattack the world had ever seen. Then he was arrested by the FBI. This is his untold story.

Google removed 813 creepware apps from the Android Play Store

Last year Google removed a batch of 813 "creepware" apps from the official Android Play Store following a report from a group of academics studying stalkerware-like apps. The research behind last year's report has now been published online this month in a paper titled "The Many Kinds of Creepware Used for Interpersonal Attacks." In the paper, academics from New York University, Cornell Tech, and NortonLifeLock (formerly Symantec) analyzed so-called "creepware" apps. The term creepware refers to mobile apps that lack the full feature set of a spyware or stalkerware product but can still be used to stalk, harass, defraud, or threaten another person, directly or indirectly.

Towards a Layperson's Security

Interesting blog post by Andrey Fedorov presenting a security model that helps non-technical people understand the security landscape and what kind of actions they should take to protect against different kinds of threats.

NSO Group Pitched Phone Hacking Tech to American Police

A brochure and emails obtained by Motherboard show how Westbridge, the U.S. arm of NSO, wanted U.S. cops to buy a tool called Phantom. NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard. The news provides the strongest evidence yet of NSO's attempt to enter the U.S. market, and shows apparent appetite from U.S. police for such tools, with one law enforcement official describing the hacking technology as "awesome."