Table of Contents

  1. Privacy
    1. WhatsApp Phone Numbers Pop Up in Google Search Results
    2. IBM, Amazon Agree to Step Back From Face Recognition. Where Is Microsoft?
    3. uBlock Origin for Chrome now blocks port scans on most sites
    4. Researcher claims Pakistan Government’s #Covid19 tracing app leaks user’s private data
  2. Vulnerabilities
    1. Another Intel Speculative Execution Vulnerability
    2. New Windows 10 SMBv3 flaw can be used for data theft, RCE attacks
    3. Arm CPUs impacted by rare side-channel attack
    4. Multiple Vulnerabilities in TCExam
    5. GnuTLS: TLS 1.3 session resumption works without master key, allowing MITM
    6. CallStranger UPnP bug allows data theft, DDoS attacks, LAN scans
  3. Breaches
    1. Hackers breached A1 Telekom, Austria's largest ISP
    2. Honda investigates possible ransomware attack, networks impacted
    3. Babylon Health Data Breach Allowed Users To View Other Patients' Video Consultations
    4. Nintendo Confirms Additional 140,000 Accounts Compromised in April Data Breach
    5. Jenkins team avoids security disaster after partial user database loss
    6. US aerospace services provider breached by Maze Ransomware
    7. Viva Republica in hot water over alleged security breach
    8. Details of COVID-19 patients leaked in Tiruvarur, patient gets calls from strangers
    9. San Beda student portal hacked, personal data of thousands stolen
    10. Fears patient files at Hockley GP surgery hacked
    11. 12,400+ Indian Blood Donors Personal Information Leaked in the Darknet
    12. ZEE5 allegedly hacked by 'Korean hackers', customer info at risk
    13. CPLT announces breach of sensitive patient data in health industry
    14. Fitness Depot hit by data breach after ISP fails to ‘activate the antivirus’
    15. Castro Valley Health notifies patients after learning that patient data had been improperly transferred to Docker Hub
    16. Australian Beverage Manufacturer Shutdown IT Systems After Cyberattack
  4. Malware
    1. Gamaredon hackers use Outlook macros to spread malware to contacts
    2. Fake Black Lives Matter voting campaign spreads Trickbot malware
    3. Kingminer patches vulnerable servers to lock out competitors
    4. Valak malware gets new plugin to steal Outlook login credentials
    5. Malicious Android apps deactivated fraud code to bypass Google's security scans
    6. US energy providers hit with new malware in targeted attacks
    7. Search hijackers change Chrome policy to remote administration
  5. Politics
    1. Dark Basin: Uncovering a Massive Hack-For-Hire Operation
    2. Researchers say online voting tech used in 5 states is fatally flawed
    3. Slovak police seize wiretapping devices connected to government network
    4. The Cyber Threat Facing Pakistan
  6. Phishing
    1. Office 365 phishing baits business owners with relief payments
    2. Zoom Phish Zooming Through Inboxes Amid Pandemic
    3. Phishing Attack Hits German Coronavirus Task Force
    4. New Campaign Abusing StackBlitz Tool to Host Phishing Pages
    5. 100,000 company inboxes hit with voice message phishing
  7. Ransomware
    1. Thanos ransomware auto-spreads to Windows devices, evades security
    2. Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity
    3. New Avaddon Ransomware launches in massive smiley spam campaign
    4. Fake ransomware decryptor double-encrypts desperate victims' files
    5. Kupidon is the latest ransomware targeting your data
    6. REvil Ransomware Operators Targets Universal Logistics Holdings
  8. Misc
    1. Playing around with the Fuchsia operating system
    2. Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service
    3. Fake SpaceX YouTube channels scam viewers out of $150K in bitcoin

Privacy

WhatsApp Phone Numbers Pop Up in Google Search Results

A researcher found that phone numbers tied to WhatsApp accounts are indexed publicly on Google Search, creating what he calls a "privacy issue" for users. He is warning that a WhatsApp feature called "Click to Chat" puts users' mobile phone numbers at risk by allowing Google Search to index them for anyone to find. WhatsApp owner Facebook says it is no big deal and that the search results only reveal what users have chosen to make public anyway. Click to Chat links (wa.me/<number>) carry the number in an ordinary public URL, so any such link placed on a crawlable page is indexed like any other content; the lesson for users is that the number is public the moment the link is posted, whatever the app's own privacy settings say.

IBM, Amazon Agree to Step Back From Face Recognition. Where Is Microsoft?

This week two major vendors of face surveillance technology announced that in light of recent protests against police brutality and racial injustice, they would be phasing out or pausing their sale of this technology to police. The fact that these two companies, IBM and Amazon, have admitted the harm that this technology causes should be a red flag to lawmakers. The belief that police and other government use of this technology can be responsibly regulated is wrong. Congress, states, and cities should take this momentary reprieve, during which police will not be able to acquire face surveillance technology from two major companies, as an opportunity to ban government use of the technology once and for all. In a letter from Arvind Krishna to Congress, the IBM CEO announced that in the name of racial justice the company would end research, development, and sale of any face recognition technology:

uBlock Origin for Chrome now blocks port scans on most sites

A recent update to an ad-blocking filter list lets the uBlock Origin extension block most of the known sites that run port scans against the visitor's machine. A few weeks ago it was reported that eBay uses fraud-detection scripts that port scan a visitor's computer for Windows remote-access programs. The caveat: a filter list only blocks scripts it recognizes; the underlying capability, a page opening WebSocket connections to localhost ports and timing the result, remains available to any site not yet on the list.

Researcher claims Pakistan Government’s #Covid19 tracing app leaks user’s private data

French security researcher Baptiste Robert continues to draw public attention to security problems in COVID-19 tracking and tracing apps. TheDigitalHacker reported that the app built for the Pakistan government to track COVID-19 uses weak security that can leak personal data such as passwords and personal information, a first-order concern for any contact tracing app.

Vulnerabilities

Another Intel Speculative Execution Vulnerability

Two separate academic teams disclosed two new and distinct exploits that pierce Intel's Software Guard Extensions (SGX), by far the most sensitive region of the company's processors. The new SGX attacks are known as SGAxe and CrossTalk. Both break into the fortified CPU region using separate side-channel attacks, a class of attack that infers sensitive data by measuring timing differences, power consumption, electromagnetic radiation, sound, or other information from the systems that store it. The assumptions for both attacks are roughly the same: an attacker has already broken the security of the target machine through a software exploit or a malicious virtual machine that compromises the integrity of the system. While that's a tall bar, it's precisely the scenario that SGX is supposed to defend against.

New Windows 10 SMBv3 flaw can be used for data theft, RCE attacks

A new security vulnerability was found in the compression mechanism of the Microsoft Server Message Block 3.1.1 (SMBv3) network protocol used by multiple versions of Windows 10 and Windows Server. The flaw, tracked as CVE-2020-1206 and named SMBleed by the ZecOps researchers who found it, sits in the same function as SMBGhost (CVE-2020-0796), the pre-auth remote code execution (RCE) vulnerability Microsoft tagged as "wormable" and patched in March. SMBleed is a client/server information disclosure bug that allows unauthenticated attackers to remotely read uninitialized kernel memory and, chained with SMBGhost, to achieve RCE against unpatched Windows systems. Both bugs live in the SMBv3 compression path, so the interim workaround Microsoft published for SMBGhost, disabling SMBv3 compression on servers, covers the server side of this one too until the June patch is applied, and blocking TCP 445 at the perimeter limits exposure either way.
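As an added example (not from the article and not ZecOps' code), the following Python parses the SMB2 compression transform header that both SMBGhost and SMBleed abuse and flags the two inconsistencies a sensor can look for: the 32-bit wrap of OriginalCompressedSegmentSize + Offset that SMBGhost relies on, and a decompressed length that differs from the declared OriginalCompressedSegmentSize, the mismatch SMBleed turns into an uninitialized-memory read. The frames are constructed with an opaque payload rather than real LZNT1 data, so the caller supplies the decompressed length; a real sensor would take it from its decompressor.

```python
import struct

# Layout of the SMB2 COMPRESSION_TRANSFORM_HEADER (16 bytes, little-endian):
#   ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2)
#   | Flags (2) | Offset/Length (4)
COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
HEADER_LEN = 16


def parse_compression_header(frame: bytes) -> dict:
    """Split a compressed SMB2 frame into its header fields."""
    if len(frame) < HEADER_LEN or frame[:4] != COMPRESSION_PROTOCOL_ID:
        raise ValueError("not an SMB2 compression transform frame")
    _, original_size, algorithm, flags, offset = struct.unpack("<4sIHHI", frame[:HEADER_LEN])
    return {
        "original_size": original_size,  # declared size of the decompressed data
        "algorithm": algorithm,          # 1 = LZNT1, 2 = LZ77, 3 = LZ77+Huffman
        "flags": flags,
        "offset": offset,                # bytes of uncompressed prefix before the compressed data
        "payload_len": len(frame) - HEADER_LEN,
    }


def check_compression_frame(frame: bytes, decompressed_len: int = None) -> list:
    """Return the list of suspicious conditions found in one compressed frame.

    decompressed_len is the length the decompressor actually produced; pass None
    if the frame has not been decompressed (the header checks still run).
    """
    hdr = parse_compression_header(frame)
    findings = []
    # SMBGhost (CVE-2020-0796): the vulnerable server sized its buffer from the
    # 32-bit sum OriginalCompressedSegmentSize + Offset, so a wrapped sum means an
    # undersized allocation followed by a heap overflow when the data is copied in.
    if hdr["original_size"] + hdr["offset"] > 0xFFFFFFFF:
        findings.append("smbghost: OriginalCompressedSegmentSize + Offset wraps 32 bits")
    if hdr["offset"] > hdr["payload_len"]:
        findings.append("offset: uncompressed prefix longer than the frame itself")
    # SMBleed (CVE-2020-1206): the declared size decides how much of the buffer is
    # treated as message data; if the decompressor produced less, the remainder is
    # whatever the allocation already held, i.e. uninitialized kernel memory.
    if decompressed_len is not None and decompressed_len != hdr["original_size"]:
        findings.append("smbleed: decompressed %d bytes but header declares %d"
                        % (decompressed_len, hdr["original_size"]))
    return findings


def build_frame(original_size: int, offset: int, algorithm: int = 1, payload: bytes = b"") -> bytes:
    """Constructed test frame: a header followed by an opaque payload (not real LZNT1 data)."""
    return struct.pack("<4sIHHI", COMPRESSION_PROTOCOL_ID, original_size, algorithm, 0, offset) + payload
```

A frame declaring 100 bytes whose decompressor returned 100 is clean; a header with OriginalCompressedSegmentSize 0xFFFFFFFF and a small Offset trips the SMBGhost check before any decompression happens, and a frame that decompresses to 40 bytes while declaring 100 trips the SMBleed check.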

Arm CPUs impacted by rare side-channel attack

Chipmaker Arm issued guidance to software developers this week detailing mitigations for a new vulnerability in its Armv8-A (Cortex-A) CPU architecture. Codenamed SLS (Straight-Line Speculation), it is a speculative execution side channel: after an unconditional change in control flow such as a return or an indirect branch, the CPU may speculatively execute the instructions that sit straight after it in memory before the real target is resolved, and those never-intended instructions can leave measurable traces in caches. Speculative execution refers to CPUs processing instructions in advance for performance reasons and then discarding the results they don't need; side-channel attacks on it let an attacker observe what the CPU transiently worked on. Arm's mitigation is a speculation barrier placed after such instructions, which compilers can insert automatically (GCC and LLVM expose this for AArch64 as -mharden-sls).

Multiple Vulnerabilities in TCExam

Online learning has seen an increase in activity during the coronavirus pandemic. Multiple vulnerabilities were identified in TCExam, a popular online testing system that could have allowed a remote, unauthenticated attacker to gain administrative access to the e-exam system.

GnuTLS: TLS 1.3 session resumption works without master key, allowing MITM

GnuTLS servers are able to use tickets issued by each other without access to the secret key generated by gnutls_session_ticket_key_generate(). This allows a MITM server without valid credentials to resume sessions with a client that first established an initial connection with a server that has valid credentials. The issue applies to TLS 1.3; with TLS 1.2, resumption fails as expected. The flaw was later assigned CVE-2020-13777 and fixed in GnuTLS 3.6.14: until the first key rotation, affected servers (3.6.4 onwards) encrypted tickets with predictable data in place of the generated key, so any GnuTLS server could open any other's tickets. The advisory also notes a confidentiality impact on TLS 1.2, since recorded ticket-based sessions can be decrypted by anyone who knows that key.
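To make the failure concrete, here is an added Python model (not GnuTLS code) of how a server wraps a TLS 1.3 resumption secret in a session ticket under a ticket key: a second server with its own key cannot open the ticket, so it cannot resume the session, but if every server ends up with the same predictable key, modelled here as all zeros, any of them can. The authenticated encryption is a toy built from HMAC-SHA256 only (counter-mode keystream plus encrypt-then-MAC) so the example runs on the standard library; the function and label names are my own, not GnuTLS API.

```python
import hashlib
import hmac
import os
import struct

ZERO_KEY = bytes(32)  # models a ticket key that never received real key material


def _derive(ticket_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one ticket key."""
    return hmac.new(ticket_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher, not a real AEAD."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def issue_ticket(ticket_key: bytes, resumption_secret: bytes) -> bytes:
    """Server side of NewSessionTicket: wrap the resumption secret under the ticket key."""
    enc_key, mac_key = _derive(ticket_key, b"enc"), _derive(ticket_key, b"mac")
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(resumption_secret))
    ciphertext = bytes(a ^ b for a, b in zip(resumption_secret, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_ticket(ticket_key: bytes, ticket: bytes):
    """Server side of resumption: recover the secret, or None if the ticket is not ours."""
    if len(ticket) < 16 + 32:
        return None
    nonce, ciphertext, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    enc_key, mac_key = _derive(ticket_key, b"enc"), _derive(ticket_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def can_resume(issuer_key: bytes, resumer_key: bytes) -> bool:
    """Does a ticket issued by one server let a server holding resumer_key resume it?"""
    secret = os.urandom(32)
    ticket = issue_ticket(issuer_key, secret)
    return open_ticket(resumer_key, ticket) == secret
```

With distinct random keys the MITM's server fails the tag check and resumption is refused, which is the behaviour the client's trust in resumption depends on; with the shared zero key the MITM opens the legitimate server's ticket and the client resumes with it, never seeing a certificate.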

CallStranger UPnP bug allows data theft, DDoS attacks, LAN scans

A vulnerability in the Universal Plug and Play (UPnP) protocol, implemented in billions of devices, can be exploited to exfiltrate data, turn devices into bots for distributed denial-of-service (DDoS) attacks, and scan internal networks. The bug, named CallStranger, stems from the SUBSCRIBE method accepting an attacker-supplied CALLBACK URL without restriction, so the device will send its event notifications, and whatever data they carry, to any address the attacker names, inside or outside the network. It affects every device implementing a UPnP specification older than the April 17, 2020 update, including all versions of Windows 10, routers, access points, printers, gaming consoles, door phones, media applications and devices, cameras and television sets. CallStranger is tracked as CVE-2020-12695 and can be exploited remotely without authentication. It was discovered by security researcher Yunus Çadirci and reported to the Open Connectivity Foundation (OCF), the organization that maintains UPnP, on December 12, 2019. Since UPnP has no business being reachable from the internet, the immediate check is whether SSDP or device event URLs are exposed on WAN interfaces; the durable fix is firmware that implements the revised specification.
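What a UPnP device should do before honouring a SUBSCRIBE, as an added example that is neither the researcher's code nor taken from any UPnP stack: parse the request, pull every URL out of the CALLBACK header, and refuse anything that is not an http URL pointing at an IP literal inside the device's own network. Hostnames are refused outright, because resolving them at NOTIFY time would let the attacker choose the destination all over again. The local network list, the cap on callback URLs and the sample requests are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Networks the device treats as local for callbacks (assumed; a real device would
# build this from its own interface configuration).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
MAX_CALLBACKS = 2

# Constructed sample requests: a legitimate subscription from a LAN control point,
# and the CallStranger shape, a callback pointing at an internet host.
SAMPLE_OK = (b"SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
             b"HOST: 192.168.1.1:49152\r\n"
             b"CALLBACK: <http://192.168.1.20:5000/notify>\r\n"
             b"NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")
SAMPLE_EXFIL = SAMPLE_OK.replace(b"<http://192.168.1.20:5000/notify>",
                                 b"<http://203.0.113.9:80/collect>")
SAMPLE_HOSTNAME = SAMPLE_OK.replace(b"<http://192.168.1.20:5000/notify>",
                                    b"<http://attacker.example/>")
SAMPLE_MIXED = SAMPLE_OK.replace(b"<http://192.168.1.20:5000/notify>",
                                 b"<http://192.168.1.20:5000/a><http://203.0.113.9/b>")


def parse_subscribe(raw: bytes) -> dict:
    """Parse the request line and headers of a UPnP SUBSCRIBE (HTTP/1.1 syntax)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()   # header names are case-insensitive
    return {"method": method, "target": target, "headers": headers}


def callback_urls(callback_header: str) -> list:
    """CALLBACK carries one or more <url> entries."""
    return re.findall(r"<([^>]+)>", callback_header)


def callback_allowed(url: str, local_nets=LOCAL_NETS) -> bool:
    """Accept only http URLs whose host is an IP literal inside a local network."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:           # a hostname, not an address: refuse
        return False
    return any(host in net for net in local_nets)


def validate_subscribe(raw: bytes, local_nets=LOCAL_NETS) -> tuple:
    """Return (accepted, reason) for a SUBSCRIBE before any NOTIFY is ever sent."""
    req = parse_subscribe(raw)
    if req["method"] != "SUBSCRIBE":
        return False, "not a SUBSCRIBE request"
    if "SID" in req["headers"]:
        return True, "renewal of an existing subscription"   # renewals carry SID, not CALLBACK
    urls = callback_urls(req["headers"].get("CALLBACK", ""))
    if not urls:
        return False, "missing CALLBACK"
    if len(urls) > MAX_CALLBACKS:
        return False, "too many callback URLs"
    bad = [u for u in urls if not callback_allowed(u, local_nets)]
    if bad:
        return False, "callback outside local network: " + ", ".join(bad)
    return True, "ok"
```

The same check is the one to run when auditing a device: subscribe with an external callback and watch whether a NOTIFY arrives there; a device that still honours it is still vulnerable regardless of what its firmware version claims.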

Breaches

Hackers breached A1 Telekom, Austria's largest ISP

A1 Telekom, the largest internet service provider in Austria, has admitted to a security breach this week, following a whistleblower's exposé. The company admitted to suffering a malware infection in November 2019. A1 said its security team detected the malware a month later, but that removing the infection was more problematic than it initially anticipated. From December 2019 to May 2020, A1 said its security team had battled with the malware's operators in attempts to remove all of their hidden backdoor components and kick out the intruders.

Honda investigates possible ransomware attack, networks impacted

Computer networks in Europe and Japan belonging to car manufacturing giant Honda have been affected by issues that are reportedly related to a SNAKE ransomware attack. Details are unclear at the moment, but the company is investigating the cause of the problems that were detected on Monday. Malwarebytes has analyzed this ransomware strain in a blog post.

Babylon Health Data Breach Allowed Users To View Other Patients' Video Consultations

Babylon Health has acknowledged that its GP video appointment app has suffered a data breach. The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients' consultations. A follow-up check by Babylon revealed a small number of further UK users could also see others' sessions. The firm said it had since fixed the issue and notified regulators.

Nintendo Confirms Additional 140,000 Accounts Compromised in April Data Breach

Nintendo released a new statement confirming that an additional 140,000 user accounts were exposed after the Nintendo Network ID (NNID) system was compromised in April 2020. Before confirming the security incident, the company received multiple reports from users of unauthorized logins to their accounts, and even fraudulent use of stored credit card data. In an initial statement on April 24, Nintendo acknowledged that around 160,000 accounts were affected by a security incident that led to the leak of personally identifiable information such as nicknames, date of birth, country, region, email address and gender.

Jenkins team avoids security disaster after partial user database loss

The developers of the Jenkins open source automation server said they have successfully recovered their backend infrastructure after a partial user database loss. The incident took place last week, on June 2, and resulted in an outage of the Jenkins Artifactory portal, used by Jenkins plugin developers to upload and manage plugin artifacts. The Jenkins team said an error in a Kubernetes system forced them to rebuild parts of the Artifactory portal from scratch. During this rebuild, the team lost three months of changes to the LDAP database, including details about user accounts used by Jenkins plugin developers.

US aerospace services provider breached by Maze Ransomware

The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company's compromised devices in April 2020. VT San Antonio Aerospace (VT SAA) is a leading North American aircraft MRO (maintenance, repair, and overhaul) service provider specialized in airframe maintenance repair and overhaul, line maintenance, aircraft modifications, and aircraft engineering services. The Maze Ransomware operators state in a new post on their data leak site that they breached the network of ST Engineering---actually that of VT SAA, one of the group's North American subsidiaries---stealing data and encrypting servers. During the attack, before deploying the ransomware payload to encrypt the company's servers, Maze claims to have stolen 1.5 TB worth of unencrypted files to be used as leverage to pressure the ST Engineering subsidiary into paying their ransom.

Viva Republica in hot water over alleged security breach

Viva Republica, which runs the money transfer platform Toss, said it has found unauthorized payments made on its system and is working to find the exact cause of the incident. According to the fintech firm, a total of eight unauthorized purchases, worth 9.4 million won ($7,853), were made on June 3 at three online websites via Toss without the permission of the account owners. Personal data such as names, phone numbers, birth dates and PINs were used in the alleged theft. The firm claimed, however, that it is "highly unlikely" the data was leaked via the Toss platform, since that data is not stored on its servers.

Details of COVID-19 patients leaked in Tiruvarur, patient gets calls from strangers

In a shocking instance of breach of privacy, names, addresses and contact numbers of at least two COVID-19 patients who are currently being treated at the Thiruvarur Medical College and Hospital were circulated on social media apps. One of the patients has been receiving calls from strangers inquiring about his well-being, this breach of privacy has also led to his family being discriminated against by their neighbours. Abdul*, a 30-year-old man, had travelled from Chennai to his native place in Thiruvarur district on June 2 when he was stopped at the checkpost and asked to undergo RT-PCR test for COVID-19. "We were first taken to the Central University of Tamil Nadu (CUTN) in Thiruvarur to stay till our test results. Our results came back positive on June 3, and then we were shifted to the Government Hospital in Thiruvarur," Abdul told TNM. However, it was from June 6, Saturday, that he started getting random missed calls on his phone number. "I initially didn't mind the missed calls, but after 5-6 calls, I picked up some calls, and asked them who they were and they didn't tell me. They told me that they saw my number on local WhatsApp groups and called to check on me," he added.

San Beda student portal hacked, personal data of thousands stolen

A still unidentified hacker has infiltrated the online student portal of San Beda University (SBU), gaining access to personal information and social media passwords of thousands of students and apparently releasing them online. "We discovered an incident where your email address and password, as used in the student portal was accessed by an unknown entity, purporting to be a hacker, and illegally released the same publicly via social media platform Twitter," SBU said in a statement to its community on Saturday, June 6. In what seems to be related news, Cebu Daily News reports: The University of the Philippines Cebu (UP Cebu) assured its students and alumni that no sensitive and personal information was leaked after hackers reportedly broke into its evaluation system. UP Cebu Chancellor Liza Corro also clarified that the university's student database system, called Student Academic Information System (SAIS), was not breached.

Fears patient files at Hockley GP surgery hacked

Thousands of alerts have been sent to patients at a leading GPs' practice amid fears their medical records have been hacked. Staff at Hockley Medical Practice, based in the Jewellery Quarter, have acted swiftly after being made aware of the possible cyberattack. The surgery has 8,839 patients. A text message has been sent to all adults on its books. An NHS spokesperson said there was no indication any other surgery has been affected. She stressed it has not yet been established if a hacker had siphoned sensitive data, but the situation is being taken extremely seriously.

12,400+ Indian Blood Donors Personal Information Leaked in the Darknet

CybleInc has identified a credible actor in one of the darkweb markets who was selling the database of Indian Blood Donors comprising 12,400+ users' records.

ZEE5 allegedly hacked by 'Korean hackers', customer info at risk

A hacker identifying themselves as "John Wick" and "Korean Hackers" claims to have breached the systems of Indian video-on-demand giant ZEE5 and is threatening to sell the database on criminal markets. ZEE5 is an Indian streaming service with over 150 million subscribers worldwide and is part of the Essel Group conglomerate, the same company that owns the ZEE news media outlets and TV channels.

CPLT announces breach of sensitive patient data in health industry

The Chilean Transparency Council ('CPLT') announced, on 1 June 2020, that following an audit of 12,000 purchase orders made by 86 organisations in the health sector, the CPLT found that 12 purchase orders by hospitals and six by health services were made which revealed the sensitive personal data of patients.

Fitness Depot hit by data breach after ISP fails to ‘activate the antivirus’

Canadian retailer Fitness Depot notified customers that their personal and financial information was stolen following a breach that affected the company's e-commerce platform last month. Fitness Depot is the largest specialty exercise equipment retailer in Canada, with 40 stores nationwide and two in the United States, in Dallas and Houston, Texas.

Castro Valley Health notifies patients after learning that patient data had been improperly transferred to Docker Hub

Castro Valley Health, Inc. has become aware of a data security incident that may have involved some personal information of former patients. Castro Valley Health is sending notifications to the potentially affected individuals to inform them of the incident and provide resources to assist them. The incident occurred when certain information about Castro Valley Health patients was inadvertently transferred during 2016-2017 to a third-party website called Docker Hub. Castro Valley Health first became aware of the incident on April 21, 2020, and promptly removed the information from Docker Hub. The transferred information was, in the company's words, heavily coded and therefore not readable without significant decoding. Note that the notice says "coded", not encrypted; encoding is not confidentiality protection, and the notice does not say how long the image was public or whether it was pulled by anyone before removal.

Australian Beverage Manufacturer Shutdown IT Systems After Cyberattack

A cyberattack forced Australian beverage manufacturer Lion to shut down its IT system, interrupting manufacturing and orders, the company disclosed on June 9. "We immediately shut down all our systems as a precaution, and we have continued to work with cyber experts to determine how much longer our systems will be impacted," the company said. While there is no evidence of a data breach, the company is still investigating the incident that halted its brewery output across the country. To continue serving customers and partners, Lion adopted manual systems to receive and process orders.

Malware

Gamaredon hackers use Outlook macros to spread malware to contacts

New tools attributed to the Russia-linked Gamaredon group include a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim's contacts. The module lowers Outlook's macro security settings and plants the VBA project that generates the spear-phishing emails, which spread the malware to further victims. Gamaredon has been in the cyber espionage game since at least 2013, targeting national security institutions in Ukraine for political and military gain, and has become more active since December 2019. According to ESET, Gamaredon has multiple variants of CodeBuilder, the module that injects malicious macros or remote templates into documents found on the infected host.

Fake Black Lives Matter voting campaign spreads Trickbot malware

A phishing email campaign asking recipients to vote anonymously on Black Lives Matter is spreading the TrickBot information-stealing malware. TrickBot started as a banking Trojan and has evolved to perform a wide range of malicious behaviour, including spreading laterally through a network, stealing saved browser credentials, stealing the Active Directory database, stealing cookies and OpenSSH keys, stealing RDP, VNC and PuTTY credentials, and more.

Kingminer patches vulnerable servers to lock out competitors

Operators of the Kingminer cryptojacking botnet are trying to keep their business humming by applying Microsoft hotfixes to the vulnerable computers they infect, locking out other threat actors who might claim a piece of their pie. Kingminer has been around for about two years and continues to brute-force its way onto Microsoft SQL servers to install the XMRig miner for Monero. In their latest campaigns the botnet operators started using the EternalBlue exploit and then shutting the door on remote access to the compromised systems, according to a new report from researchers at Sophos.

Valak malware gets new plugin to steal Outlook login credentials

Authors of the Valak information stealer are focusing more and more on stealing email credentials, as researchers have found a new module built specifically for this purpose. Valak has been developed at an accelerated rate, with more than 30 variants identified in six months. It started as a malware loader and later evolved into an information stealer focused on enterprise targets. It can infiltrate Microsoft Exchange servers to steal data from the mail system, such as credentials and domain certificates, that would give the attacker access as an internal domain user. In a technical analysis, researchers at SentinelOne detail a new plugin called "clientgrabber", whose task is to steal email credentials from the registry of a compromised machine.

Malicious Android apps deactivated fraud code to bypass Google's security scans

Google has recently removed a suite of malicious Android applications from the official Play Store that were caught showing out-of-context ads and intrusive browser redirects on Android smartphones. Bot mitigation company White Ops, which discovered and reported the malicious apps to Google's security team, said the apps were developed by the same criminal group. Researchers said the group created at least 38 Android apps geared towards bombarding users with ads, but that recent applications had been modified to disable the malicious adware functions inside the source code, most likely to avoid Google's Play Store security scans during the app submission and approval process.

US energy providers hit with new malware in targeted attacks

U.S. energy providers were targeted by spear-phishing campaigns delivering a new remote access Trojan (RAT) capable of giving attackers full control over infected systems. The attacks took place between July and November 2019, and the threat actor behind them, tracked as TA410 by the Proofpoint researchers who spotted the campaigns, used portable executable (PE) attachments and macro-laden Microsoft Word documents to deliver the payload. The malware, dubbed FlowCloud, is a full-fledged RAT that gives the TA410 operators total control over compromised devices, as well as the ability to harvest and exfiltrate information to attacker-controlled servers.

Search hijackers change Chrome policy to remote administration

The latest type of installer in the search hijacking saga changes a Chrome policy, which makes the browser tell users the setting can't be changed because the browser is managed by an outside organization. As you can imagine, that has alarmed quite a few Chrome users. A single search hijacker doesn't generate large amounts of cash for threat actors, unlike ransomware or banking Trojans, so the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible. It also should not come as a surprise that ethics are no priority for many of them: as long as they can rake in their redirect fees, they couldn't care less about the inconvenience of being stuck with a default search provider you would not have picked yourself. On Windows these policies live under HKLM or HKCU\Software\Policies\Google\Chrome, and chrome://policy lists every active policy together with its source, which is the quickest way to confirm a hijack on a machine that is not actually domain-managed.
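Both the Gamaredon Outlook module described above and these search hijackers persist by writing registry values that change how trusted software behaves, so one registry audit covers both. The following Python is an added example, not code from ESET, Malwarebytes or either malware family, run over a constructed snapshot of (key, value name, data) triples as a registry export or an EDR query would yield them. It flags the Outlook macro security value Level set to 1 (every macro enabled), Chrome DefaultSearchProvider policies whose search URL is not on an assumed allowlist, and any ExtensionInstallForcelist entry; the allowlist and the rule names are my own choices.

```python
import re
from urllib.parse import urlsplit

# Constructed registry snapshot: (key path, value name, data) triples as a registry
# export or an EDR query would yield them. Sample data, not real telemetry.
SAMPLE_SNAPSHOT = [
    (r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security", "Level", 1),
    (r"HKCU\Software\Microsoft\Office\16.0\Outlook", "AlwaysSignMessages", 0),
    (r"HKLM\Software\Policies\Google\Chrome", "DefaultSearchProviderEnabled", 1),
    (r"HKLM\Software\Policies\Google\Chrome", "DefaultSearchProviderSearchURL",
     "http://search.hijack-example.test/?q={searchTerms}"),
    (r"HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist", "1",
     "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"),
]

# Outlook macro security: Level 1 = enable all macros, 2 = notify for all,
# 3 = notify for signed only (the default), 4 = disable all without notification.
OUTLOOK_SECURITY_KEY = re.compile(
    r"^HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Security$", re.I)
# Chrome reads machine and user policy from Software\Policies\Google\Chrome and its subkeys.
CHROME_POLICY_KEY = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE|CU|EY_CURRENT_USER)\\Software\\Policies\\Google\\Chrome(\\.*)?$", re.I)

# Assumed allowlist of search hosts an organisation would legitimately force by policy.
APPROVED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}


def audit_registry(snapshot) -> list:
    """Return (rule, key, value name, data) tuples for every suspicious entry."""
    findings = []
    for key, name, data in snapshot:
        if OUTLOOK_SECURITY_KEY.match(key) and name.lower() == "level" and data == 1:
            findings.append(("outlook-macros-enabled", key, name, data))
            continue
        m = CHROME_POLICY_KEY.match(key)
        if not m:
            continue
        subkey = (m.group(1) or "").lower()
        lname = name.lower()
        if subkey == "" and lname.startswith("defaultsearchprovider"):
            # A forced search provider is normal on a domain-managed machine and a
            # hijack on a home one; the URL's host decides which rule fires.
            if lname == "defaultsearchprovidersearchurl":
                host = urlsplit(str(data)).hostname
                rule = "chrome-search-policy" if host in APPROVED_SEARCH_HOSTS else "chrome-search-hijack"
            else:
                rule = "chrome-search-policy"
            findings.append((rule, key, name, data))
        elif subkey == r"\extensioninstallforcelist":
            # Each numbered value is "<extension id>;<update url>", installed without user consent.
            findings.append(("chrome-forced-extension", key, name, data))
    return findings
```

Run against the sample snapshot it reports the Outlook downgrade, the hijacked search URL (plus the accompanying enable flag as a plain policy finding) and the force-installed extension, and stays silent on the harmless AlwaysSignMessages value; remediation for the Chrome case is deleting the policy keys and restarting the browser, since the settings UI will refuse to change them while the policy exists.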

Politics

Dark Basin: Uncovering a Massive Hack-For-Hire Operation

CitizenLab has uncovered a hack-for-hire campaign named Dark Basin, with origins in India. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.

Researchers say online voting tech used in 5 states is fatally flawed

OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states---West Virginia, Delaware, and New Jersey---have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT's Michael Specter and the University of Michigan's Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity.

Slovak police seize wiretapping devices connected to government network

Slovak authorities have arrested four suspects on Tuesday as part of an investigation into a series of suspicious devices found connected to the government's official IT network. According to local news site Aktuality, the equipment is believed to have been used for wiretapping purposes and would have allowed threat actors to intercept both internet and telephony operations. The devices, believed to be some type of servers, were connected to GOVNET, a network that interconnects different Slovak government agencies.

The Cyber Threat Facing Pakistan

In 2019, the mobile phones of some senior Pakistani officials were hacked for covert surveillance. The hacking was done via WhatsApp using a special type of malware called "Pegasus," allegedly developed by Israeli spyware company the NSO Group. The malware could infiltrate a phone by making a missed call on the targeted WhatsApp number and turn on the phone's camera and microphone as well as gain access to messages, emails, contacts, and passwords. The malware also has the capability of determining GPS location. After the hacking incident, reports suggested that the Pakistani government was working on developing an alternative to the WhatsApp application for protecting sensitive or classified information. It still remains unknown who had targeted the Pakistani officials. However, concerns were exacerbated after reports emerged that Indian intelligence agencies were using the same Israeli spyware to carry out surveillance of Indian lawyers, opposition political leaders, human rights activists, and members of civil society.

Phishing

Office 365 phishing baits business owners with relief payments

Business owners with Microsoft Office 365 accounts are targeted in a phishing campaign that uses bait emails designed to look like legitimate Small Business Grants Fund (SGF) relief payment messages from the UK government. These highly targeted phishing attacks have so far delivered emails that, according to numbers from security researchers at email security company Abnormal Security, have landed in the mailboxes of up to 5,000 potential victims. The scammers behind this phishing campaign have found the perfect time to use this tactic since governments all over the globe are currently doing their best to give a helping hand to businesses and citizens dealing with financial issues caused by the COVID-19 pandemic.

Zoom Phish Zooming Through Inboxes Amid Pandemic

Phishing Attack Hits German Coronavirus Task Force

Researchers are warning of an ongoing phishing attack that's targeting the credentials of more than 100 high-profile executives at a German multinational corporation that's tasked with procuring coronavirus medical gear for Germany. During the course of ongoing research on coronavirus-related cyber activity, IBM X-Force Incident Response and Intelligence Services uncovered a COVID-19 related phishing campaign targeting a German multinational corporation, associated with a German government-private sector task force to procure personal protective equipment (Task Force Schutzausrüstung). The group has been commissioned to use their international contacts and expertise to obtain personal protective equipment such as face masks and medical gear, particularly from China-based supply and purchasing chains.

New Campaign Abusing StackBlitz Tool to Host Phishing Pages

There are numerous tools available to help individuals create new, exciting web pages. Recently, the Zscaler ThreatLabz team came across various phishing campaigns that leverage the StackBlitz tool, using the preboot library functionality that eases the transition of a hosted web page from the server side to the client side. StackBlitz is an online integrated development environment (IDE) where anyone can create Angular JavaScript and React TypeScript projects that are immediately published online. Attackers have adopted this method to host phishing pages. The purpose of the preboot library is to manage the transition of state from a server-generated web view to a client-generated web view.

100,000 company inboxes hit with voice message phishing

Attackers have been pounding employee inboxes at companies that still use private branch eXchange (PBX) telephone systems for communication, delivering phishing that bypasses email defenses. The messages pretended to be voicemail notifications from PBX integrations and featured custom subject lines to pass a superficial legitimacy test.

Ransomware

Thanos ransomware auto-spreads to Windows devices, evades security

The Thanos ransomware is the first to use the researcher-disclosed RIPlace anti-ransomware evasion technique, alongside numerous other advanced features that make it a serious threat to keep an eye on. Thanos began private distribution at the end of October 2019, but it was not until January 2020 that victims started seeking help for what was then called the Quimera Ransomware. In a new report by Recorded Future, we learn that this ransomware is named Thanos and has been promoted as Ransomware-as-a-Service on Russian-speaking hacker forums since February.

Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity

In late May, KrebsOnSecurity alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware. Nevertheless, on Friday, June 5, the intruders sprang their attack, deploying ransomware and demanding nearly $300,000 worth of bitcoin. City officials now say they plan to pay the ransom demand, in hopes of keeping the personal data of their citizens off of the Internet.

New Avaddon Ransomware launches in massive smiley spam campaign

With a wink and a smile, the new Avaddon Ransomware has come alive in a massive spam campaign targeting users worldwide. Avaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible.

Fake ransomware decryptor double-encrypts desperate victims' files

A fake decryptor for the STOP Djvu Ransomware is being distributed that lures already desperate people with the promise of free decryption. Instead of getting their files back for free, they are infected with another ransomware that makes their situation even worse. While ransomware operations such as Maze, REvil, Netwalker, and DoppelPaymer get wide media attention due to their high-worth victims, another ransomware called STOP Djvu is infecting more people than all of them combined on a daily basis.

Kupidon is the latest ransomware targeting your data

The latest ransomware that everyone needs to watch out for is called Kupidon, and it targets not only corporate networks, but also home users' personal data. This ransomware is targeting both personal users and businesses, most likely through exposed remote desktop servers. Once the threat actors gain access, they manually encrypt the files on the victim's computers. When encrypting data, it appends the .kupidon extension to the file's name.

REvil Ransomware Operators Target Universal Logistics Holdings

The REvil ransomware operators add another breach to their list. In this instance, they struck Universal Logistics Inc and downloaded sensitive and highly confidential documents from the company's database. As of now, the ransomware operators have posted a sample of the files and data they downloaded from the company. As per the Cyble Research Team, this small leak from the large lot (around 500 GB) seems to be a warning for the company to accept the ransomware operators' terms. Unfortunately, if Universal Logistics Inc does not accept the terms, the REvil ransomware operators appear ready to leak a large lot of the company's sensitive data.

Misc

Playing around with the Fuchsia operating system

Fuchsia is a new operating system developed by Google, targeting the AArch64 and x86_64 architectures. While little is known about the purpose of this OS and where it will be used, it seems plausible that it aims at replacing Android on smartphones and Chrome OS on laptops. In the interest of acquiring knowledge on an OS that could possibly run on millions of devices in the future, Quarkslab has decided to take a quick look at Fuchsia, learn about its inner design, security properties, strengths and weaknesses, and find ways to attack it.

Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service

The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, have each been sentenced to six months of community service by an Israeli court.

Fake SpaceX YouTube channels scam viewers out of $150K in bitcoin

Scammers have hijacked three YouTube channels to display bitcoin scams impersonating Elon Musk's SpaceX channel. So far, these scams have raked in close to $150,000 in bitcoin in two days. For years, scammers have been impersonating Elon Musk and SpaceX to run fake cryptocurrency giveaways and other scams promising significant returns if you send them a little bitcoin.