Check out the most interesting cybersecurity headlines of the past week in our latest roundup, including three zero-days in Microsoft’s products, a leak of 500,000+ Zoom accounts on the darknet, a massive ICEBUCKET ad fraud campaign, and more.
Last week Microsoft published its monthly roll-up of security updates, known as Patch Tuesday, which fixes 113 vulnerabilities in various products, including three Windows flaws that have been exploited in attacks for arbitrary code execution and privilege escalation. Two of the bugs (CVE-2020-1020 and CVE-2020-0938) are RCE flaws in the Windows Adobe Type Manager Library, and the third (CVE-2020-1027) is a Windows kernel flaw that allows a local user to escalate privileges on the system.
Dutch police said they took down 15 DDoS-for-hire services, which allowed users to sign up and launch DDoS attacks against any system exposed online. The authorities have also arrested a 19-year-old man from Breda suspected of having compromised two important Dutch government websites (MijnOverheid.nl and Overheid.nl) by carrying out DDoS attacks in March this year.
More than 500,000 Zoom accounts were found on sale on the dark web and hacker forums for 0.0020 cents each, and in some cases accounts were given away for free. The credentials were not stolen from Zoom, but instead gathered via credential stuffing attacks, where threat actors attempt to log in to Zoom using accounts leaked in older data breaches.
The account details included a victim's email address, password, personal meeting URL, and their HostKey. In some cases the accounts belonged to well-known companies, such as JPMorgan Chase Bank N.A. and Citigroup Inc.
Furthermore, in the past week reports emerged claiming that an exploit for a critical remote code execution vulnerability in the Zoom Windows app is being offered for sale for $500,000. This flaw would allow attackers to spy on communications. The hackers are also selling an exploit for another, less dangerous bug affecting the macOS client of the Zoom video conferencing platform.
However, Zoom said that it has “not found any evidence substantiating these claims.”
Operators behind the Nemty ransomware announced that they decided to abandon their public RaaS operation and switch to a private operation instead. Victims have been given a week to pay for decryptors before all servers are shut down.
Soon after the announcement was made, the Nemty gang shut down its "leak site," a portal where they publish files belonging to companies that refused to pay ransom demands.
Researchers from White Ops uncovered “the largest and widest Connected TV (CTV) related fraud operation to date”. Dubbed ICEBUCKET, the bot operation at its peak impersonated more than 2 million people in over 30 countries.
The ICEBUCKET operation involved cyber crooks using software bots to trick advertisers into thinking there were real viewers watching their ads on the other side of the smart TV screen. Using this tactic, the fraudsters got advertisers to pay for ad impressions that were never actually viewed by a real person.
Portuguese energy giant EDP got hit by a cyberattack that resulted in the theft of 10 TB of sensitive company files, including confidential information on billing, contracts, transactions, clients, and partners.
One of the major European operators in the energy sector has suffered a Ragnar Locker ransomware attack, and now the company is facing a 1580 BTC (~ €10m) ransom demand to prevent the release of sensitive information stolen by the malware operators.
The Cisco Talos threat research team has revealed a new campaign aimed at Azerbaijan government officials and companies in the country’s wind industry. The attackers are using new malware, which the researchers named PoetRAT because of its various references to the English playwright William Shakespeare.
The hackers monitored specific directories in order to exfiltrate certain information on the victims, and used a keylogger, browser credential stealers, Mimikatz and pypykatz for further credential harvesting.
Apart from malware attacks, the threat actor performed phishing attacks using a website masquerading as the Azerbaijan government’s webmail infrastructure. The attackers also expressed “an interest” in the control systems, known as Supervisory Control and Data Acquisition (SCADA) systems, used in wind turbines in Azerbaijan.