Two more weeks have gone by. Phishing campaigns and ransomware continue to be in the spotlight, tormenting businesses across the globe.
In this edition of the newsletter we will cover:
- Ransomware attacks
- Massive phishing campaigns
- New vulnerabilities
Ransomware attacks
Microsoft has issued a warning about a new strain of the Android MalLocker ransomware which abuses incoming call notifications and the operating system’s Home button to lock the infected devices. What makes this malware more intriguing is “the presence of a yet-to-be-integrated machine learning model that could be used to fit the ransom note image within the screen without distortion”.
Several Coronavirus research facilities – IQVIA, which manages AstraZeneca’s COVID-19 vaccine trial, and Bristol Myers Squibb, a drug manufacturer developing a quick test for the virus – have been affected by ransomware attacks. According to the two companies, the impact was limited thanks to proper backups. In addition, IQVIA was not aware of any confidential data or patient information related to the clinical trial activities being removed, compromised, or stolen.
In another ransomware incident, Germany’s tech giant Software AG, which has a site in Bulgaria among other countries, has been hit with the CL0P cryptovirus. The company’s internal network has been breached and evidence of some of the exfiltrated files has been posted on the leak site of the malware’s operator.
Massive phishing campaigns
GreatHorn researchers are warning of massive phishing campaigns aimed at Office 365 and Gmail users, redirecting unsuspecting victims to fraudulent login pages to steal their credentials or to deploy malicious loaders. On a separate note, Toolbox reports that cyber experts at Menlo Security have detected a campaign using multiple CAPTCHA images to convince victims to share their personal details.
New vulnerabilities
The UK's National Cyber Security Centre has been raising awareness about a new security vulnerability, CVE-2020-16952, affecting older versions of Microsoft SharePoint – SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2016 and SharePoint Server 2019. Successful exploitation can lead to remote code execution in the context of a local administrator account. The flaw exists due to the lack of proper validation of user-supplied data in the DataFormWebPart class. Authentication is necessary to exploit the vulnerability. Bearing in mind that a Python exploitation PoC is already available, organizations should patch with some urgency.
Recommendation: Deploy “QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1”, “QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5”.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Sources: Amatas, Cyware, The Hacker News, The Daily Swig, Securify, Dark Reading, Toolbox, Menlo Security, Microsoft, Rapid7, Info Security Magazine, CPO Magazine, Creative Commons