Weekly security roundup: May 18

This week’s roundup provides a short overview of the most interesting events in the world of information and cyber security, including a cyber attack against the UK government contractor Interserve, a new threat called Blue Mockingbird, and more.

Security researchers have discovered an interesting cryptomining campaign that infects Windows machines with Monero cryptocurrency-mining malware.

Dubbed Blue Mockingbird, the campaign exploits a deserialization vulnerability (CVE-2019-18935) in the Progress Telerik UI for ASP.NET AJAX, which can allow remote code execution.

In the observed attacks the threat actor deployed XMRig Monero-mining malware by exploiting unpatched versions of Progress Telerik UI for ASP.NET AJAX and used multiple techniques to achieve persistence on the system.

Last week, US authorities officially accused hackers linked to the Chinese government of conducting attacks against U.S. organizations involved in COVID-19-related research.

Although U.S. officials did not reveal details of the alleged attacks, they urged medical organizations to stay vigilant and report suspicious cyber activity.

Interserve, one of Britain’s biggest government contractors, has suffered a cyber attack that reportedly resulted in the theft of sensitive information belonging to up to 100,000 current and former employees.

While the company did not disclose any details regarding the data breach, according to media reports the stolen data included names, bank details, payroll information, and personnel and disciplinary records.

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, has also become the victim of a cyber attack that caused only “a limited IT systems outage.” The company said the intrusion affected only its corporate network and did not affect its ATMs or customer networks.

The systems at Diebold Nixdorf were reportedly infected by the ProLock ransomware previously known as PwndLocker. The company said it did not pay the ransom demanded by the attackers, and refused to discuss the ransom amount.

According to a security alert released by the FBI earlier this month, the ProLock ransomware gains access to compromised networks via the Qakbot (Qbot) trojan. The agency did not say whether ProLock is created and managed by the Qakbot crew, or whether the ransomware operators rent access to Qakbot-infected hosts as part of a Crimeware-as-a-Service scheme.

Kaspersky researchers shared information on a new cyber espionage operation, focused on diplomatic bodies in Europe, that uses spoofed visa applications to deliver a new trojan.

The new malware is built from the same code base as the stealthy COMPFun remote access trojan (RAT) and may be the work of the Turla APT, a group that has a long history of using innovative methods to build malware and launch stealthy attacks.

The malicious application is disguised as a Portable Executable (PE) file, a .DOC file or a .PDF file. The dropper urges the user to run the file as administrator and, if the user accepts, installs the version of the trojan that matches the host’s architecture (either the 32-bit or the 64-bit Windows build).