Threatpost

15946 matches found

ThreatPost | added 2020/05/06 2:32 p.m. | 52 views

Ransomware Attack Takes Down Toll Group Systems, Again

Australian transportation and logistics giant Toll Group has been hit by a ransomware attack – for the second time in three months. The company said a relatively new form of ransomware known as Nefilim had targeted its systems. Toll Group, a subsidiary of Japan Post Holdings, is a freight and...

AI score: 7.6 | Exploits: 0 | References: 18

ThreatPost | added 2020/05/06 1:05 p.m. | 66 views

Attackers Claim Identity of Financial NGO to Steal Sharepoint, Office Credentials

A new phishing campaign is targeting investment brokers with fraudulent emails aimed at stealing their Microsoft SharePoint and Office credentials, by invoking the identity of a credible financial regulatory organization. The “widespread, ongoing phishing campaign” is using emails that claim to b...

AI score: 0.2 | Exploits: 0 | References: 10

ThreatPost | added 2020/05/05 7:38 p.m. | 121 views

Spear-Phishing Attack Spoofs EE To Target Executives

Researchers warn of an ongoing spear-phishing attack mimicking a well-known telecommunications company, EE, to snatch up corporate executives’ credentials and payment details. Highly targeted emails have been sent to a few executives – including one at a leading financial firm – purporting to be...

AI score: 7.3 | Exploits: 0 | References: 11

ThreatPost | added 2020/05/05 6:40 p.m. | 41 views

VPN Concerns with Unplanned Remote Employees

The volume of employees working from home is steadily increasing, especially as local recruiting limits the number of skilled people. This along with the current state of coronavirus means that throughout the world, spikes in work-from-home policies are putting pressure on IT teams to scale virtu...

AI score: 7 | Exploits: 0 | References: 3

ThreatPost | added 2020/05/05 3:55 p.m. | 35 views

GoDaddy Hack Breaches Hosting Account Credentials

UPDATE GoDaddy, the world’s largest domain name registrar, is warning customers that attackers may have obtained their web hosting account credentials. An “unauthorized individual” was able to access users’ login details in an intrusion that the company said took place back in October — the compa...

AI score: 0.9 | Exploits: 0 | References: 9

ThreatPost | added 2020/05/05 3:32 p.m. | 35 views

New Kaiji Botnet Targets IoT, Linux Devices

A new botnet has been infecting internet of things (IoT) devices and Linux-based servers, to then leverage them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, has been written from scratch, which researchers say is “rare in the IoT botnet landscape” today. Kaiji, which wa...

AI score: 7.6 | Exploits: 0 | References: 14

ThreatPost | added 2020/05/05 2:17 p.m. | 55 views

Google Android RCE Bug Allows Attacker Full Device Access

Google has patched a vulnerability in its Android OS that could allow attackers to completely take over someone’s device to install programs, steal or change data, or create new accounts with full privileges. The flaw CVE-2020-0103 was one of 39 vulnerabilities affecting Android OS builds that us...

CVSS: 10 | AI score: 8.8 | EPSS: 0.0237 | Exploits: 0 | References: 13

ThreatPost | added 2020/05/04 10:31 p.m. | 35 views

Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems

The aircraft safety system known as the Traffic Alert and Collision Avoidance System (TCAS) can be coerced into sending an airplane on a mid-air rollercoaster ride – much to the horror of those onboard. Researchers were able to cobble together an effective method for spoofing the TCAS using a $10...

AI score: 0.4 | Exploits: 0 | References: 8

ThreatPost | added 2020/05/04 7:23 p.m. | 218 views

Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

Hackers targeted the publishing platform Ghost over the weekend, launching a cryptojacking attack against its servers that led to widespread outages. The attack stemmed from the exploit of critical vulnerabilities in SaltStack, used in Ghost’s server management infrastructure. Ghost is a free,...

CVSS: 7.5 | AI score: 9.3 | EPSS: 0.94234 | Exploits: 24 | References: 12

ThreatPost | added 2020/05/04 2:57 p.m. | 1130 views

Oracle: Unpatched Versions of WebLogic App Server Under Active Attack

Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month. Oracle WebLogic Server is a popular application server used in...

CVSS: 7.5 | AI score: 9.7 | EPSS: 0.94468 | Exploits: 55 | References: 15

ThreatPost | added 2020/05/01 8:53 p.m. | 100 views

Upgraded Cerberus Spyware Spreads Rapidly via MDM

A newly discovered variant of the Cerberus Android trojan has been spotted, with vastly expanded and more sophisticated info-harvesting capabilities, and the ability to run TeamViewer. It was spotted by researchers being used in a targeted campaign on a multinational conglomerate. Unusually, the...

AI score: 0.2 | Exploits: 0 | References: 8

ThreatPost | added 2020/05/01 4:47 p.m. | 113 views

News Wrap: Microsoft Sway Phish, Malicious GIF and Spyware Attacks

Threatpost editors Tom Spring, Tara Seals and Lindsey O’Donnell-Welch talk about the biggest news stories of the week ended May 1, including: A “PhantomLance” espionage campaign discovered targeting specific Android victims, mainly in Southeast Asia — which could be the work of the OceanLotus APT...

AI score: 7.2 | Exploits: 0 | References: 25

ThreatPost | added 2020/05/01 4:38 p.m. | 81 views

Microsoft Teams Impersonation Attacks Flood Inboxes

A convincing cyberattack that impersonates notifications from Microsoft Teams in order to steal the Office 365 credentials of employees is making the rounds, according to researchers. Two separate attacks have targeted as many as 50,000 different Teams users, according to findings from Abnormal...

AI score: 7 | Exploits: 0 | References: 11

ThreatPost | added 2020/05/01 1:12 p.m. | 150 views

TrickBot Attack Exploits COVID-19 Fears with DocuSign-Themed Ploy

Threat actors are using people’s interest in the Department of Labor’s Family and Medical Leave Act (FMLA) to spread what appears to be the TrickBot trojan in a new spam campaign that security researchers discovered recently. Recent analysis from spam honeypots set by IBM X-Force discovered actors...

Exploits: 0 | References: 12

ThreatPost | added 2020/04/30 9:02 p.m. | 141 views

Microsoft Sway Abused in Office 365 Phishing Attack

A highly targeted phishing campaign, with a Microsoft file platform twist, has successfully siphoned the Office 365 credentials of more than 150 executives since mid-2019. Researchers attribute the campaign’s success to two parts: First, it leverages multiple Microsoft file-sharing services to...

AI score: 0.5 | Exploits: 0 | References: 9

ThreatPost | added 2020/04/30 8:54 p.m. | 283 views

Salt Bugs Allow Full RCE as Root on Cloud Servers

The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently. According to F-Secure researchers, the framework, authored by...

CVSS: 7.5 | AI score: 9.7 | EPSS: 0.94234 | Exploits: 24 | References: 8

ThreatPost | added 2020/04/30 7:28 p.m. | 40 views

Building for Billions: Addressing Security Concerns for Platforms at Scale

Security operations once consisted of a multitude of manual operations based around alerts, thresholds and severity levels. As systems scale and platforms continue to grow, how do you keep up with the growing requirements to secure these transactions and the networks they are built upon?...

AI score: 6.9 | Exploits: 0 | References: 3

ThreatPost | added 2020/04/30 2:40 p.m. | 42 views

New Android Malware Targets PayPal, CapitalOne App Users

An Android mobile malware has been uncovered that steals payment data from users of popular financial apps like PayPal, Barclays, CapitalOne and more. The infostealer, called EventBot, has targeted users of more than 200 different banking, money-transfer services and general cryptocurrency wallet...

AI score: 7.3 | Exploits: 0 | References: 11

ThreatPost | added 2020/04/30 12:17 p.m. | 42 views

Shade Threat Actors Call It Quits, Release 750K Encryption Keys

The threat actors behind the Shade ransomware have called it quits, releasing 750,000 encryption keys on GitHub and publicly apologizing to victims affected by the malware. User “shade-team” posted four files on the code repository earlier this week, one containing the file keys and four “ReadMe”...

AI score: 7.4 | Exploits: 0 | References: 15

ThreatPost | added 2020/04/30 10:00 a.m. | 73 views

Critical WordPress e-Learning Plugin Bugs Open Door to Cheating

Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more. The...

CVSS: 7.5 | AI score: 9.2 | EPSS: 0.455 | Exploits: 11 | References: 17

ThreatPost | added 2020/04/29 8:37 p.m. | 72 views

High-Severity Cisco IOS XE Flaw Threatens SD-WAN Routers

Cisco has patched a high-severity vulnerability in its router software, which if exploited could enable a local, authenticated attacker to execute arbitrary commands with root privileges. The flaw exists in Cisco IOS XE. This Linux-based version of Cisco’s Internetworking Operating System (IOS) is...

CVSS: 7.2 | AI score: 0.8 | EPSS: 0.00842 | Exploits: 0 | References: 11

ThreatPost | added 2020/04/29 8:35 p.m. | 50 views

Millions of Brute-Force Attacks Hit Remote Desktop Accounts

A rash of brute-forcing attempts aimed at users of Microsoft’s proprietary Remote Desktop Protocol (RDP) has come to light, striking millions per week. The attacks are a likely offshoot of cybercriminals looking to take advantage of the unprecedented numbers of employees working from home amid the...

AI score: 7.7 | Exploits: 0 | References: 11

ThreatPost | added 2020/04/29 4:45 p.m. | 56 views

ThreatList: Human-Mimicking Bots Spike, Targeting e-Commerce and Travel

Bad bots, bad bots, whatcha gonna do? Target e-commerce, the travel industry, media and online marketplaces, that’s what. Those are the top four verticals attacked by bots in the last year, according to data released on Wednesday from Radware, with e-commerce accounting for the most activity. In...

AI score: 6.7 | Exploits: 0 | References: 10

ThreatPost | added 2020/04/29 4:39 p.m. | 365 views

Critical GitLab Flaw Earns Bounty Hunter $20K

A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award. The flaw was reported to GitLab by software developer William Bowling via the HackerOne bug bounty platform on March 23. It was then disclosed...

AI score: 0.2 | EPSS: 0.25485 | Exploits: 0 | References: 9

ThreatPost | added 2020/04/29 1:40 p.m. | 70 views

EFF: Google, Apple's Contact-Tracing System Open to Cyberattacks

Privacy advocates are urging developers to proceed with caution as they use technology released by Apple and Google to build COVID-19 contact-tracing apps — and are warning against the potential for cybercriminal use. On the latter point, the system is meant to help people know if they have come...

AI score: 6.8 | Exploits: 0 | References: 11

ThreatPost | added 2020/04/28 9:33 p.m. | 60 views

Enterprise Security Woes Explode with Home Networks in the Mix

The work-from-home (WFH) paradigm that has become the new normal in the age of coronavirus comes with exacerbated network security risk – as evidenced by a growing number of botnets and automated attacks that are taking advantage of known vulnerabilities in both consumer and corporate IT gear. The...

AI score: 7.4 | Exploits: 0 | References: 8

ThreatPost | added 2020/04/28 8:30 p.m. | 43 views

‘Black Rose Lucy’ is Back, Now Pushing Ransomware

Cybercriminals behind the Android-based dropper malware Black Rose Lucy have shifted attacks from info-stealing to ransomware – with a sextortion twist. The malware family, operated by the Lucy Gang, encrypts targeted Android devices and delivers a spoofed FBI message. The ransom note claims the...

AI score: 7.4 | Exploits: 0 | References: 8

ThreatPost | added 2020/04/28 8:20 p.m. | 76 views

Critical Adobe Illustrator, Bridge and Magento Flaws Patched

Adobe is warning of critical flaws in Adobe Bridge, Adobe Illustrator and the Magento e-commerce platform. If exploited, the most severe vulnerabilities could enable remote code execution on affected systems. Adobe’s out-of-band security update, released on Tuesday, addressed vulnerabilities tied...

CVSS: 9.3 | AI score: 0.7 | EPSS: 0.0965 | Exploits: 1 | References: 10

ThreatPost | added 2020/04/28 4:36 p.m. | 41 views

Hackers Leak Biopharmaceutical Firm's Data Stolen in Ransomware Attack

The Clop ransomware group attacked biopharmaceutical company ExecuPharm and reportedly leaked some of the company’s compromised data on underground forums. ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, provides clinical trial management tools for...

AI score: 1.1 | Exploits: 0 | References: 17

ThreatPost | added 2020/04/28 3:08 p.m. | 511 views

WordPress Plugin Bug Opens 100K Websites to Compromise

A high-severity cross-site request forgery (CSRF) vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site. According to research from Wordfence releas...

AI score: 9.4 | EPSS: 0.25485 | Exploits: 1 | References: 10

ThreatPost | added 2020/04/28 3:00 p.m. | 40 views

Sophisticated Android Spyware Attack Spreads via Google Play

A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week. Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of ap...

AI score: 7.5 | Exploits: 0 | References: 9

ThreatPost | added 2020/04/28 10:00 a.m. | 92 views

Troves of Zoom Credentials Shared on Hacker Forums

Hackers have a new favorite topic of conversation on underground forums: How to obtain – and leverage – valuable credentials for Zoom, Skype, Webex and other web conferencing platforms increasingly used by remote workers. That’s what Etay Maor, chief security officer at IntSights, has discovered...

Exploits: 0 | References: 21

ThreatPost | added 2020/04/27 9:15 p.m. | 73 views

GDPR Compliance Site Leaks Git Data, Passwords

A website that gives advice on privacy regulation compliance has fixed a security issue that was exposing MySQL database settings — including passwords — to anyone on the internet. The website, GDPR.EU, is an advice site for organizations that are struggling to comply with the General Data...

AI score: 7 | Exploits: 0 | References: 10

ThreatPost | added 2020/04/27 4:16 p.m. | 265 views

Hackers Mount Zero-Day Attacks on Sophos Firewalls

Attackers have been targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, according to the security firm – with the ultimate goal of dropping the Asnarok malware on vulnerable appliances. Sophos said in a posting updated on Monday that the bug in question i...

AI score: 8.7 | EPSS: 0.03057 | Exploits: 1 | References: 7

ThreatPost | added 2020/04/27 4:14 p.m. | 37 views

U.S. Universities Hit With 'Adult Dating' Spear-Phishing Attack

Several U.S. universities have been targeted in a widespread spear-phishing attack that uses adult dating as a lure. In reality, the emails spread the Hupigon remote access trojan (RAT), known to be leveraged by state-sponsored threat actors. Researchers from Proofpoint warned that the ongoing...

AI score: 0.1 | Exploits: 0 | References: 13

ThreatPost | added 2020/04/27 1:00 p.m. | 71 views

Eight Common OT / Industrial Firewall Mistakes

Most industrial sites deploy firewalls as the first line of defense for their Operations Technology (OT) / industrial networks. However, configuring and managing these firewalls is a complex undertaking. Configuration and other mistakes are easy to make. This article explores eight common mistakes...

AI score: 0.9 | Exploits: 0 | References: 2

ThreatPost | added 2020/04/27 5:21 a.m. | 230 views

Single Malicious GIF Opened Microsoft Teams to Nasty Attack

Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts. The attack simply...

AI score: 0.1 | Exploits: 0 | References: 6

ThreatPost | added 2020/04/24 8:44 p.m. | 102 views

SAS@Home Virtual Summit Showcases New Threat Intel, Industry Changes

As the COVID-19 pandemic continues to force in-person cybersecurity event cancellations, Kaspersky is forging ahead with a virtual security summit, SAS@home. Topics on the agenda include threat intel on advanced persistent threats (APTs), new vulnerability research, and topics related to a...

CVSS: 7.2 | AI score: 8.5 | EPSS: 0.9216 | Exploits: 14 | References: 11

ThreatPost | added 2020/04/24 8:41 p.m. | 60 views

Latest Apple Text-Bomb Crashes iPhones via Message Notifications

Apple devices are vulnerable to a “text bomb” attack where simply looking at messages or posts containing characters in the Sindhi language can crash devices. Sindhi is an official language used in Pakistan. The bug affects iPhone, iPad, Macs and Apple Watches, and arises from macOS and iOS faili...

AI score: 7.3 | Exploits: 0 | References: 12

ThreatPost | added 2020/04/24 5:11 p.m. | 201 views

News Wrap: Nintendo Account Hacks, Apple Zero Days, NFL Security

For the week ended April 24, Threatpost editors discuss the hottest cybersecurity news stories, including: Apple zero days disclosed in the iPhone iOS that researchers say have been exploited for years. Meanwhile, Apple has pushed back and said there’s no evidence to support such activity. Ninten...

AI score: 9.9 | EPSS: 0.25485 | Exploits: 0 | References: 17

ThreatPost | added 2020/04/24 1:55 p.m. | 60 views

Nintendo Confirms Breach of 160,000 Accounts

Nintendo said over 160,000 accounts have been hacked, due to attackers abusing a legacy login system. Over the past few weeks, Nintendo gamers have been reporting suspicious activities on their accounts. According to the complaints, aired out on Twitter and Reddit, unauthorized actors were loggin...

AI score: 0.6 | Exploits: 0 | References: 13

ThreatPost | added 2020/04/24 12:15 p.m. | 195 views

Apple Pushes Back Against Zero-Day Exploit Claims

Apple has pushed back against claims that two zero-day bugs in its iPhone iOS have been exploited for years, saying it’s found no evidence to support such activity. Apple officials made the statement in response to a widely disseminated report published Wednesday by ZecOps, which claimed that two...

Exploits: 0 | References: 6

ThreatPost | added 2020/04/23 5:45 p.m. | 71 views

Valve Confirms CS:GO, Team Fortress 2 Source-Code Leak

The discovery of leaked source code for two popular games – Counter-Strike: Global Offensive (CS:GO) and Team Fortress 2 – has led to security concerns and even calls for gamers to uninstall the software from their computers. The developer and publisher of the two games, Valve, is downplaying the...

AI score: 7.3 | Exploits: 0 | References: 21

ThreatPost | added 2020/04/23 3:27 p.m. | 73 views

Public Sector Ransomware Attacks Rage On: Can Your Organization Repel Them?

To pay or not to pay? That is the question many public-sector organizations must grapple with when faced with a complex ransomware attack – even while the COVID-19 pandemic rages on around them. Ransomware attacks to municipal, local, and state government agencies are on the rise. Places as...

AI score: 0.3 | Exploits: 0 | References: 12

ThreatPost | added 2020/04/23 3:25 p.m. | 60 views

WHO, CDC and Bill and Melinda Gates Foundation Victims of Credential Dump, Report

Unknown threat actors have allegedly dumped nearly 25,000 email addresses and passwords from notable organizations involved in the fight against the COVID-19 pandemic, including credentials from prominent health organizations. Hackers have been using information belonging to groups such as World...

AI score: 0.4 | Exploits: 0 | References: 13

ThreatPost | added 2020/04/23 2:50 p.m. | 57 views

A Dozen Nation-Backed APTs Tap COVID-19 to Cover Spy Attacks

Cybercriminals have seized on the novel coronavirus as a theme in their attacks, and it turns out that the most sophisticated players on that scene are no exception. According to Google’s Threat Analysis Group (TAG), more than a dozen nation-state-backed APTs are using the COVID-19 pandemic as a...

AI score: 7.2 | Exploits: 0 | References: 11

ThreatPost | added 2020/04/23 2:00 p.m. | 54 views

Skype Phishing Attack Targets Remote Workers' Passwords

Remote workers are being warned of a new phishing campaign targeting their Skype passwords. The phishing emails look “eerily similar” to a legitimate Skype notification alert, according to a report released by Cofense on Thursday. Emails indicate users have 13 pending Skype notifications that can...

AI score: 6.9 | Exploits: 0 | References: 14

ThreatPost | added 2020/04/23 1:48 p.m. | 98 views

Fake Skype, Signal Apps Used to Spread Surveillanceware

Cybercriminals are increasingly peddling booby-trapped versions of popular apps such as Skype and Signal that contain surveillanceware. Apurva Kumar, security intelligence engineer at Lookout, said that one such surveillanceware family that’s been spotted using this tactic is Monokle, a...

AI score: 6.8 | Exploits: 0 | References: 5

ThreatPost | added 2020/04/22 9:39 p.m. | 285 views

Fast-Moving DDoS Botnet Exploits Unpatched ZyXel RCE Bug

A new variant of the Hoaxcalls botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed last month. That’s according to researchers at Radware, who also sa...

CVSS: 10 | AI score: 0.5 | EPSS: 0.92735 | Exploits: 8 | References: 10

ThreatPost | added 2020/04/22 7:00 p.m. | 25 views

Apple Patches Two iOS Zero-Days Abused for Years

Update Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads. Impacted are iOS 6 and iOS 13.4.1. Apple patched both vulnerabilities in iOS 13.4.5 beta, released last week. A final release of iOS 13.4.5 is expected soon. Both...

AI score: 7.1 | Exploits: 0 | References: 5

Total number of security vulnerabilities: 15946