Cybersecurity Newsletter - 09/30/2020
Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
The Threat Hunter Team at Symantec has uncovered a new espionage campaign carried out by the Palmerworm group, also known as BlackTech, involving a brand new suite of custom malware and targeting organizations in Japan, Taiwan, the U.S., and China across several sectors, from media and construction to electronics and finance. In this campaign, which started back in August 2019, the group uses a combination of custom malware, dual-use tools, and living-off-the-land tactics. As in previous attacks, Palmerworm operatives are using stolen code-signing certificates to digitally sign malicious payloads in order to evade enterprise malware detection mechanisms. Symantec's team does not attribute Palmerworm's activity to any specific geography; however, Taiwanese officials have stated publicly that they believe the group they call BlackTech to be backed by the Chinese government.
Swatch shuts down computer systems to stop a cyber attack
"Swatch Group confirms that it has identified clear signs of a developing cyber attack on some of its computer systems over the weekend. For security reasons, the Group took immediate action, including the precautionary closure of some of its computer systems, which affected some operations. The Swatch Group immediately assessed and analysed the nature of the attack, took appropriate action and implemented the necessary corrections. The situation will return to normal as soon as possible. The Group will, of course, be filing a criminal complaint against X," Swatch told BleepingComputer in a statement. The Swatch Group did not want to give further details about the type of attack it suffered, but it was likely a ransomware attack.
Fake software crack sites used to push Exorcist 2.0 ransomware
The threat actors behind the Exorcist 2.0 ransomware are using malicious advertising to redirect targets to fake software crack sites that distribute their malware. According to security researchers, PopCash malvertising is redirecting users from legitimate sites to a fake software crack site. This crack site pretends to offer download links for programs that break the copyright protection on commercial software so that it can be used for free. When visiting the Exorcist Tor payment site, targets can get free decryption of one file, a way to chat with the threat actors, and the ransom amount that they need to pay. In Exorcist ransom notes seen by researchers from BleepingComputer, ransom demands ranged from as low as 250 dollars to as high as 10,000 dollars.
Over 247K Exchange servers un-patched for actively exploited vulnerability
More than 247,000 Microsoft Exchange servers have yet to be patched against CVE-2020-0688, a post-authentication remote code execution (RCE) vulnerability impacting all supported Exchange Server versions. The CVE-2020-0688 RCE vulnerability exists in the Exchange Control Panel (ECP) component, which is enabled in default configurations, and it enables potential attackers to remotely take over vulnerable Exchange servers using any valid email credentials. Microsoft addressed the security issue as part of its February 2020 patches and tagged it with an "Exploitation More Likely" exploitability index assessment, suggesting that the vulnerability is an attractive target for attackers. On March 4th, after several proof-of-concept exploits surfaced on GitHub, cyber-security firm Rapid7 added an MS Exchange RCE module to the Metasploit penetration testing framework it develops.
Personal data leakage at Louis Vuitton
Louis Vuitton has patched a security vulnerability on its website that allowed user accounts to be listed and even allowed accounts to be purchased by resetting passwords. The easily exploitable vulnerability resided in the MyLV account section of the website.
The researcher reports the vulnerability, gets a vague response
Having discovered the vulnerability, security researcher Sabri Haddouche contacted Louis Vuitton as part of the responsible disclosure process. The researcher stated that the vulnerability is surprisingly easy to exploit and that he had found it by accident when clicking on one of the links in a Louis Vuitton email.
WhatsApp can be forced to decrypt WhatsApp Google Drive backups by state surveillance
According to a Reddit post, the backups of WhatsApp chats stored in Google Drive or iCloud can be a door to accessing the messages despite the end-to-end encryption the app offers to its users. The messages in these backups are saved in plain text, and access to them is not protected by a unique password each time the user wants to access them; rather, the same keys are reused for all users. The theory about why the most used messaging app does not have stronger security is usually based on the same thing: that it would be an accessible back door for secret services and governments, from where they could read the messages and conversations of suspects. In this way, access to these messages could be ordered by a judicial authority, regardless of the country.
Dishonest Shopify employees accessed customer information without authorization
"Recently, Shopify learned of an incident involving the data of less than 200 merchants. We immediately initiated an investigation to identify the problem and the impact, so that we can take action and notify the affected merchants," says the Shopify announcement. According to the investigation, two rogue members of its support team were involved in a scheme to obtain the transaction records of certain merchants. The data accessed by the two rogue employees without authorization included name, email address, physical address, and order details (e.g. products and services purchased). The company confirmed that financial information had not been affected.
Vulnerabilities affecting the chipsets of wireless routers from Qualcomm, Mediatek, and Realtek
CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991 refer to a partial authentication bypass vulnerability affecting multiple products from these manufacturers. The Synopsys Cybersecurity Research Center notes it was unable to create a comprehensive list of vulnerable devices and chipsets, and vulnerable chipsets may be embedded in additional products. The vulnerability would enable an attacker to inject packets into a WPA2-protected network without any knowledge of the pre-shared key. These packets would be routed through the network as valid packets are, the researchers explain, and responses to the injected packets would return encrypted. Because an attacker could control what is sent through the network, they could determine whether an injected packet affected an active system. In response to the vulnerability, MediaTek and Realtek say patches will be made available upon request. Qualcomm says the identified chipsets have all reached end of life and have been discontinued; the issue does not affect currently supported chipsets, the company says.