1 June 2020

Weekly security roundup: June 1, 2020

As usual, this week’s roundup contains a brief overview of the most interesting cyber security news that made headlines over the past few days.

Last week the US National Security Agency (NSA) issued a security advisory warning organizations about cyber attacks on email servers conducted by a threat actor known as Sandworm Team. According to the alert, the Sandworm hackers have been exploiting a vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA) since at least August 2019. The flaw affects Exim 4.87 through 4.91 and was fixed in Exim 4.92.

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute commands with root privileges simply by sending a specially crafted email. With that level of access the attacker can install software, modify data, and create new accounts on the mail server.
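Two checks a defender would run after reading the above, written here as an added example that is not part of the original roundup or of the NSA advisory: compare the Exim version against the publicly documented affected range (4.87 to 4.91, fixed in 4.92), and scan mail logs for the `${run{` string-expansion item that the public exploits for this bug place in a sender or recipient address. The log lines are constructed for illustration and the mainlog layout is assumed; a distribution may also backport the fix without changing the version string, so the version check is a screen, not proof of exposure.

```python
import re

# Publicly documented affected range for CVE-2019-10149: Exim 4.87 up to and
# including 4.91. The fix shipped in Exim 4.92. Distribution packages may carry
# a backported fix under an older version number (assumption: check your vendor).
FIRST_AFFECTED = (4, 87)
FIXED_VERSION = (4, 92)

# The remote exploitation path abuses Exim's string expansion of an address.
# A "${run{...}}" expansion item in a MAIL FROM / RCPT TO local part is the
# indicator described in the public advisories.
EXPANSION_INDICATOR = re.compile(r"\$\{run\{", re.IGNORECASE)

# Constructed sample mainlog lines (not from a real system); the second one
# carries the expansion item in the sender address.
SAMPLE_MAINLOG = """\
2020-05-28 09:12:01 1jdX1a-0002Ke-4b <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2020-05-28 09:12:07 1jdX1g-0002Kk-7Q <= ${run{/bin/sh -c 'id'}}@localhost H=(badhost) [198.51.100.23] P=esmtp S=412
2020-05-28 09:13:15 1jdX2n-0002Lz-1x => bob@example.org R=local_delivery T=maildir C="250 OK"
"""


def parse_exim_version(banner: str) -> tuple:
    """Extract (major, minor) from the first line of `exim -bV` output,
    e.g. 'Exim version 4.91 #1 built 12-Jan-2019 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Exim version string found in banner")
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable(banner: str) -> bool:
    """True when the reported version lies in the affected range."""
    version = parse_exim_version(banner)
    return FIRST_AFFECTED <= version < FIXED_VERSION


def find_expansion_attempts(log_lines) -> list:
    """Return (line_number, line) pairs containing a ${run{ expansion item.
    Line numbers start at 1 so they can be quoted back to an operator."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if EXPANSION_INDICATOR.search(line):
            hits.append((number, line.rstrip()))
    return hits


if __name__ == "__main__":
    for banner in ("Exim version 4.91 #1 built 12-Jan-2019",
                   "Exim version 4.92 #3 built 10-Feb-2019"):
        print(banner, "-> vulnerable" if is_vulnerable(banner) else "-> not in affected range")
    for number, line in find_expansion_attempts(SAMPLE_MAINLOG.splitlines()):
        print(f"mainlog line {number}: possible CVE-2019-10149 attempt: {line}")
```

Run the version check with the first line of `exim -bV` on each mail host, and point the log scan at the live mainlog and rejectlog rather than the embedded sample; a hit does not prove successful exploitation, but any `${run{` in an address is not legitimate mail traffic and warrants investigation of the host.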

As part of a joint operation, the Chinese tech companies Qihoo 360 and Baidu have disrupted one of China's largest malware botnets, known as DoubleGuns, which targets only users in China and is believed to have infected hundreds of thousands of victims to date.

The main purpose of DoubleGuns is to install MBR and VBR bootkits on infected devices, load various malicious drivers, and then steal credentials from local applications such as Steam. The malware can also act as adware and is able to hijack QQ accounts in order to spread ads to the victim's friends via private messages.

Microsoft's security research team has issued an alert warning organizations about ongoing attacks involving a new piece of ransomware called PonyFinal, which has been in the wild for the past two months.

PonyFinal is Java-based ransomware that is deployed manually by attackers after they have gained a foothold in the network, rather than spreading on its own. The ransomware, which appeared on the cybercrime scene earlier this year, has been seen in attacks against victims in India, Iran, and the United States.

Researchers warn that PonyFinal's encryption scheme is correctly implemented, so there is currently no way to recover encrypted files without the attacker's key.

Security researchers have disclosed a new elevation-of-privilege (EoP) vulnerability that affects Android 9.0 and below. The flaw, dubbed StrandHogg 2.0, allows a malicious app to gain access to almost any other app on an infected device.

Like the original StrandHogg bug, StrandHogg 2.0 allows a malicious app to masquerade as a legitimate one while remaining completely hidden. Once the malicious app has been installed on the device, it can access personal data such as SMS messages, photos, and login credentials, track the user's GPS location, make and record phone calls, and spy on the user via the camera and microphone.

US authorities have arrested a Ukrainian national, Denys Iarmak, who is believed to be a member of the infamous hacking group FIN7, a gang allegedly responsible for stealing nearly $1 billion from enterprises in the United States.

Iarmak has been charged with conspiracy to commit wire and bank fraud, conspiracy to commit computer hacking, access device fraud, intentional damage to a protected computer, accessing a protected computer to commit fraud, and aggravated identity theft. According to the authorities, Iarmak was involved in FIN7's spear-phishing campaigns, which gave the group unauthorized access to victims' computers.

Japan's Defense Ministry is investigating a possible leak of information related to communication networks used by Japan's Self-Defense Forces, following a cyber attack on NTT Communications, a subsidiary of Nippon Telegraph and Telephone (NTT) Corporation, the largest telecommunications company in Japan and one of the largest worldwide.

NTT Communications said that hackers compromised its internal network and stole information on 621 customers. The threat actors breached several layers of NTT's IT infrastructure and reached an internal Active Directory server, from which they collected data and uploaded it to a remote server.

NTT said it had identified the external websites the attackers were using to communicate with their malware and has blocked access to them.
