Kwampirs Targeted Attacks Involving Healthcare Sector, (Tue, Mar 31st)Tue, 31 Mar 2020 00:52:46 GMT There is no honor among thieves. Even after some ransomware gangs claimed to seize targeting the healthcare sector, attacks continue to happen. But ransomware isn&#;x26;#;39;t alone. Last week, the FBI updated an advisory regarding the Kwampirs malware, pointing out the healthcare sector as one of its targets. Kwampirs isn&#;x26;#;39;t picky in its targeting. It has been observed going after various sectors (financial, energy, software supply chain, and healthcare, among others). One differentiator of Kwampirs is its modular structure. After penetrating a particular target network, the malware will load appropriate modules based on the targets it encounters. In general terms, Kwampirs is a "Remote Admin Tool" (RAT). It provides access to the target and can be used to execute additional payloads at the attacker&#;x26;#;39;s choosing.
Crashing explorer.exe with(out) a click, (Mon, Mar 30th)Mon, 30 Mar 2020 06:12:15 GMT In a couple of my recent diaries, we discussed two small unpatched vulnerabilities/weaknesses in Windows. One, which allowed us to brute-force contents of folders without any permissions[1], and another, which enabled us to change names of files and folders without actually renaming them[2]. Today, we'll add another vulnerability/weakness to the collection – this one will allow us to cause a temporary DoS condition for the Explorer process (i.e. we will crash it) and/or for other processes. It is interesting since all that is required for it to work is that a user opens a link or visits a folder with a specially crafted file.
Obfuscated Excel 4 Macros, (Sun, Mar 29th)Sun, 29 Mar 2020 14:53:19 GMT 2 readers (anonymous and Robert) submitted very similar malicious spreadsheets with almost no detections on VT: c1394e8743f0d8e59a4c7123e6cd5298 and a03ae50077bf6fad3b562241444481c1.
Malicious JavaScript Dropping Payload in the Registry, (Fri, Mar 27th)Fri, 27 Mar 2020 07:11:03 GMT When we speak about "fileless" malware, it means that the malware does not use the standard filesystem to store temporary files or payloads. But they need to write data somewhere in the system for persistence or during the infection phase. If the filesystem is not used, the classic way to store data is to use the registry. Here is an example of a malicious JavaScript code that uses a temporary registry key to drop its payload (but it also drops files in a classic way).
Two Zoom Zero-Day Flaws UncoveredWed, 01 Apr 2020 16:00:44 +0000 The zero-day Zoom flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.
Top Email Protections Fail in Latest COVID-19 Phishing CampaignWed, 01 Apr 2020 13:27:39 +0000 An effective spoofing campaign promises users important information about new coronavirus cases in their local area, scooting past Proofpoint and Microsoft Office 356 ATPs.
Zoom Scrutinized As Security Woes MountTue, 31 Mar 2020 17:35:02 +0000 The New York Attorney General has inquired about Zoom's data security strategy, as the conferencing platform comes under heavy scrutiny for its privacy policies.
Phish of GoDaddy Employee Jeopardized Escrow.com, Among OthersWed, 01 Apr 2020 03:30:46 +0000 A spear-phishing attack this week hooked a customer service employee at GoDaddy.com, the world's largest domain name registrar, KrebsOnSecurity has learned. The incident gave the phisher the ability to view and modify key customer records, access that was used to briefly hijack domains for a half-dozen GoDaddy customers, including transaction brokering site escrow.com.
Annual Protest to ‘Fight Krebs’ Raises €150K+Mon, 30 Mar 2020 17:42:52 +0000 In 2018, KrebsOnSecurity unmasked the creators of Coinhive -- a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals -- as the administrators of a popular German language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means "cancer" in German). This week, the forum is celebrating its third annual observance of that protest to "fight Krebs," albeit with a Coronavirus twist.
Russians Shut Down Huge Card Fraud RingThu, 26 Mar 2020 17:28:07 +0000 Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.