OSINT News - November 30, by Bart Otten

by Bart Otten in Security

Investigation with a twist: an accidental APT attack and averted data destruction

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ 

In late April 2020, a client invited the CSIRT incident response team at the Positive Technologies Expert Security Center (PT ESC) to investigate a network compromise that resulted in encryption of files on servers and employee workstations. We initially assumed that this was yet another attack on ...

www.ptsecurity.com

---

A hacker is selling access to the email accounts of hundreds of C-level executives

https://www.zdnet.com/article/a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives/ 

---

FBI issued an alert on Ragnar Locker ransomware activity

https://securityaffairs.co/wordpress/111286/malware/ragnar-locker-ransomware-fbi-alert.html 

FBI issued an alert on Ragnar Locker ransomware activity--Security Affairs

The U.S. Federal Bureau of Investigation (FBI) issued a flash alert (MU-000140-MW) to warn private industry partners of an increase in Ragnar Locker ransomware activity following a confirmed attack from April […]

securityaffairs.co

---

Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware

https://securityaffairs.co/wordpress/111321/malware/cursedgrabber-malware-campaign.html 

CursedGrabber: Massive threat campaign strikes open-source repos--Security Affairs

Sonatype’s deep-dive research identified a new family of Discord malware called CursedGrabber.

Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware campaign leveraging the open-source ecosystem. The malware called “xpc.js” […]

securityaffairs.co

---

TikTok fixed security issues that could have led one-click account takeover

https://securityaffairs.co/wordpress/111336/hacking/tiktok-domains-security-flaws.html 

TikTok fixed security issues that could have led one-click account takeover--Security Affairs

TikTok has addressed a couple of security issues that could have been chained to lead to account takeover. The first issue addressed by the social media platform is a reflected XSS security flaw that was reported by the bug bounty hunter Muhammed “milly” Taskiran via the bug bounty platform HackerOne. The Cross-Site-Scripting flaw affected the company […]

securityaffairs.co

---

Romanians arrested for running underground malware services

https://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html 

Romanians arrested for running underground malware services--Security Affairs

The arrests are the result of a joint operation conducted with the support of the FBI, Europol, and the Australian and Norwegian police. “Two Romanian suspects have been arrested yesterday for allegedly running the CyberSeal and Dataprotector crypting services to evade antivirus software detection.” reads the press release published by Europol. “These services have been purchased by more ...

securityaffairs.co

---

Researchers show how to steal a Tesla Model X in a few minutes

https://securityaffairs.co/wordpress/111340/hacking/researchers-show-how-to-steal-a-tesla-model-x-in-a-few-minutes.html 

Researchers show how to steal a Tesla Model X in a few minutes--Security Affairs

A team of researchers from the Computer Security and Industrial Cryptography (COSIC) group at the KU Leuven University in Belgium has demonstrated how to steal a Tesla Model X in minutes by exploiting vulnerabilities in the car’s keyless entry system.

securityaffairs.co

---

TrickBot operators continue to update their malware to increase resilience to takedown

https://securityaffairs.co/wordpress/111381/cyber-crime/trickbot-evolution.html 

TrickBot operators continue to update their malware--Security Affairs

Following the recent takedown, the TrickBot operators have implemented various improvements to make it more resilient.

In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet ...

securityaffairs.co

---

SSH-backdoor Botnet With ‘Research’ Infection Technique

https://securityaffairs.co/wordpress/111477/malware/ssh-backdoor-botnet.html 

SSH-backdoor Botnet With ‘Research’ Infection Technique--Security Affairs

In a recent tweet, the malware researcher @0xrb shared a list containing URLs of recently captured IoT botnet samples. Among the links, there was an uncommon example, a URL behind a Discord CDN, which, as pointed out by the IoT malware researcher @_lubiedo, may be ...

securityaffairs.co

---

A new Stantinko Bot masqueraded as httpd targeting Linux servers

https://securityaffairs.co/wordpress/111393/malware/stantinkos-linux-variant.html 

A new Stantinko Bot masqueraded as httpd targeting Linux servers--Security Affairs

Researchers from Intezer have spotted a new variant of an adware and coin-miner botnet that has been operated by the Stantinko threat actors since 2012. The Stantinko botnet was first spotted by ESET in 2017, at the […]

securityaffairs.co

---

A zero-day in Windows 7 and Windows Server 2008 has yet to be fixed

https://securityaffairs.co/wordpress/111485/hacking/windows-7-server-2008-0day.html 

A zero-day in Windows 7 and Windows Server 2008 has yet to be fixed--Security Affairs

The researcher was developing his own Windows privilege escalation enumeration script, named PrivescCheck, which is a sort of updated and extended version of the famous PowerUp. “If you have ever run this script on Windows 7 or Windows Server 2008 R2, you probably noticed a weird recurring result and perhaps thought that it was a false positive just as I did.

securityaffairs.co

---

Watch out, WAPDropper malware could subscribe you to premium services

https://securityaffairs.co/wordpress/111442/malware/wapdropper-malware.html 

Watch out, WAPDropper malware could subscribe you to premium services--Security Affairs

Security researchers from Check Point have spotted a new malware family dubbed WAPDropper that targets mobile phone users to subscribe them to legitimate premium-rate services. Check Point experts observed the WAPDropper subscribing unaware users to premium services from ...

securityaffairs.co

---

Carding Action 2020: Group-IB supports Europol-backed operation saving €40 million

https://securityaffairs.co/wordpress/111503/cyber-crime/carding-action-2020-europol.html 

Carding Action 2020: Group-IB supports Europol-backed operation saving €40 million--Security Affairs

Carding Action 2020 targeted crooks selling and purchasing compromised card data on sites selling stolen credit card data and on darkweb marketplaces. Group-IB, a global threat hunting and intelligence company, has supported Carding Action 2020 – a cross-border operation led by Europol’s European Cyber Crime Centre (EC3) with the support of law enforcement agencies including The Dedicated Card ...

securityaffairs.co

---

Operation Falcon: Group-IB helps INTERPOL identify Nigerian BEC ring members

https://securityaffairs.co/wordpress/111459/cyber-crime/tmt-operation-falcon.html 

Operation Falcon: Group-IB helps INTERPOL identify Nigerian BEC ring members--Security Affairs

Group-IB, a global threat hunting and intelligence company, supported the INTERPOL-led Operation Falcon targeting a business email compromise (BEC) cybercrime gang from Nigeria, dubbed TMT by Group-IB. A cross-border anti-cybercrime effort that involved INTERPOL’s ...

securityaffairs.co

---

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/ 

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services — Krebs on Security

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the ...

krebsonsecurity.com

---

The smart video doorbells letting hackers into your home

https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/ 

The smart video doorbells letting hackers into your home – Which? News

11 smart doorbells purchased from online marketplaces have failed Which? security tests, in the latest example of smart products that could pose a risk to you and your home. Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing ...

www.which.co.uk

---

AG Healey Secures $525,000 in Settlement With Home Depot Over Data Breach

https://www.mass.gov/news/ag-healey-secures-525000-in-settlement-with-home-depot-over-data-breach 

AG Healey Secures $525,000 in Settlement With Home Depot Over Data Breach | Mass.gov

Massachusetts Attorney General Maura Healey today announced that her office secured $525,000 in a settlement with The Home Depot, Inc. resolving a multistate investigation of a 2014 data breach that exposed the payment card information of approximately 40

www.mass.gov

---

Sophos notifies data leak after a misconfiguration

https://securityaffairs.co/wordpress/111495/data-breach/sophos-data-leak.html 

Sophos notifies data leak after a misconfiguration--Security Affairs

ZDNet reported that the cyber-security firm Sophos is notifying customers via email about a security breach; the company became aware of the incident on November 24. “On November 24, 2020, Sophos was advised of an access […]

securityaffairs.co

---

Belden discloses data breach as a result of a cyber attack

https://securityaffairs.co/wordpress/111468/data-breach/belden-discloses-data-breach.html 

Belden discloses data breach as a result of a cyber attack--Security Affairs

“Belden was the target of a sophisticated attack by a party outside the company that accessed servers that contained personal information of some current and former Belden employees, as well as limited company information regarding some of our business partners.” reads a statement published by the company.

securityaffairs.co

---

Securing the fight against COVID-19 through open source

https://securitylab.github.com/research/securing-the-fight-against-covid19-through-oss 

Securing the fight against COVID-19 through open source - GitHub Security Lab

This blog describes a security vulnerability in the infrastructure that supports Germany’s COVID-19 contact tracing efforts. The mobile (Android/iOS) apps are not affected by the vulnerability and do not collect and/or transmit any personal data other than the device’s IP address. The infrastructure takes active measures to disassociate true positives from client IP addresses.

securitylab.github.com

---

Fake Zoom invite cripples Aussie hedge fund with $8m hit

https://www.afr.com/companies/financial-services/fake-zoom-invite-cripples-aussie-hedge-fund-with-8m-hit-20201122-p56f9c 

Fake Zoom invite cripples Aussie hedge fund with $8m hit

A Sydney hedge fund has collapsed after a cyber attack triggered by a fake Zoom invitation saw its trustee and administrator mistakenly approve $8.7 million in fraudulent invoices. The scam, the ...

www.afr.com

---

Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs

https://www.bleepingcomputer.com/news/security/hacker-posts-exploits-for-over-49-000-vulnerable-fortinet-vpns/ 

Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs

A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices. Present on the list of vulnerable targets are domains belonging to high street ...

www.bleepingcomputer.com

---

A week later, Manchester United has yet to recover after a cyberattack

https://securityaffairs.co/wordpress/111560/hacking/manchester-united-cyber-attack-2.html 

A week later, Manchester United has yet to recover after cyberattack--Security Affairs

Last week Manchester United was hit by a sophisticated cyber attack; the attack took place on Friday evening and the football club shut down its systems to prevent the malware from spreading further within. […]

securityaffairs.co

---

Details of 16 million Brazilian COVID-19 patients exposed online

https://securityaffairs.co/wordpress/111534/data-breach/brazilian-covid-19-patients-leak.html 

Details of 16 million Brazilian COVID-19 patients exposed online--Security Affairs

Personal/health details of more than 16 million Brazilian COVID-19 patients, including Government representatives, have been exposed online

securityaffairs.co

---

Canon publicly confirms August ransomware attack and data breach

https://securityaffairs.co/wordpress/111523/malware/canon-confirms-ransomware-attack.html 

Canon publicly confirms August ransomware attack and data breach--Security Affairs

Canon has finally confirmed that it was the victim of a ransomware attack in early August and that the threat actors also stole data from its servers. In August, ZDNet first revealed […]

securityaffairs.co

---

Ransomware hits US Fertility the largest US fertility network

https://securityaffairs.co/wordpress/111513/data-breach/ransomware-hits-us-fertility.html 

Ransomware hits US Fertility the largest US fertility network--Security Affairs

The US Fertility (USF) network is comprised of 55 locations across 10 states that completed almost 25,000 IVF cycles in 2018 through its clinics, with 130,000 babies having been born.

“On September 14, 2020, USF experienced an IT security event [..] that involved the inaccessibility of certain computer systems on our network as a result of a malware infection,” reads the Notice of Data ...

securityaffairs.co

---

Danish news agency Ritzau hit by ransomware, but did not pay the ransom

https://securityaffairs.co/wordpress/111507/cyber-crime/ritzau-ransomware-attack.html 

Danish news agency Ritzau hit by ransomware, but did not pay the ransom--Security Affairs

Ritzau, the biggest Danish news agency, was hit by a ransomware attack that brought it offline. The cyber attack damaged a quarter of Ritzau’s 100 servers. The agency […]

securityaffairs.co

---

Retail giant E-Land closes nearly half of stores due to ransomware attack

https://www.koreatimes.co.kr/www/tech/2020/11/694_299692.html 

Retail giant E-Land closes nearly half of stores due to ransomware attack

South Korean fashion and retail conglomerate E-Land Group said Sunday it has suspended operations at nearly half of its stores in the country due to a ransomware attack. The group said its ...

www.koreatimes.co.kr
