Friday, May 29, 2020

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time

Microsoft has warned on a new breed of patient ransomware attacks that lurk in networks for weeks before striking.
A Java-based ransomware known as PonyFinal has galloped onto the scene, targeting enterprise systems management servers as an initial infection vector.
According to a warning on Twitter from Microsoft Security Intelligence on Wednesday, PonyFinal is not an automated threat, but rather has humans pulling the reins. It exfiltrates information about infected environments, spreads laterally and then waits before striking: the operators go on to encrypt files at a later date and time, when the target is deemed most likely to pay.
Encryption is carried out by appending files with a “.enc” file name extension; the ransom note meanwhile is a simple text file, researchers said.
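As an added illustration (not code from the article or from Microsoft), the following detector runs over constructed file-server audit lines and flags a host that renames many files to the ".enc" extension within a short window, using a text-file creation on the same host as a corroborating signal for the ransom note. The log format, hostnames, paths and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines (hypothetical format; not from any real incident).
SAMPLE_EVENTS = """\
2020-05-27T02:13:01Z host=fs01 op=rename src=/share/q1.xlsx dst=/share/q1.xlsx.enc
2020-05-27T02:13:02Z host=fs01 op=rename src=/share/plan.docx dst=/share/plan.docx.enc
2020-05-27T02:13:02Z host=fs01 op=rename src=/share/db.bak dst=/share/db.bak.enc
2020-05-27T02:13:03Z host=fs01 op=create src=- dst=/share/README_FOR_DECRYPT.txt
2020-05-27T02:13:04Z host=fs01 op=rename src=/share/hr.pdf dst=/share/hr.pdf.enc
2020-05-27T02:13:05Z host=fs01 op=rename src=/share/notes.txt dst=/share/notes.txt.enc
2020-05-27T09:40:10Z host=fs02 op=rename src=/home/a/x.pdf dst=/home/a/x.pdf.enc
2020-05-27T11:12:00Z host=fs02 op=rename src=/home/a/y.pdf dst=/home/a/y.bak
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) op=(\S+) src=(\S+) dst=(\S+)$")

def parse(line):
    """Parse one audit line into (timestamp, host, op, src, dst); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, op, src, dst = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, op, src, dst

def detect_enc_bursts(lines, threshold=5, window_s=60):
    """Return {host: {"first", "last", "count", "note_seen"}} for each host that
    renamed at least `threshold` files to .enc within `window_s` seconds.
    `note_seen` records whether a .txt file was created on that host before the
    burst crossed the threshold (a weak corroborating signal for a ransom note)."""
    recent = defaultdict(deque)   # per-host sliding window of .enc rename times
    notes = defaultdict(bool)     # per-host: any .txt created so far
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue              # skip malformed lines instead of crashing
        ts, host, op, src, dst = ev
        if op == "create" and dst.lower().endswith(".txt"):
            notes[host] = True
        if op != "rename" or not dst.lower().endswith(".enc"):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()           # drop renames older than the window
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"first": q[0], "last": ts,
                            "count": len(q), "note_seen": notes[host]}
    return alerts
```

With the sample above only fs01 trips the default threshold; fs02's single rename is noise at that setting.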

German Government Urges iOS Users to Patch Critical Mail App Flaws

According to ZecOps, the two vulnerabilities were first triggered in October 2010 and still affect all devices running iOS. Recently, a series of ongoing remote attacks was seen targeting iOS users through these two zero-click security vulnerabilities, affecting iPhone and iPad devices since at least January 2018.

Attacks abused the two bugs and targeted high-profile targets

The two vulnerabilities, a heap-based buffer-overflow issue (CVE-2020-9819) and an out-of-bounds write issue (CVE-2020-9818), could be triggered after the default mail application processes a maliciously crafted mail message.
  • Attacks exploiting these vulnerabilities targeted individuals from a Fortune 500 organization in North America, an executive from a carrier in Japan, a VIP from Germany, MSSPs from Saudi Arabia and Israel, a journalist in Europe, and an executive from a Swiss enterprise.
  • In these remote attacks, an attacker sends a specially crafted malicious email to a victim's mailbox; processing the message triggers the vulnerability on iOS and compromises the iPhone or iPad, allowing the attacker to access, leak, modify, and delete emails.

VivaVideo, “Spyware” App Maker, Contains Remote Access Trojan and Requests Dangerous App Permissions

A new report focuses on how VivaVideo, one of the biggest free video editing apps for Android, with at least 100 million installs on the Play store, is a Chinese "spyware" app. The app asks for a wide range of dangerous permissions, including the ability to read and write files to external storage, plus the user's precise GPS location (which is definitely not needed for a video editing app), claims VPNpro.
According to VPNpro, VivaVideo has a history of malware. In 2017, it was mentioned as one of 40 apps suspected of spyware in a country-wide advisory for all Indian military and paramilitary troops, with a recommendation to delete the apps immediately. The app in question is developed by QuVideo Inc., a Chinese company based in Hangzhou, which also creates SlidePlus (1M installs), with similarly unnecessary dangerous permissions, plus a paid version of VivaVideo. In addition, VPNpro found five apps in total within the developer's network.

NSA: Sandworm Actors Exploiting Vulnerability in Exim Mail Transfer Agent

Russian cyber actors from the GRU Main Center for Special Technologies (GTsST), field post number 74455, have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019, warns a new National Security Agency (NSA) cybersecurity advisory. The cyber actors responsible for this malicious cyber program are known publicly as Sandworm team.
According to the NSA, Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.
When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.

Hackers Compromise Cisco Servers Via SaltStack Flaws

Attackers compromised six Cisco VIRL-PE servers that are affected by critical SaltStack vulnerabilities.
Cisco said attackers were able to compromise its servers after exploiting two known, critical SaltStack vulnerabilities. The flaws exist in the open-source Salt management framework, which is used in Cisco network-tooling products.
Two Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco’s network operating systems.
Hackers were able to successfully exploit the flaws incorporated in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.

ACLU Sues Clearview AI Over Faceprint Collection, Sale

Watchdog group said company has violated the Illinois BIPA and ‘will end privacy as we know it’ without intervention.
The American Civil Liberties Union (ACLU) has sued a New York-based startup for amassing a database of biometric face-identification data of billions of people and selling it to third parties without their consent or knowledge.
The U.S. citizens'-rights watchdog organization has filed suit in the Circuit Court of Cook County in Illinois against Clearview AI, on behalf of a number of organizations representing vulnerable communities, such as survivors of sexual assault or domestic violence and undocumented immigrants, for violating the Illinois Biometric Information Privacy Act (BIPA).

NSA Warns of Sandworm Backdoor Attacks on Mail Servers

The Russian spy group, a.k.a. BlackEnergy, is actively compromising Exim mail servers via a critical security vulnerability.
The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet’s top email server software, according to the National Security Agency (NSA).
The bug exists in the Exim Mail Transfer Agent (MTA) software, an open-source offering used on Linux and Unix-like systems. It essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet’s email servers, according to a survey last year.

Evolving Tactics, Techniques, and Procedures in the Ransomware Landscape

Ransomware attacks have increased manifold over the years and so have the ransom demands. This year-over-year evolution of ransomware threats is primarily attributed to emerging tactics, techniques, and procedures adopted by attackers.

Most common intrusion point

According to a report from Group-IB, Remote Desktop Protocol (RDP) was the common point of intrusion for ransomware in 2019. Vulnerable Windows RDP ports were abused in 70-80% of all ransomware attacks in 2019 to gain an initial foothold.

Big-league players like Ryuk, LockerGoga, REvil, MegaCortex, Maze, and NetWalker used open RDP ports to sneak into a company's networks and servers.

Turla Hacker Group Continues to Innovate and Stun Security Researchers

Turla, which is widely believed to be a Russian state-sponsored hacker group, is known for using innovative methods for developing and distributing malware for its espionage campaigns. Recently, it was observed using common technologies like Gmail and errors in HTTP protocols for controlling its malware.

Latest discoveries:

In May 2020, ESET researchers found that the Turla group members had deployed an updated version of the ComRAT malware, containing some pretty clever new features.
  • The latest variant of the malware, ComRAT v4 (the ComRAT family was first seen in 2017), adds two new features: the ability to exfiltrate antivirus logs and the ability to control the malware through a Gmail web interface in order to bypass some security controls.
  • Turla uses Gmail's web user interface as one of the two command-and-control channels for the updated malware, the other being a legacy HTTP channel. It can also delete entries from the logs created by antivirus software to cover its tracks.
  • Turla used ComRAT v4 to steal confidential documents, taking advantage of public cloud services like 4shared and OneDrive to exfiltrate the stolen data during its attacks against governmental and military institutions in Eastern Europe and the Caucasus.

Advocating Security Fundamentals During and After COVID-19

The COVID-19 health crisis almost instantly changed how the world works, bringing with it new security threats and challenges.
As organizations work to find the path forward and emerge stronger on the other side, it’s important to take stock of where we are and where we need to be.

Working Together While Apart

Thursday, May 28, 2020

Researchers Uncover Brazilian Hacktivist's Identity Who Defaced Over 4800 Sites

It's one thing for hackers to target websites and proudly announce it on social media platforms for all to see. It's, however, an entirely different thing to leave a digital trail that leads cybersecurity researchers right to their doorsteps.

That's exactly what happened in the case of a hacktivist under the name of VandaTheGod, who has been attributed to a series of attacks on government websites since July 2019.

A New Free Monitoring Tool to Measure Your Dark Web Exposure

Last week, application security company ImmuniWeb released a new free tool to monitor and measure an organization's exposure on the Dark Web.

To improve the decision-making process for cybersecurity professionals, the free tool crawls Dark Web marketplaces, hacking forums, and Surface Web resources such as Pastebin or GitHub to provide you with a classified schema of your data being offered for sale or leaked.

All you need to launch a Dark Web search is to enter your domain name.

New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data

Cybersecurity researchers today uncovered a new advanced version of ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail's web interface to covertly receive commands and exfiltrate sensitive data.

"ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020," cybersecurity firm ESET said in a report shared with The Hacker News. "We identified at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region."

New Tool Can Jailbreak Any iPhone and iPad Using An Unpatched 0-Day Bug

The hacking team behind the "unc0ver" jailbreaking tool has released a new version of the software that can unlock every single iPhone, including those running the latest iOS 13.5 version.

Calling it the first zero-day jailbreak to be released since iOS 8, unc0ver's lead developer Pwn20wnd said "every other jailbreak released since iOS 9 used 1day exploits that were either patched in the next beta version or the hardware."

How Cybersecurity Enables Government, Health, EduTech Cope With COVID-19

The advent of the Covid-19 pandemic and the impact on our society has resulted in many dramatic changes to how people are traveling, interacting with each other, and collaborating at work.

There are several trends taking place as a consequence of the outbreak, which has only continued to heighten the need for the tightest possible cybersecurity.

DNS traffic and DDoS events rise during pandemic

New research from DNS intelligence specialist Farsight Security, focusing on over 300 leading websites, finds that between March and April there has been an increase in DDoS events involving popular brand names.

It also reveals that DNS cache misses (which occur when the data fetched is not present in the cache) showed an increase of between four and seven times.
