Cisco Systems is warning of a high-severity flaw affecting more than a half-dozen of its small business switches. The flaw could allow remote, unauthenticated attackers to access the switches’ management interfaces with administrative privileges. Affected models span Cisco’s Smart Switch, Managed Switch and Stackable Managed Switch lines (full list below). Cisco said it was unaware of active exploitation of the vulnerability. Software updates remediating the flaw are available for some of the affected switches; others have reached end of life (EOL) and will not receive a patch.

The flaw (CVE-2020-3297), which ranks 8.1 out of 10.0 on the CVSS scale, stems from the use of weak entropy when generating session identifier values, a Wednesday Cisco security advisory said. “An attacker could exploit this vulnerability to determine a current session identifier through brute force and reuse that session identifier to take over an ongoing session,” according to Cisco’s advisory. In this way, an attacker can defeat the devices’ authentication protections and obtain the privileges of the hijacked session’s account. If the victim is an administrative user, the attacker could gain administrative privileges on the device.

Specifically affected by the issue are: Cisco 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed…

A venerable point-of-sale (POS) malware called Alina, which has been around since 2012, is back in circulation with a new trick for stealing credit- and debit-card data: Domain Name System (DNS) tunneling. DNS is the mechanism that links website names to numeric IP addresses: it translates human-readable domain names to IP addresses so browsers can load internet resources.

Researchers at Black Lotus Labs spotted a still-ongoing campaign that began in April, in which cyberattackers employed Alina to siphon off payment-card information, then used DNS to exfiltrate it. “To do this, malware authors encode the stolen information and issue a DNS query to the actor-controlled domain name,” according to the researchers’ analysis, issued on Wednesday. “The encoded data is placed in a subdomain, which the malicious actors then extract when they receive the DNS query. The stolen data is subsequently sold in underground criminal markets.”

In the most recent campaign, four domains showed similar, suspicious DNS queries that turned out to lead back to Alina: analytics-akadns[.]com; akamai-analytics[.]com; akamai-information[.]com; and akamai-technologies[.]com. A suspicious-looking fifth domain, sync-akamai[.]com, was unused, but it was hosted on the same IP, according to the researchers. “Actors often register multiple domains to provide redundancy if one or more of the malicious domains is blocked,” according to the analysis. The volume of queries that Black Lotus Labs observed…

The new malware sample discovered this week, dubbed EvilQuest by security researchers, may be ushering in a new class of Mac malware, according to Thomas Reed, director of Mac and mobile with Malwarebytes. While EvilQuest pretends to be ransomware, in the background it is actually using its ransomware functionality as a front for exfiltrating large amounts of data, Reed said – the first Mac malware he has seen doing so. EvilQuest also features the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on victims’ systems.

Overall, the new malware sample points to a rapidly evolving Mac landscape. In fact, for the first time ever, in 2019 researchers found that Macs had outpaced Windows PCs in the number of threats detected per endpoint. Reed discusses EvilQuest and other Mac threats in this week’s Threatpost podcast. Listen below, or download it directly.

Below find a lightly edited transcript of the podcast.

Lindsey O’Donnell Welch: Hi, everyone, welcome back to the Threatpost podcast. You’ve got your host, Lindsey O’Donnell Welch here today with Threatpost. And we’re…

Researchers have uncovered a surveillance campaign, dating back to at least 2013, that has used a slew of Android surveillanceware tools to spy on the Uyghur ethnic minority group. The campaign uses four Android surveillanceware tools, dubbed SilkBean, DoubleAgent, CarbonSteal and GoldenEagle. The purpose of these tools is to gather and exfiltrate personal user data to attacker-operated command-and-control (C2) servers. “Many samples of these malware tools were trojanized legitimate apps, i.e., the malware maintained complete functionality of the applications they were impersonating in addition to its hidden malicious capabilities,” said Lookout security researchers Apurva Kumar, Christoph Hebeisen and Kristin Del Rosso, in a Wednesday analysis.

The malware families were used in widespread campaigns that originated in China, which predominantly targeted Uyghurs but also, to a lesser extent, Tibetans. The Uyghurs, a Turkic minority ethnic group associated with Central and East Asia, have previously been targeted in other spyware attacks, including an ActionSpy campaign seen as recently as June. Researchers believe the Uyghurs were being targeted based on the titles of the apps through which the spyware was spread, and on the in-app functionality of the spyware samples. Such titles include “Sarkuy” (Uyghur music service), “TIBBIYJAWHAR” (Uyghur pharmaceutical app) and “Tawarim” (Uyghur e-commerce site). Researchers say the surveillance apps in the campaign were likely…

Email is in crisis. Despite massive advancements in perimeter and endpoint defenses, email remains a cybersecurity weak link for many companies. Why? Email is at the heart of everything we do online. It’s an essential line of communication for one-on-one and group conversations, both business-to-business and business-to-consumer. It’s used for account activation, service registration, password resets, invoicing, purchase verification, opt-in confirmations, loyalty clubs and identity verification.

Adding to the risk is the fact that a record number of employees are working from home, an environment where workers are more distracted and are using less-secure networks and hardware. This is why it’s so critical to verify that the emails that land in your inbox are trustworthy and safe.

Consider recent inbox attack trends. Phishing attacks are mutating faster than ever, shifting tactics and lures constantly. One campaign hijacks the World Health Organization’s identity and offers dubious tips and dangerous links to COVID-19 resources. A message from an unknown sender appears as a personal note from one of your friends. Emails from “your CEO” ask for gift card donations to a charity. “Urgent” invoices from trusted “business partners” contain misleading bank information for wire transfers.

Evading Existing Defenses

The problem is that attackers have learned how to get through email security at all three defensive layers currently in use by most organizations: the…

Microsoft has quietly pushed out two emergency security updates to fix remote code execution bugs in the Microsoft Windows Codecs Library. The Windows Codecs Library handles how the OS compresses large multimedia files such as photos and videos, and then decodes them for playback within applications. The out-of-band updates, addressing a critical-severity flaw (CVE-2020-1425) and an important-severity vulnerability (CVE-2020-1457), were sent out via Windows Update on Tuesday night and affect several versions of Windows 10 and Windows Server 2019.

Both vulnerabilities allow for remote code execution “in the way that Microsoft Windows Codecs Library handles objects in memory,” according to the updates. CVE-2020-1425, if exploited, could allow an attacker to execute arbitrary code, while CVE-2020-1457 can be exploited to allow a bad actor to obtain information that would further compromise the user’s system. Both flaws can be exploited if users of affected systems open corrupted media files within applications that use the native Windows Codecs Library.

Microsoft included a complete list of the affected Windows 10 and Windows Server distributions in its advisories, which offered little in terms of specific detail on the flaws. The company did say, however, that there are no mitigations or workarounds for the vulnerabilities. Affected customers need to take no action to receive the update, as they will be automatically updated via the Microsoft Store, according to the company. Alternatively,…

A rare new ransomware strain targeting macOS users has been discovered, called EvilQuest. Researchers say the ransomware is being distributed via various versions of pirated software. EvilQuest, first discovered by security researcher Dinesh Devadoss, goes beyond the normal encryption capabilities of run-of-the-mill ransomware, including the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on victims’ systems.

EvilQuest samples have been found in various versions of pirated software that are being shared on BitTorrent file-sharing sites. While this method of infection is relatively unsophisticated, it is common for other macOS malware variants – including OSX.Shlayer – “thus indicating it is (at least at some level) successful,” according to Patrick Wardle, security researcher with Jamf, in a Monday analysis. While Devadoss found the ransomware purporting to be a Google Software Update package, Wardle inspected a ransomware sample that was being distributed via a pirated version of “Mixed In Key 8,” software that helps DJs mix their songs.

Another sample was analyzed Tuesday by Thomas Reed, director of Mac and mobile with Malwarebytes, in a malicious, pirated version of Little Snitch. Little Snitch is a legitimate, host-based application firewall for macOS. The malicious installer was found available for download on a Russian forum dedicated to sharing torrent links. “The legitimate…

Bug-bounty programs have become a popular way for vendors to root out security flaws in their platforms, attracting talented white-hats with the promise of big rewards. According to HackerOne’s 2020 List of the Top 10 Bug Bounty Programs on its platform, Verizon Media, PayPal and Uber are in the elite group. “These top 10 programs are setting the standard for how transparency breeds trust in security in collaboration with a team of diverse hackers from across the globe,” HackerOne CTO and co-founder Alex Rice said in an emailed statement. “At HackerOne, Default to Disclosure is one of our values. And while this isn’t a mandate for our customers and hackers, it is something we encourage every customer to think about. By sharing where we’re vulnerable, other defenders can learn, friendly hackers can learn, and we’re all safer in the end.”

Verizon Media tops the list with $9.4 million paid out since it started its program in 2014, with its top bounty coming in at $70,000. It saw surging success this year, with lifetime awards up from $1.8 million. That’s only one of several notable changes from the 2019 rankings. Also new for 2020, PayPal outstripped Uber, taking the No. 2 position and relegating the ride-share giant to third place. That said, PayPal is a distant second to Verizon Media in terms of bounty volume (though it has had less time than Verizon Media to rack up payments). It has so far paid out $2.8 million, with $30,000 as its…

The APT group known as StrongPity is back with a new watering-hole campaign, targeting mainly Kurdish victims in Turkey and Syria. The malware served gives operators the ability to search for and exfiltrate any file or document from a victim’s machine. The group (a.k.a. Promethium) is operating a series of bogus websites purporting to offer a range of popular software utilities. The tools on offer are trojanized versions of archivers, file-recovery applications, remote-connection applications, security software and more. These include 7-zip, WinRAR archiver, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities and RAR Password Unlocker.

The sheer variety of trojanized applications on offer in the latest campaign is a method aimed at casting a wide net in terms of victims’ interests, according to researchers at Bitdefender in a report released Tuesday. That’s not to say, however, that the attacks are devoid of targeting. The effort selectively targets victims using a pre-defined IP list, researchers said; if the victim’s IP address matches one found in the installer’s configuration file, the attackers deliver a tainted version of the trojanized application. Otherwise, they deliver a legitimate version. The IPs on the list appear to correspond to Kurdish targets, according to the research. And as with previous StrongPity campaigns, the malware, once installed, has an “exfiltration…

The University of California, San Francisco (UCSF) has paid a $1.14 million ransom to recover data related to “important” academic work. The data was encrypted after the NetWalker ransomware reportedly hit the UCSF medical school. UCSF, which includes a medical school and a medical center (UCSF Medical Center) as well as a graduate division, is a leading institution in biological and medical research.

The university said that it first detected a “security incident” in its medical school’s IT environment on June 1. The attackers launched malware that encrypted a “limited number” of servers within the medical school, making them inaccessible. “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” said the university in a recent security update. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

Threatpost reached out to UCSF for more information about how the cyberattack started and whether it has received a decryption key that works. The cyberattack did not affect the university’s patient care delivery operations, overall campus network, or COVID-19 work, it said. UCSF also said it does “not currently believe” patient medical records were exposed, but is continuing its investigation. “Our investigation is…
