This article offers an overview of some of last week’s most interesting cyber security news.
The Japanese antivirus maker Trend Micro has patched two zero-day flaws (CVE-2020-8467 and CVE-2020-8468) in its Worry-Free Business Security, Apex One and OfficeScan products that have been exploited in the wild. The first affects the migration tool component of Trend Micro Apex One and OfficeScan and allows an attacker to execute arbitrary code remotely on affected installations (RCE), while the second allows an authenticated attacker to “manipulate certain agent client components.”
The vendor did not provide any details about how exactly these flaws were exploited, or who is behind the attacks.
As the coronavirus continues to spread around the world, more and more cybercriminals are trying to take advantage of people’s anxiety to steal money or infect computers with malware.
Last week security researchers reported that some online-scammers are masquerading as the World Health Organization (WHO) in an attempt to trick people into sending them Bitcoin as a donation to WHO’s COVID-19 Solidarity Response Fund.
Also, IBM X-Force researchers have warned about a new phishing campaign in which cybercriminals are sending emails purporting to come from the World Health Organization with the goal of planting the HawkEye keylogger on victims’ computers.
Once installed on a victim's machine, the malware attempts to steal email and browser credentials, including those stored by Internet Explorer, Chrome, Safari and Firefox. HawkEye can also log keystrokes, capture screenshots and send the stolen data to its operators via encrypted email.
While ransomware remains one of the most common and dangerous threats to organizations, it was reported last week that some leading ransomware gangs, namely the DoppelPaymer and Maze operators, have pledged to refrain from attacking medical organizations during the coronavirus pandemic.
However, despite that promise, the Maze group attacked the computer systems of Hammersmith Medicines Research (HMR) and published personal details of thousands of former patients after the company declined to pay the ransom. According to the group, the attack was carried out on 14 March; the stolen data was published only days after the Maze operators had publicly promised not to attack medical research organizations.
France's national CERT (CERT-FR) has issued a warning following multiple reports of cyber attacks on local governments’ networks. The attacks appear to have been carried out with a new version of the Mespinoza ransomware, also known as Pysa.
Mespinoza was first spotted in October last year. Once on a system, it encrypts the files on the victim’s computer, appending a '.locked' extension to each encrypted file.
While CERT-FR has not been able to determine exactly how the Mespinoza/Pysa operators are breaking into victims' networks, some evidence suggests the gang may be launching brute-force attacks against management consoles and Active Directory accounts.
Pawn Storm (also known as APT28, Fancy Bear or Sednit), one of the most notorious hacking groups, has adopted a new approach to phishing. For the past year the group has been seen directly attacking web and cloud email services and using previously compromised email accounts belonging to high-profile staff at defense firms in the Middle East to send its phishing emails.
Once the hackers identify a vulnerable email server, they launch brute-force attacks to obtain credentials, exfiltrate email data and then use the compromised accounts to send out spam and phishing messages.
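Both the Mespinoza/Pysa intrusions (brute-forcing management consoles and Active Directory accounts) and the Pawn Storm campaign (brute-forcing mail servers and then using the stolen accounts) leave the same trace: a burst of authentication failures from one source, often followed by a success. The following is an added detection example, not code from the original article, CERT-FR or any vendor. It assumes a hypothetical, constructed log format (`<timestamp> <service> auth <success|failure> user=<name> src=<ip>`); in practice you would feed it normalized Windows 4625/4624 events or IMAP/Exchange authentication logs. The sample lines are constructed, not real data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data) in a hypothetical unified
# authentication-log format assumed for this example:
#   <ISO-8601 timestamp> <service> auth <success|failure> user=<name> src=<ip>
SAMPLE_LOG = """\
2020-03-14T02:00:01Z imap auth failure user=ceo src=203.0.113.7
2020-03-14T02:00:03Z imap auth failure user=ceo src=203.0.113.7
2020-03-14T02:00:06Z imap auth failure user=ceo src=203.0.113.7
2020-03-14T02:00:09Z imap auth failure user=ceo src=203.0.113.7
2020-03-14T02:00:12Z imap auth failure user=ceo src=203.0.113.7
2020-03-14T02:00:15Z imap auth success user=ceo src=203.0.113.7
2020-03-14T02:05:00Z ad auth failure user=alice src=198.51.100.9
2020-03-14T02:05:01Z ad auth failure user=bob src=198.51.100.9
2020-03-14T02:05:02Z ad auth failure user=carol src=198.51.100.9
2020-03-14T02:05:03Z ad auth failure user=dave src=198.51.100.9
2020-03-14T02:05:04Z ad auth failure user=erin src=198.51.100.9
2020-03-14T02:05:05Z ad auth failure user=frank src=198.51.100.9
2020-03-14T03:00:00Z ad auth failure user=alice src=192.0.2.5
2020-03-14T03:00:30Z ad auth success user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_auth_attacks(lines, window=timedelta(minutes=5), failure_threshold=5, spray_users=5):
    """Scan log lines in order and return a list of alert dicts.

    Three patterns, all keyed on the source address, using sliding time windows:
      bruteforce  - at least `failure_threshold` failures against one account within `window`
      spray       - failures against at least `spray_users` distinct accounts within `window`
                    (password spraying: few attempts per account, many accounts)
      compromised - a successful logon for an account that was brute-forced from the same
                    source, i.e. the attacker most likely now holds the credentials
    Each (src, user) pair or src is reported once per pattern to avoid alert storms.
    """
    alerts = []
    per_account = defaultdict(deque)   # (src, user) -> failure timestamps in window
    per_source = defaultdict(deque)    # src -> (timestamp, user) failures in window
    bruteforced, sprayed, compromised = set(), set(), set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, user, service = rec["ts"], rec["src"], rec["user"], rec["service"]
        key = (src, user)

        if rec["result"] == "failure":
            q = per_account[key]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= failure_threshold and key not in bruteforced:
                bruteforced.add(key)
                alerts.append({"type": "bruteforce", "src": src, "user": user,
                               "service": service, "failures": len(q), "ts": ts})

            sq = per_source[src]
            sq.append((ts, user))
            while sq and ts - sq[0][0] > window:
                sq.popleft()
            distinct = {u for _, u in sq}
            if len(distinct) >= spray_users and src not in sprayed:
                sprayed.add(src)
                alerts.append({"type": "spray", "src": src, "user": None,
                               "service": service, "users": sorted(distinct), "ts": ts})
        else:
            # A success only matters if it follows a brute-force burst from the same source.
            if key in bruteforced and key not in compromised:
                compromised.add(key)
                alerts.append({"type": "compromised", "src": src, "user": user,
                               "service": service, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the detector raises a brute-force alert for `ceo` from 203.0.113.7, then a "compromised" alert when that account logs in successfully from the same source, and a password-spray alert for 198.51.100.9; the single failure-then-success for `alice` from 192.0.2.5 is left alone, since an isolated typo is not an attack. The thresholds and window are deliberately parameters: a mail server exposed to the internet and an internal Active Directory domain controller justify different values.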