DHS Urges Pulse Secure VPN Users To Update Passwords

Forcepoint vpn patch

The DHS urged organizations to update their passwords and make sure that a critical Pulse Secure VPN flaw has been patched, as attackers continue to exploit the flaw.

The Department of Homeland Security (DHS) is urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN.

DHS warns that the Pulse Secure VPN patches may have come too late. Government officials say before the patches were deployed, bad actors were able to compromise Active Directory accounts. So even those who have patched for the bug could still be compromised and are vulnerable to attack.

At the heart of the advisory is a known, critical Pulse Secure arbitrary file reading flaw that opens systems to exploitation from remote, unauthenticated attackers to gain access to a victim’s networks. Tracked as CVE-2019-11510, the bug was patched by Pulse Secure in April 2019, and many companies impacted by the flaw issued the fix to address the vulnerability since then.

But in many cases the damage is already done. Attackers have already exploited the flaw to snatch up victims’ credentials – and now are using those credentials to move laterally through organizations, DHS’ Cybersecurity and Infrastructure Security Agency (CISA) warned in the Thursday alert.

“CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,” according to CISA’s alert. “If—after applying the detection measures in this alert—organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts.”

The flaw exists in Pulse Connect Secure, Pulse Secure’s SSL VPN (virtual private network) platform used by various enterprises and organizations. Exploitation of the vulnerability is simple, which is why it received a 10 out of 10 CVSS ranking.  Attackers can exploit the flaw to get initial access on the VPN server, where they’re able to access credentials. A proof of concept (PoC) was made public in August 2019. During that time, Troy Mursch with Bad Packets identified over 14,500 Pulse Secure VPN endpoints that were vulnerable to this flaw. In a more recent scan, on Jan. 3, 2020, Mursch said 3,825 endpoints remain vulnerable.

One such vulnerable organization was Travelex, which took several months to patch critical vulnerabilities in its seven Pulse Secure VPN servers, according to Bad Packets. Some have speculated the lag time in patching these VPNs led to the eventual massive ransomware attack against Travelex.

Various other cybercriminals have targeted the Pulse Secure VPN flaw to compromise organizations, such as Iranian state sponsored hackers who leveraged the flaw to conduct cyber-espionage campaigns against dozens of companies in Israel.

In addition to urging organizations update credentials on accounts in Active Directory, which is the database keeps track of all organizations’ user accounts and passwords, CISA has also released a new tool to help network admins sniff out any indicators of compromise on their systems that are related to the flaw.

“CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks,” the advisory said.

Streaming TV Fraudsters Steal Millions of Ad Dollars in ‘ICEBUCKET’ Attack

icebucket streaming tv fraud ctv

Crooks manipulated connected TV supply-side ad platforms to create millions of fictional eyeballs.

A massive television ad fraud campaign that abuses the programmatic advertising ecosystem for connected TV (CTV) has successfully impersonated more than 2 million people in over 30 countries so far during its run, defrauding more than 300 different brands out of their ad dollars.

The recently uncovered CTV operation — named ICEBUCKET by the researchers at White Ops that discovered it – was bent on tricking advertisers into thinking there were real people watching TV on the other side of the screen, when in reality, they were bots pretending to be real people watching TV. In other words, the sellers of the ad inventory were bot-herders; and, they received money in exchange for running the ads – but the ads didn’t actually reach any human eyeballs.

A Word on Programmatic TV Advertising

CTV is generally defined as the ability to watch internet-streamed services on the big screen via smart TVs, set-top devices such as Roku, TiVo and others, or via app integrations found within cable provider services. CTV has especially caught fire in the last few years, especially with premiere streaming services offering top-tier original content. While a large portion of CTV advertising remains static and akin to traditional TV ads (i.e., inserted ahead of time with little user-specific targeting), programmatic advertising is starting to come into its own.

Programmatic advertising involves brands serving up dynamic, highly targeted ads within these video streaming services in an automated way, to specific slivers of demographic profiles – which is just like how advertising works on the internet as a whole. Advertisers can spend between $10 and $20 per 1,000 video ad impressions (this is known as the cost per million, or CPM) for programmatic ads, which makes them more expensive than other ad types.

In the television universe, programmatic marketing is carried out via complex, industry-specific programmatic ad systems. More specifically, a middle-man system known as a supply-side ad-insertion (SSAI) platform makes the connection between the brands that want to serve the ads and the companies that have the ad inventory that will be shown to subscribers. Those with inventory offer their wares within the SSAI environment, and the platform will then match up specific viewer attributes – in some cases down to very specific rich profile information – with targeted ad content.

SSAIs then “stitch” the appropriate ads into the fabric of video content on-the-fly, so that there aren’t the delays or hiccups typically caused by launching an ad player. Delivering video ad content through SSAI thus offers advertisers many benefits, including user personalization and latency reduction.

However, because there’s an automated platform in the middle, buyers and sellers typically don’t have a direct relationship, and the supply chain is less transparent than it could be – thus offering cybercrooks an opportunity, according to the researchers at White Ops.

“While SSAI is an elegant solution to ad serving, it’s still in its infancy. As with all new technologies, White Ops can see fraudsters finding the holes in the system and wiggling their way through,” according to an analysis published Thursday. “[In this case], fraudsters have found a way to spoof edge devices to replicate SSAI services….rather than show the ads to humans, the fraudsters call the reporting APIs indicating the ad has been ‘shown.’”

The Ongoing ICEBUCKET Campaign

ICEBUCKET is an ongoing operation, and while some of the fraud has been rooted out, more keeps cropping up. It’s a bit of a game of whack-a-mole, because the scope of the operation is significant, according to White Ops.

Timeline of the ICEBUCKET campaign. Click to enlarge.

At its peak in January, a full 28 percent of the programmatic CTV traffic that White Ops had visibility into, or around 1.9 billion ad requests per day, was fraudulent ICEBUCKET traffic.

“The operation … hid its sophisticated bots within the limited signal and transparency of server-side ad insertion (SSAI)-backed video ad impressions,” explained White Ops researchers, in an analysis published on Thursday. “The ICEBUCKET operation is the largest case of SSAI spoofing that has been uncovered to date.”

At its peak, ICEBUCKET used about 1,700 IPs for fake SSAI servers, located in nine countries; and more than 300 different legitimate app IDs from various publishers (these are assigned to specific viewer endpoints to be used for tracking). It also used more than 1,000 different user agents (i.e., the identifiers for different web browser or application types); around 500 of these were fake, created just for ICEBUCKET’s use.

“The user-agents used in the operation largely refer to obsolete device types that are no longer used in the general population, or devices that never existed in the first place,” explained White Ops.

To create the fictional viewers/eyeballs, ICEBUCKET also used at least 2 million spoofed IP addresses from 30+ countries (99 percent of which were located in the United States); White Ops said that the IP addresses showed signs of being algorithmically generated to mimic desirable audiences.

Further, the fraudsters masqueraded as a range of streaming devices, including pretending to be people using Roku devices (46 percent); Samsung Tizen Smart TVs (27 percent); GoogleTV, which was discontinued in 2014 (21 percent); and Android mobile devices (6 percent).

Rooting Out Fraud

One of the problems in uncovering fraud like this is a lack of visibility, according to White Ops, which explained that often, the information on inventory sources available to advertisers in an SSAI environment is limited to the device user-agent and IP address.

“While falsifying this data is relatively simple, the nuance of doing so convincingly makes this a form of a sophisticated bot attack,” the researchers explained. “The ICEBUCKET operation presented its traffic as coming from a legitimate SSAI provider (based on the inclusion of standard HTTP headers) for a variety of devices and apps, using custom code. ICEBUCKET assembled requests for ads to be inserted into video content for viewers using CTV and mobile devices, but none of those devices or viewers actually exist.”

Brands can protect themselves by working with advertising supply chains where there are direct relationships, so that they can consult frequently with ad tech partners, the firm noted. This will be especially important as more and more ad-supported streaming TV services are adopted by consumers.

“ICEBUCKET is an ongoing operation. The volumes have not gone down to zero,” White Ops researchers concluded. “Since CTV and SSAI spoofing are currently lucrative options for our adversaries due to the high [ad rates] on CTV consumers, we expect to see similar operations start, or that existing operations may shift from web and mobile toward CTV traffic.”

Alleged Zoom Zero-Days for Windows, MacOS for Sale, Report

Alleged Windows flaw allows for remote code execution and is being flogged for $500,000.

Hackers claim they have discovered two zero-day vulnerabilities for the Zoom video conferencing platform that would allow threat actors to spy on people’s private video conferences and further exploit a target’s system.

Flaws target Zoom clients for the Windows and the MacOS operating system, according to a published report by Vice Motherboard. According to the report, the hackers are asking $500,000 for the Windows exploit. The article cites two unnamed cybersecurity zero-day brokers who claim hackers have approached them in an attempt to sell the zero-day code.

It’s important to note, the Motherboard report states brokers have not reviewed the actual zero-day code and are basing opinion on what hackers are claiming to have for sale. According to the article, hackers allege the Windows-based exploit is a Remote Code Execution bug that would need to be chained to an additional exploit to infiltrate a target’s system. As for the macOS-base Zoom zero-day,  it can only be executed locally, meaning it is not a RCE-class bug, according to the report.

In a statement to Motherboard, Zoom said it could not find evidence substantiating the claims made by the publication. One of the Motherboard sources speculated the hackers behind the alleged exploits are “just kids who hope to make a bang”.

The Windows code could be a significant threat to Zoom users, according to experts quoted by Motherboard. “[It is] a nice, a clean RCE perfect for industrial espionage.”

The Windows-based zero-day exploit includes an additional prerequisite that requires the attacker to be a Zoom meeting participant with its target to launch the alleged attack.

Earlier this month, Zoom did patch two zero days in its macOS client that could give local, unprivileged attackers root privilege allowing access to victims’ microphone and camera.

Zoom Woes Have Been Mounting 

There is already evidence that Zoom enterprise and business users have been compromised by hackers. Last week, researchers uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials, including usernames and passwords for Zoom corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers and software vendors.

News of the vulnerabilities is the latest issue to plague Zoom since a surge in its use over the last month or so since governments around the world issued stay-at-home orders in the wake of the COVID-19 pandemic. Usage of the video-conferencing service has skyrocketed as millions have turned to the free platform to connect with friends, host work meetings, attend school lessons and do myriad other online activities.

Zoomboombing became the initial way hackers would break into video conferences, using the ease with which they could access links to Zoom conferences and jump on calls uninvited to disrupt them with pornography, hate speech or even physical threats to users.

Zoom eventually made a tweak to its user interface by removing meeting ID numbers from the title bar of its client interface to mitigate the attacks from threat actors. Before the tweak, anyone could join a Zoom meeting if they knew the meeting link, which many users would send via social-media channels.

A raft of other security threats emerged soon after, forcing Zoom to take action to mitigate and eliminate these threats. Zoom eliminated a feature called LinkedIn Sales Navigator that came under fire for “undisclosed data mining” of users’ names and email addresses, which the service used to match them with their LinkedIn profiles.

The company is currently facing a class-action lawsuit filed last week by one of its shareholders which alleges that the company made “materially false and misleading statements” that overstated its privacy and security measures, and claims that Zoom didn’t disclose its lack of end-to-end encryption.

All of these mounting woes inspired Zoom last week to recruit an industry heavy-hitter – former Facebook CISO Alex Stamos – to provide special counsel as well as name third-party expert security advisory teams to help clean up its act.

Cisco IP Phone Harbors Critical RCE Flaw

ciso ip phone critical rce bug

Cisco stomped out a critical vulnerability in its IP Phone web server that could enable remote code execution by an unauthenticated attacker.

Cisco is warning of a critical flaw in the web server of its IP phones. If exploited, the flaw could allow an unauthenticated, remote attacker to execute code with root privileges or launch a denial-of-service (DoS) attack.

Proof-of-concept (PoC) exploit code has been posted on GitHub for the vulnerability (CVE-2020-3161), which ranks 9.8 out of 10 on the CVSS scale. Cisco issued patches in a Wednesday advisory for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.

According to Jacob Baines with Tenable, who discovered the flaw, Cisco IP phone web servers lack proper input validation for HTTP requests. To exploit the bug, an attacker could merely send a crafted HTTP request to the /deviceconfig/setActivationCode endpoint (on the web server of the targeted device).

This triggers a stack-based buffer overflow due to the lack of input validation: “In libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked,” according to Baines.

The end result is the attacker being able to crash the device, or even potentially execute code remotely.

Affected products include: IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831 and Wireless IP Phone 8821 and 8821-EX.

Of note, according to Cisco, some of these products (particularly the Wireless IP Phone 8821 and 8821-EX) are utilized by the healthcare industry who are currently on the frontlines of the coronavirus pandemic.

critical cisco flaw IP Phone

Cisco has also confirmed various products that aren’t affected by the flaw on its website. Beyond Cisco’s patches, one mitigation for the flaw is disabling web access on the IP phones (in fact, web access is disabled by default on IP phones), according to Cisco.

New findings by Tenable’s Baines also led Cisco to bump up the severity of a previously-discovered vulnerability (CVE-2016-1421) in its IP phones to critical on Wednesday. Previously the flaw was medium-severity (ranking 5 out of 10 on the CVSS scale).

However, Baines found that the flaw could be exploited by an unauthenticated actor (previously Cisco said exploiting the flaw required authentication) and could potentially enable remote code execution as well as DoS (previously Cisco found it could only enable DoS). Baines also found a produce, the Wireless IP Phone 8821, to be vulnerable that wasn’t listed on the affected list.

Other Critical Flaws

Cisco Wednesday also addressed critical- and high-severity flaws tied to nine CVEs in its Cisco Unified Computing System (UCS) Director and Cisco UCS Director Express for Big Data. Cisco UCS Director is an end-to-end management platform for various Cisco and non-Cisco data infrastructure components. Cisco UCS Director Express for Big Data is an open private-cloud platform that delivers Big-Data-as-a-Service on premises.

The flaws (CVE-2020-3239, CVE-2020-3240, CVE-2020-3243, CVE-2020-3247, CVE-2020-3248, CVE-2020-3249, CVE-2020-3250, CVE-2020-3251, CVE-2020-3252) exist in the REST API for both products, and may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. Below is a list of affected products and the fixed releases.

critical cisco flaw

Steven Seeley of Source Incite, working with Trend Micro’s Zero Day Initiative, was credited with reporting the flaws.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory,” according to Cisco.

Tencent Ups Top Bug-Bounty Award to $15K

tencent hackerone bug bounty

The Chinese ISP has expanded its program via HackerOne.

The Tencent Security Response Center (TSRC) is launching an expanded bug-bounty program, via the HackerOne white-hat platform – and the company has increased its top reward to $15,000.

Tencent, a China-based global internet service provider, is opening up its existing bug-bounty program to HackerOne’s community of 600,000+ bug hunters, to widen the company’s vulnerability reporting and technical sharing efforts, it said in a launch notice on Tuesday. Tencent will also pay out its bounty payments via HackerOne’s platform from now on.

The top award in the program is now $15,000 for “quality reports on eligible valid vulnerabilities” that are critical-rated, according to the program details – an increase from $5,000 previously. As for what’s eligible and valid, awards are available across Tencent’s products and services, as well on its carrier networks.

Attacks on ISP networks and services can take many forms. Tencent said that it’s mainly interested in bugs that enable: cross-site scripting (XSS); cross-site request forgery (CSRF); server-side request forgery (SSRF); SQL injection; remote code execution (RCE); XML external entity attacks (XXE); access control issues (insecure direct object reference issues, etc.); exposed administrative panels; directory traversal issues; local file disclosure (LFD); and data leakage/data breach/information disclosure issues.

“Any design or implementation issue that is reproducible and substantially affects the security of Tencent users is likely to be in scope for the program,” according to TSRC.

Below is a general chart of what’s in-scope:

“Online security for our products and platforms is a top priority for Tencent,” said Juju Zhu, COO of TSRC, in a media statement. “While we develop and deploy advanced technologies to safeguard our platforms, we also collaborate with professional white hackers’ networks to help us enhance our security protection for our products and our users. We are the first company in China to set up a Security Response Center, and now by partnering with Hacker One, we expect to receive constructive research results from a larger, global community of security experts.”

According to HackerOne platform data in the 2019 Hacker-Powered Security Report, bug-bounty programs in the Asia-Pacific region have increased by 30 percent in 2019, thanks to new programs from China’s Ministry of Defence (MINDEF) and Government Technology Agency (GovTech), Toyota, Nintendo, Grab, Alibaba, LINE, OPPO, OnePlus and others.

MSC Data Center Closes Following Suspected Cyber-Attack

A container shipping company has said malware could be to blame for the closure of one of its data centers last week.

The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing. 

The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company’s myMSC portal. 

A message posted from the Twitter account MSC Cargo on April 10 stated: “We are sorry to inform you that http://MSC.com and myMSC are currently not available as we’ve experienced a network outage in one of our data centers. We are working on fixing the issue.”

As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.

“All our departments, terminals and depots are operating without disruptions,” said MSC. “Customers can still book via INTTRA and GT Nexus, which are both fully functional, or place bookings via email.”

While an investigation into what caused the data network outage is ongoing, MSC said that there was a chance that a cyber-attack could be at the root of the problem. 

In a message posted on Twitter on April 10, MSC said: “At this point in time we cannot rule out entirely the possibility of malware, but we can confirm that our agencies worldwide network is working. And that our local agents support customers for all services as usual.”

Following the incident, the container shipping company has closed down its servers at its headquarters in the Swiss city of Geneva. MSC said that the incident had only affected internal data processes and that the servers had been closed for security reasons. 

In a tweet shared on April 12, MSC appeared confident that a fix was just around the corner, writing, “Significant progress has been made to solve the network outage, and we are confident the issue will be solved shortly. We will continue to issue regular updates.”

TikTok Flaw Allows Threat Actors to Plant Forged Videos in User Feeds

The popular video-sharing apps’s use of HTTP to download media content instead of a secure protocol could lead to the spread of misinformation on the platform.

A security weakness in the popular TikTok video-sharing service allows a local attacker to hijack any video content streamed to a user’s TikTok feed and swap it out with hacker-generated content.

Researchers created a proof-of-concept (PoC) hack using a technique called a man-in-the-middle (MiTM) attack against devices running the TikTok app. Video planted in user feeds appear to be legitimate content.

The flaw is that the TikTok app uses insecure HTTP for video content in an effort to improve the speed with which it can transfer data, researchers Talal Haj Bakry and Tommy Mysk asserted in a blog post Monday. However, this lack of protection also allows threat actors to easily identify and alter any HTTP traffic—including videos—flowing over the network, they said.
Like all social media apps with a large user base, TikTok relies on content delivery networks (CDNs) to distribute their massive data geographically,” Bakry and Mysk wrote. “TikTok’s CDN chooses to transfer videos and other media data over HTTP. …HTTP traffic can be easily tracked, and even altered by malicious actors.”

Bakry is a senior iOS developer at NuraLogix Corp. while Mysk is a DJ and music producer.

The vulnerability is particularly worrisome, the two assert, as social media is used to spread misinformation and shape public opinion. This, they maintain, could make the popular video-sharing app the latest platform for threat actors to engage in spreading lies and sowing division among users of TikTok.

In their proof-of-concept attack, Mysk and Bakry demonstrated how popular TikTok users, using verified accounts, could have their video streams hijacked to show misleading videos downplaying the severity of the COVID-19 pandemic.

“The circulation of misleading and fake videos in a popular platform such as TikTok poses huge risks,” researchers wrote. “That encouraged us to stage a man-in-the-middle attack to swap videos and demonstrate the results.”

According to Mysk, video content, TikTok profile images and static video images are all vulnerable to attack because they are transmitted from regional content delivery networks (CDNs) using the insecure hypertext transfer protocol (HTTP) protocol instead of the encrypted hypertext transfer protocol secure (HTTPS) protocol.

Leading CDNs such as Apple and Google already have technologies and settings built into iOS and Android, respectively, that require HTTP connections to use encrypted HTTPS to secure the transmission of data. However, they both have provided a way for developers to opt-out of HTTPS for backwards-compatibility, which “should be the exception rather than the rule,” researchers wrote.

TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) still use unencrypted HTTP to connect to the TikTok CDN, Bakry and Mysk noted. They urged TikTok, “a social networking giant with around 800 million monthly active users,” to fix the problem as soon as possible and “adhere to industry standards in terms of data privacy and protection.”

Carrying out the attack requires an adversary to control the router someone is using to access the internet and TikTok. Next, the attacker can redirect HTTP requests for video content, which is part of a TikTok user’s stream, to a hacker-controlled server. That allows the attacker to perform a MiTM attack, manipulate any data sent via HTTP and deliver hacker-controlled video content instead of the legitimate TikTok user’s content.

In their PoC, researchers hosted their forged videos on a server that mimics the behavior of TikTok CDN servers, v34[.]muscdn[.]com in a scenario that swaps out user videos for their fake ones. Because the server impersonates TikTok servers, the app cannot tell it’s an impostor, researchers said.

“The trick to direct the app to our fake server is simple; it merely includes writing a DNS record for v34[.]muscdn[.]com that maps the domain name to the IP address of our fake server,” researchers wrote. “This can be achieved by actors who have direct access to the routers that users are connected to.”

In addition to random threat actors with various agendas, others that can use the TikTok vulnerability to create and spread fake videos include: Wi-Fi operators, which can configure the router to use a corrupt DNS server; malicious VPN providers and ISPs such as telecoms which can configure a corrupt DNS server for their users; or governments and intelligence agencies, which can force ISPs to install tools that track or alter data, researchers warned.

“If you distrust any of these actors, then what you watch on TikTok may have been altered,” Bakry and Mysk wrote. “This also applies to any internet service that uses HTTP.”

Cybercriminals Target’s Healthcare Orgs on Coronavirus Frontlines

covid-19 cyberattacks target hospitals

Cybercriminals aren’t sparing medical professionals, hospitals and healthcare orgs on the frontlines of the coronavirus pandemic when it comes to cyberattacks, ransomware attacks and malware.

Recent malware campaigns reveal that cybercriminals aren’t sparing healthcare firms, medical suppliers and hospitals on the frontlines of the coronavirus pandemic.

Researchers have shed light on two recently uncovered malware campaigns: one targeting a Canadian government healthcare organization and a Canadian medical research university, and the other hitting medical organizations and medical research facilities worldwide.

The emails sent to these unnamed organizations purported to send COVID-19 medical supply data, critical corporate communications regarding the virus or coronavirus details from the World Health Organization (WHO) – but actually aimed to distribute ransomware, infostealer malware and more.

These recent campaigns are the tip of the iceberg when it comes to cybercrime targeting organizations in the healthcare space, researchers said. “Despite prior reporting by various sources indicating that some cyber-threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks,” said Adrian McCabe, Vicky Ray and Juan Cortes, security researchers with Palo Alto Networks’ Unit 42 team, in a Tuesday post.

Ransomware Attacks

Between March 24 – 30, researchers observed various malicious emails attempting to spread ransomware to several individuals associated with an unnamed Canadian government health organization actively engaged in COVID-19 response efforts, as well as a Canadian university that is conducting COVID-19 research.

The emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a rich text format (RTF) file that purported to spread information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability (CVE-2012-0158) in Microsoft Office, which allows attackers to execute arbitrary code.

ransomware coronavirus cyberattack

When opened, the malicious attachment drops a ransomware binary to the victim’s disk and then executes it. To avoid detection, the dropped binary has a hidden attribute set, which is used when some content is obsolete and no longer necessary, to completely hide details from the user. The binary also uses an Adobe Acrobat icon to further cloak its true purpose.

After further analysis of the code structure of the binary and the host-based and network-based behaviors, researchers determined that the malware is an open-source ransomware variant called EDA2, which is associated with a larger, parent ransomware family called HiddenTear.

After execution, the victim receives a ransomware infection notification display on their desktop, which states: “If you want to unlock your files you must sent .35 BTC [Bitcoin] to this address,” and then gives an address for where to send the ransom payment. The ransomware binary then encrypts various files extensions, including “.DOC”, “.ZIP”, “.PPT” and more. Of note, “this ransomware binary has a particularly substantial limitation; it is hardcoded to only encrypt files and directories that are on the victim’s desktop,” said researchers.

Researchers said the ransomware samples in this campaign weren’t successful in reaching their intended victims. Other targets haven’t been so lucky, however. Despite ransomware gangs recently pledging that they would stop attacking hospitals in the midst of the pandemic, cyberattacks continue. Several hospitals have been targeted by the Ryuk ransomware, according to security researcher “PeterM” on Twitter.PeterM@AltShiftPrtScn

I can confirm that #Ryuk ransomware are still targeting
hospitals despite the global pandemic. I’m looking at a US health care provider at the moment who were targeted overnight. Any HC providers reading this, if you have a TrickBot infection get help dealing with it ASAP.267Twitter Ads info and privacy216 people are talking about this

Hammersmith Medicines Research, a London-based healthcare provider that was working with the British government to test COVID-19 vaccines, was also recently hit by a ransomware attack. The Maze ransomware operators, which launched the attack, later posted the stolen data online.

Malware Attacks

Unit 42 researchers also spotted a separate campaign targeting various organizations, including medical organizations and medical research facilities located in Japan and Canada, with the AgentTesla malware. Other firms targeted by this malware include a United States defense research entity, a Turkish government agency managing public works, and several large technology and communications firms headquartered in Canada, Germany and the United Kingdom (all unnamed).

The malspam emails used the coronavirus as a lure, with a malicious attachment pretending to be a “COVID-19 Supplier Notice” or a “Corporate advisory” for coronavirus.

ransomware coronavirus cyberattack

The email address sending the malspam emails, “Shipping@liquidroam[.]com,” uses a legitimate business domain for LiquidRoam, which provides sales of electric skateboards. This led researchers to conclude that the domain has been compromised and that the infrastructure is being used by cybercriminals.

The attachments for the emails were actually droppers delivering variants of the AgentTesla malware family. AgentTesla, an info-stealing malware which has been around since 2014, is sold in multiple forums commonly visited by cybercriminals, and is one of the top malware families of choice of the SilverTerrier threat actor, known for business email compromise (BEC) campaigns.

“All the associated samples connected to the same C2 domain for exfiltration: ‘ftp[.]lookmegarment[.]com,’” researchers said. “Our analysis also shows that the AgentTesla samples had hard-coded credentials used to communicate with the C2 over FTP.”

Attackers continue to leverage coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams.

“It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis,” said Unit 42 researchers.

Cisco’s Phishing Attack which Steals Webex Credentials

cisco webex meeting phishing

Emails purporting to be a Cisco “critical security advisory” are actually part of a phishing campaign trying to steal victims’ Webex credentials.

An ongoing phishing campaign is reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to “update,” only to steal their credentials for Cisco’s Webex web conferencing platform instead.

The campaign is looking to leverage the wave of remote workers who, in the midst of the coronavirus pandemic have come to rely on online conferencing tools like Webex (as well as Zoom and other platforms). With this upward spike in online meetings, compromised Webex credentials could be a cybercriminal’s golden ticket into web conference calls where sensitive files and data are shared (among other malicious activities).

“Targeting users of teleconferencing brands is nothing new,” said Ashley Tran with Cofense’s phishing defense center, in a Thursday analysis. “But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue be an increase in remote work phishing in the months to come.”


Researchers said the phishing emails are being sent with various attention-grabbing subject lines, such as “Critical Update” or “Alert!” and come from the spoofed email address, “meetings@webex[.]com”.

Researchers told Threatpost, this was a mass “spray and pray” phishing campaign with “numerous end users” receiving and reporting the email from several several industries, including the healthcare and financial spaces.

“With the subject and mail content combined, this may [engage] users’ curiosity enough to entice them click in order to take the requested action,” said Tran.

The body of the email embeds content from a real Cisco Security Advisory from December 2016, along with Cisco Webex branding. The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco’s management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated, remote attackers to install Docker containers with high privileges on affected systems; at the time of disclosure in 2016, it was being exploited in the wild. However, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release (also in 2016).

cisco Webex phishing campaign

“In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further,” said the Confense researcher. “The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223.’”

The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and points them to a “Join” button to learn more about the “update.”

The attackers behind this campaign appear to be meticulous in the details, right down to the URL linked to the “Join” button. If more cautious email recipients hover over the button to check the URL, they’ll find the URL [hxxps://globalpagee-prod-webex[.]com/signin] to be strikingly similar to the legitimate Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].

The Landing Page

Victims who click on the “Join” button are redirected to the phishing landing page, which is identical to the legitimate Cisco WebEx login page. Researchers said one small difference is that when email addresses are typed into the legitimate Webex page, entries are checked to verify if there are associated accounts. On the phishing page, meanwhile, any email format entry takes the recipient directly to the next page to request their password.

The threat actor registered the fraudulent domain tied to the landing page through the Public Domain Registry just days before sending out the phishing emails. The fraudulent domain was still live and active as of Wednesday, researchers said.

cisco Webex phishing campaign

“The attacker has even gone as far as obtaining a SSL certificate for their fraudulent domain to gain further trust from end users,” researchers said. “While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate the eyes of many users.”

Researchers warn users to stay on the lookout for bad actors spoofing web conferencing and virtual collaboration apps. In general, attackers are taking advantage of the panic around the coronavirus with phishing emails around financial reliefpromises of a cure and symptom information details.

Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update

oracle critical security update

Oracle will detail 405 new security vulnerabilities Tuesday, part of its quarterly Critical Patch Update Advisory.

Oracle admins are staring down the barrel of a massive quarterly Critical Patch Update that includes 405 patches.

Business software giant Oracle Corp. revealed 286 of those vulnerabilities are remotely exploitable across nearly two dozen product lines.

Impacted with multiple critical flaws, rated 9.8 CVSS in severity, are 13 key Oracle products including Oracle Financial Services Applications, Oracle MySQL, Oracle Retail Applications and Oracle Support Tools, according to the company’s April Critical Patch Update Pre-Release Announcement, posted Monday.

Each of the bugs will be addressed with mitigation advice or patches by Oracle on Tuesday, coinciding with Microsoft’s April’s Patch Tuesday release of fixes. That will keep system and network admins taxed with a flood of critical vulnerabilities to contend with.

Oracle’s Fusion Middleware alone is reporting 49 “vulnerabilities [that] may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” according to the bulletin.

Oracle said in total, its Fusion Middleware family of software has 56 new security patches affecting nearly 20 related services, including Identity Manager Connector (v. 9.0), Big Data Discovery (v. 1.6) and WebCenter Portal (v. 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0).

The mammoth update also includes medium-severity flaws for its Java Platform, Standard Edition (Java SE), use for developing and deploying Java applications. Fifteen bugs, with an CVSS rating of 8.5, are remotely exploitable by an unauthenticated attacker over a network – no user credentials required.

Details of the Java SE bugs, along with technical insights and mitigation guidance for all 405 flaws, will be available Tuesday.

Oracle also patched 34 critical vulnerabilities in the Oracle Financial Services Applications suite, 14 of those being remotely exploitable. Forty-five bugs in Oracle MySQL were identified, nine being remotely exploitable with a CVSS rating of 9.8.

Oracle’s popular Database Server line had just nine security bugs, two are remotely exploitable and have a CVSS rating of 8.0. As with many other Oracle products impacted by flaws this quarter, Oracle said none of the Database Server bugs “are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.”