News – January 2020

January 31, 2020

The US Federal Bureau of Investigation (FBI) has launched an investigation into NSO Group based on suspicions that US residents and companies may have been compromised for intelligence-gathering purposes. According to the Reuters news agency, investigators began examining NSO in 2017 during an inquiry into whether US hackers had provided the code necessary for the company to ...

January 31, 2020

Damaged mobile phones are still filled with plenty of useful data, according to researchers at the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. NIST published the results of a recent study on forensic methods for getting data from mobile damaged mobile phones. It tested the tools that ...

January 31, 2020

Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using ...

January 31, 2020

Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. 2019-nCoV, which is believed to have originated in Wuhan, China, in the past month, has caused hundreds of deaths and thousands of confirmed cases in China alone. The virus has already spread to ...

January 31, 2020

The UK’s Her Majesty’s Revenue and Customs (HMRC) tax collection agency is asking for a blockchain analytics tool useful in the hunt for cybercriminals — and perhaps asset tax avoiders. In a project request posted last week, HMRC asked bidders to provide a tool that “will support intelligence-gathering methods to identify and cluster cryptoasset transactions into linked ...

January 30, 2020

Facebook has agreed to pay $550 million to Illinois users to settle a class action lawsuit filed over the use of its face-tagging technology to collect facial-recognition data on its social media platform. The company unveiled the settlement on a quarterly financial call Wednesday, in which it attributed the settlement to the company’s general and administrative costs, which ...

January 30, 2020

Cybercriminals were found selling over 30 million credit card records on the dark web, purportedly from a data breach suffered by a U.S.-based gas station and convenience store chain last year. The sale of the data collection, advertised under the name BIGBADABOOM-III on the dark marketplace Joker’s Stash, comes in the wake of the company’s data security incident ...

January 29, 2020

Google paid out $6.5 million in bug-bounty rewards in 2019, which doubles the internet behemoth’s previous annual top total. It has also highlighted additional bonuses that are now in effect for Chrome and Android. Last year saw some notable changes for Google’s Vulnerability Reward Programs (VRPs), including the launch of the Developer Data Protection Reward Program aimed at ...

January 29, 2020

Between September and December 2019, Unit 42 researchers periodically scanned and collected metadata from Docker hosts exposed to the internet (largely due to inadvertent user errors) and this research reveals some of the tactics and techniques used by attackers in the compromised Docker engines. In total, 1,400 unsecured Docker hosts, 8,673 active containers, and 17,927 ...

January 29, 2020

To paraphrase Mark Twain, reports of ransomware’s death have been greatly exaggerated. Ransomware attacks resumed with a vengeance last year, despite conjecture by some researchers that CPU mining would overtake ransomware as a leading threat vector. Instead, the ransomware threat is stronger than ever, impacting more than 750 healthcare providers and racking up recovery costs approaching $4 billion. Some healthcare ...

January 28, 2020

When a legacy protocol is connected via Ethernet, and subsequently to the internet, security issues arise. Standard Commands for Programmable Instruments (SCPI) is a legacy protocol that many advanced measurement instruments support. It can be issued via General Purpose Interface Bus (GPIB), Universal Asynchronous Receiver/Transmitter (UART), Universal Serial Bus (USB), or Ethernet. However, it is ...

January 28, 2020

Browser security takes a hit as Google and Mozilla discontinue a large number of browser extensions and add-ons due to malicious activity. The Google security team has temporarily disallowed the publishing or updating of paid extensions that use the Chrome Web Store payments. This is due to an influx of fraudulent transactions performed via the said extensions. The suspension ...

January 27, 2020

During the analysis of the xHunt campaign activities, we identified a Kuwaiti organization’s webpage used as an apparent watering hole. The webpage contained a hidden image which was observed between June and December 2019, and referenced domains associated with malicious activity conducted by the xHunt campaign operators. We believe that the same threat actors involved in ...

January 24, 2020

A honeypot set up to observe the current security landscape in smart manufacturing systems observed numerous threats—including cryptomining malware and ransomware—in just a few months, highlighting the new threats that industrial control systems (ICS) face with increased exposure to the internet. While in the past ICS networks were traditionally proprietary and closed systems, the advent of ...

January 24, 2020

There has been a dramatic shift in the platforms targeted by attackers over the past few years. Up until 2016, browsers tended to be the most common attack vector to exploit and infect machines but now Microsoft Office applications are preferred, according to a report published here during March 2019. Increasing use of Microsoft Office as a ...

January 24, 2020

Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple ...

January 23, 2020

A U.S. government agency was targeted with spear phishing emails harboring several malware strains – including a never-before-seen malware downloader that researchers call “Carrotball.” The campaign, which researchers observed occurring from July to October and code-named “Fractured Statue,” involved six unique malicious document lures being sent as attachments from four different Russian email addresses to 10 ...

January 23, 2020

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into ...

January 23, 2020

Over the course of the last year, Recorded Future research has demonstrated that Iran-nexus groups, possibly including APT33 (also called Elfin), have been prolific in amassing operational network infrastructure throughout 2019. Additionally, in November 2019, Microsoft disclosed that APT33 had shifted focus from targeting IT networks to physical control systems used in electric utilities, manufacturing, and oil refineries. We ...

January 23, 2020

Microsoft has revealed a misconfigured security command was the culprit behind a leak of one of Microsoft’s internal customer support databases that exposed some 250 million customer records. “Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data,” explained the Microsoft Security ...