Highlights
Two more weeks have gone by. Phishing campaigns and ransomware continue to be in the spotlight, tormenting businesses across the globe.
In this edition of the newsletter we will cover:
- Ransomware attacks
- Massive phishing campaigns
- New vulnerabilities
Ransomware attacks
Microsoft has issued a warning about a new strain of the Android MalLocker ransomware which abuses incoming call notifications and the operating system’s Home button to lock infected devices. What makes this malware more intriguing is “the presence of a yet-to-be-integrated machine learning model that could be used to fit the ransom note image within the screen without distortion”.
Several Coronavirus research facilities – IQVIA, which manages AstraZeneca’s COVID-19 vaccine trial, and Bristol Myers Squibb, a drug manufacturer developing a quick test for the virus – have been affected by ransomware attacks. According to the two companies, the impact had been limited thanks to proper backups. In addition, IQVIA was not aware of any confidential data or patient information related to the clinical trial activities being removed, compromised, or stolen.
In another ransomware incident, Germany’s tech giant Software AG, which has a site in Bulgaria among other countries, has been hit with the CL0P cryptovirus. The company’s internal network has been breached and evidence of some of the exfiltrated files has been posted on the leak site of the malware’s operator.
Massive phishing campaigns
Greathorn researchers are warning of massive phishing campaigns aimed at Office 365 and Gmail users, redirecting unsuspecting victims to fraudulent login pages to steal their credentials or to deploy malicious loaders. On a separate note, Toolbox reports that cyber experts at Menlo Security have detected a campaign using multiple CAPTCHA images to convince victims to share their personal details.
New vulnerabilities
UK’s National Cyber Security Centre has been raising awareness about a new security vulnerability, CVE-2020-16952, affecting old versions of Microsoft SharePoint – SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2016 and SharePoint Server 2019. Successful exploitation can lead to remote code execution in the context of a local administrator account. The flaw exists due to the lack of proper validation of user-supplied data in the DataFormWebPart class. Authentication is necessary to exploit the vulnerability. Bearing in mind that a Python exploitation PoC is already available, organizations should patch with some urgency.
A security researcher (Yorick Koster) at Securify has found a Java deserialization vulnerability, CVE-2020-4280, in IBM’s Security Information and Event Management system – QRadar Community Edition v7.3.1.6 – which exposes the platform to remote code execution attacks. Java client applications convert objects into streams of bytes and then send them to the server. The server then deserializes them into their original form before processing. The problem is that some of the methods in QRadar’s RemoteJavaScript Servlet implementation use an old SerializationUtils class which does not properly handle deserialization. This allows attackers to send attacker-controlled serialized objects that the server will reconstruct and act on.
Recommendation: Deploy the patch matching your release – “QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1” or “QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5”.
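To make the mechanism above concrete, here is an added example (not QRadar code, and not from the Securify advisory) that puts the unfiltered deserialization pattern next to a hardened one. A plain ObjectInputStream stands in for the old SerializationUtils wrapper; SearchRequest and Unexpected are constructed types representing “what the server expects” and “anything else”. The hardened path uses the JDK’s ObjectInputFilter (Java 9 and later) as an allow-list, so a class the server never asked for is rejected before any instance of it is created.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: unfiltered Java deserialization versus a JDK 9+ ObjectInputFilter
// allow-list. Not QRadar code; SearchRequest and Unexpected are constructed stand-ins.
public class DeserializationDemo {

    // Hypothetical request type the server legitimately accepts from clients.
    public static final class SearchRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String query;
        SearchRequest(String query) { this.query = query; }
    }

    // Hypothetical serializable type the server never asked for. The point of the
    // demo is only that the unfiltered path reconstructs it without complaint.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Client side: turn an object into the byte stream that goes over the wire.
    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe pattern: a thin wrapper around ObjectInputStream with no filter, which is
    // what a SerializationUtils.deserialize(byte[]) call amounts to. Every class named
    // in the stream is resolved and instantiated before the caller sees the result.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allow-list filter consulted for each class (and array) in the
    // stream before an instance is created, plus size limits against resource-exhaustion
    // payloads. Anything outside the expected object graph is rejected.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = info -> {
            // Too deep, too many objects, or any array at all: reject.
            if (info.depth() > 3 || info.references() > 16 || info.arrayLength() >= 0) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                // Callback without a class (stream-level check); the limits above still applied.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return (c == SearchRequest.class || c == String.class)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new SearchRequest("status:open")); // constructed request
        byte[] bad = serialize(new Unexpected());                  // constructed, unexpected type

        // Both paths accept the expected type.
        System.out.println("unfiltered/good: " + deserializeUnfiltered(good).getClass().getSimpleName());
        System.out.println("filtered/good:   " + deserializeFiltered(good).getClass().getSimpleName());

        // The unfiltered path builds whatever class the bytes name...
        System.out.println("unfiltered/bad:  " + deserializeUnfiltered(bad).getClass().getSimpleName());

        // ...while the filtered path refuses before any instance exists.
        try {
            deserializeFiltered(bad);
            System.out.println("filtered/bad:    accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered/bad:    rejected: " + e.getMessage());
        }
    }
}
```

The filter is the defensive control worth copying: deserialization of untrusted input should name the handful of classes it expects and refuse everything else, rather than relying on a library wrapper to guess. Where code cannot be changed, the same filter can be installed process-wide through the jdk.serialFilter system property, and the vendor patch listed above remains the fix for QRadar itself.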
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
Sources
Amatas, Cyware, The Hacker News, The Daily Swig, Securify, Dark Reading, Toolbox, Menlo Security, Microsoft, Rapid7, Info Security Magazine, CPO Magazine, Creative Commons