News – May 2020


  • Critical Cisco Bug in Unified CCX Allows Remote Code Execution

    May 21, 2020

    Cisco has hurried out a fix out for a critical remote code-execution flaw in its customer interaction management solution, Cisco Unified Contact Center Express (CCX). Cisco’s Unified CCX software is touted as a “contact center in a box” that allows companies to deploy customer-care applications. The flaw (CVE-2020-3280), which has a CVSS score of 9.8 out ...

  • NetWalker Ransomware Gang Hunts for Top-Notch Affiliates

    May 20, 2020

    The NetWalker ransomware – the scourge behind one of the recent Toll Group attacks – has transitioned to a ransomware-as-a-service (RaaS) model, and its operators are placing a heavy emphasis on targeting and attracting technically advanced affiliates, according to researchers. Traditionally, “technically advanced” and RaaS don’t tend to go together – after all, one of the benefits of ...

  • ‘Flight risk’ employees involved in 60% of insider cybersecurity incidents

    May 20, 2020

    Employees planning to leave their jobs are involved in 60% of insider cybersecurity incidents and data leaks, new research suggests. According to the Securonix 2020 Insider Threat Report, published on Wednesday, “flight risk” employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months ...

  • Verizon’s 2020 DBIR

    May 19, 2020

    Verizon’s 2020 DBIR is out, you can download a copy or peruse their publication online. Kaspersky was a contributor once again, and we are happy to provide generalized incident data from our unique and objective research. We have contributed to this project and others like it for years now. This year’s ~120 page report analyses data from ...

  • NXNSAttack technique can be abused for large-scale DDoS attacks

    May 19, 2020

    A team of academics from Israel has disclosed today details about NXNSAttack, a vulnerability in DNS servers that can be abused to launch DDoS attacks of massive proportions. According to the research team, NXNSAttack impacts recursive DNS servers and the process of DNS delegation. Recursive DNS servers are DNS systems that pass DNS queries upstream in order to ...

  • Hacker arrested in Ukraine for selling billions of stolen credentials

    May 19, 2020

    The Ukrainian Secret Service (SSU) announced today the arrest of a hacker known as Sanix, responsible for selling billions of hacked credentials on hacking forums and Telegram channels. The SSU says it arrested Sanix in Ivano-Frankivsk, a city in western Ukraine. Authorities did not release the hacker’s name. Sanix has a long history on underground hacking forums, ...

  • Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding

    May 18, 2020

    Unit 42 researchers uncovered a new botnet campaign using Perl Shellbot, intended to mine Bitcoin, while avoiding detection using a specially crafted rootkit. The bot is propagated by sending a malicious shell script to a compromised device that then downloads other scripts. After the victim device executes the downloaded scripts, it starts waiting for commands from its ...

  • Easyjet hacked: 9 million people’s data accessed plus 2,200 credit card details grabbed

    May 17, 2020

    Budget British airline Easyjet has been hacked, it has told the stock markets, admitting nine million people’s details were accessed and more than 2,000 customers’ credit card details stolen. Some information about the attack was released to the London Stock Exchange by the company, which claimed it had been targeted by “a highly sophisticated source”. Email addresses and “travel ...

  • Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways

    May 14, 2020

    As part of Unit 42’s efforts to proactively monitor threats circulating in the wild, I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019. There is no ...

  • Login with Facebook Bug Earns $20K Bounty

    May 14, 2020

    Facebook has awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which is used by developers to add a “Continue with Facebook” button to a page as an authentication method. Exploitation could allow threat actors to hijack accounts. Security researcher Vinoth Kumar identified a Document Object Model-based (DOM) ...

  • COMpfun authors spoof visa application with HTTP status-based Trojan

    May 14, 2020

    You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If you’re wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our Attribution Engine revealed a new Trojan with ...

  • QNodeService: Node.js Trojan Spread via Covid-19 Lure

    May 14, 2020

    We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan ...

  • COVID-19 blamed for 238% surge in cyberattacks against banks

    May 14, 2020

    The coronavirus pandemic has been connected to a 238% surge in cyberattacks against banks, new research claims. On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyberattack attempts between February and April this year — the same months in which COVID-19 began to spread ...

  • Texas Courts Won’t Pay Up in Ransomware Attack

    May 14, 2020

    A ransomware attack has hit the information technology office that supports Texas appellate courts and judicial agencies, leading to their websites and computer servers being shut down. The office said that it will not pay the ransom requested by the cybercriminals. Specifically affected is the Office of Court Administration (OCA), which is the IT provider for ...

  • This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones

    May 14, 2020

    A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user. Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather ...

  • UK electricity middleman hit by cyber-attack

    May 14, 2020

    Elexon, a crucial middleman in the UK power grid network, reported that it fell victim to a cyber-attack earlier today. In a short message posted on its website, the company said the incident only impacted its internal IT network and employee laptops. The company’s email server was also impacted and had been taken down, cutting employees off from crucial ...

  • Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments

    May 12, 2020

    Tropic Trooper, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such ...

  • COVID-19 Themed Malware Within Cloud Environments

    May 11, 2020

    Unit 42 researchers found that public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware. On March 24, 2020, Unit 42 published a blog discussing attack patterns used by malicious actors in relation to the novel Coronavirus (COVID-19). Taking these findings a step further, researchers attempted to uncover if there are malicious COVID-19 related ...

  • Updated BackConfig Malware Targeting Government and Military Organizations in South Asia

    May 11, 2020

    Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia. The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including ...

  • Threats and Consequences A Security Analysis of Smart Manufacturing Systems

    May 11, 2020

    In the era of Industry 4.0, there has been increasing adoption of smart manufacturing technologies by organizations looking to improve their manufacturing efficiency. While this has provided plenty of benefits, such as enhanced productivity at lower costs, it has also introduced new attack vectors that can be exploited by threat actors looking to gain a foothold ...