AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 3/25/2020

Elite hackers target WHO as coronavirus cyberattacks spike

Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks. WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear and the effort was unsuccessful. But he warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide. The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.


400,000 new people have joined Folding@Home’s fight against COVID-19

The Folding@Home community has turned its attention toward the fight against COVID-19, and it now has massive computational power at its disposal as a result. The distributed computing project is now working with about 470 petaflops of output in its quest to fold proteins, or enough to eclipse the world’s top seven supercomputers combined. That’s more than twice the 149 petaflops of sustained output from the record-setting Summit supercomputer — helped in part by the Summit team joining the project over two weeks ago. There’s been a roughly 1,200 percent increase in contributors, Folding@Home said, with 400,000 new members in the past two weeks.


HHS.gov Open Redirect Used by Coronavirus Phishing to Spread Malware

An HHS.gov open redirect is currently being used by attackers to push malware payloads onto unsuspecting victims’ systems with the help of coronavirus-themed phishing emails. Open redirects are web addresses that automatically redirect users between a source website and a target site, and are regularly used by malicious actors to send their targets to phishing landing pages or to deliver malware payloads under the guise of legitimate services. HHS.gov is the website of the U.S. Department of Health & Human Services, which makes this specific open redirect the perfect tool to lure in potential victims.
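To make the open-redirect flaw concrete, here is an added example (not code from the article, from HHS.gov, or from the reporting it cites) showing a handler that forwards whatever the caller supplied next to one that only honours destinations on an allow-listed host. The site hostname `portal.example.gov`, the allow-list and the sample inputs are constructed for this demonstration.

```python
"""Open-redirect check: a vulnerable handler beside a hardened one.

Constructed example. The hostnames below are placeholders, not HHS.gov's.
"""
from urllib.parse import urlparse, urljoin

SITE_HOST = "portal.example.gov"                  # constructed: our own host
ALLOWED_HOSTS = {SITE_HOST, "docs.example.gov"}   # constructed allow-list


def vulnerable_redirect_target(param: str) -> str:
    """Mirrors the flaw: the caller-supplied value becomes the Location header,
    so a phishing mail can point at https://trusted-site/redirect?url=<anywhere>."""
    return param


def safe_redirect_target(param: str, fallback: str = "/") -> str:
    """Return `param` only if it stays on an allowed host, otherwise `fallback`.

    Covers the bypass shapes seen in practice: absolute URLs to other hosts,
    scheme-relative `//host`, backslash variants, userinfo (`host@evil`)
    and non-http schemes such as `javascript:`.
    """
    if not param:
        return fallback
    # Browsers treat backslashes as slashes; normalise before parsing.
    candidate = param.replace("\\", "/")
    # Resolve against our own origin so "/path" and "//other.host" are read
    # the way a browser would read them.
    resolved = urljoin(f"https://{SITE_HOST}/", candidate)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return fallback
    if parts.username or parts.password:      # "trusted@evil" confusion
        return fallback
    return resolved


if __name__ == "__main__":
    # Constructed phishing-style inputs; each should fall back to "/".
    for sample in ("https://evil.test/landing", "//evil.test/landing",
                   "/\\evil.test", "javascript:alert(1)",
                   f"https://{SITE_HOST}@evil.test/", "/covid/guidance"):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```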


Inside an Instagram Celebrity Hacking Campaign

“Hello. We just hacked your account,” the text message read. The hackers had just taken over the Instagram account of an adult entertainment star with nearly two million followers, and were now asking her for $5,000 to hand the account back to its owner, according to screenshots of the messages obtained by Motherboard. The adult entertainment star didn’t want to pay, and her friend asked for help from a white hat hacker in Los Angeles who protects celebrities from hacking, stalking, and other digital threats. The white hat said they managed to regain access to the account through contacts at Instagram, but not before they discovered which hackers were behind the extortion attempt.


Coronavirus-Themed Document Targets Brazilian Users

During the ongoing COVID-19 outbreak, threat actors are leveraging different techniques to infect victims around the world. ThreatLabZ researchers came across an attack vector used in the wild on March 19 with a very low detection rate. This attack vector consists of a macro-based PowerPoint file (PPS format) that uses multiple stages to infect the system. The name of the PowerPoint file is in Portuguese and the file was uploaded to VirusTotal from Brazil. Based on this, we suspect that the attack was targeting Brazilian users. The file claims to include a list of hotels and inns that are infected by the coronavirus. The name of the file is used for social engineering purposes. When the user opens the file, it downloads the malicious content disguised with an MP3 file extension.


Fake Corona Antivirus Software Used to Install Backdoor Malware

Sites promoting a bogus Corona Antivirus are taking advantage of the current COVID-19 pandemic to promote and distribute a malicious payload that will infect the target’s computer with the BlackNET RAT and add it to a botnet. The two sites promoting the fake antivirus software can be found at antivirus-covid19[.]site and corona-antivirus[.]com as discovered by the Malwarebytes Threat Intelligence team and researchers at MalwareHunterTeam, respectively. While the former was already taken down since Malwarebytes’ report, the one spotted by MalwareHunterTeam is still active but it had its contents altered, with the malicious links removed and a donation link added to support the scammers’ efforts — spoiler alert, no donations were made until now.


Scammers tried using kids apps in the Google Play store to generate cash

Fifty-six apps in Google’s Play store included malicious software that leveraged victims’ devices to click on mobile advertisements, artificially inflating the traffic to those ads and helping scammers make money. Research published Tuesday by the security firm Check Point Technologies details how fraudsters used the network of apps, which were downloaded more than 1 million times, to exploit users’ trust and make a buck. Unlike so many other ad fraud efforts, this campaign was tailored toward children, with 24 of the 56 apps marketed towards kids. Entertainment apps and games with titles like “Cooking Delicious” and “Let Me Go,” a puzzle app, tempted kids into downloading, and then launched the malicious tool.


Firefox is dropping FTP support

Heads up, Firefox users who rely on FTP: the browser is eliminating support for this venerable protocol. First written in 1971, the file transfer protocol predates TCP/IP, the protocol stack that underpins the modern internet. In its original form, the protocol is insecure. For example, it transmits login credentials in plain text. In 1999, the IETF published a draft RFC listing its various shortcomings. These included everything from problems in the way it responded to invalid login attempts through to an inability to segment file permissions when using anonymous FTP (which doesn’t require user credentials at all).


ISPs to continue blocking graphic violent content in Australia

The federal government, through the Australian eSafety Commissioner, and the nation’s internet service providers (ISPs) have agreed on new protocols that would see the continued blocking of websites that host terrorist and graphic violent content. The agreement, according to Minister for Communications, Cyber Safety and the Arts Paul Fletcher, positions ISPs to block websites hosting graphic material that depict terrorist acts or violent crimes, in a bid to “stem the risk of its rapid spread as an online crisis event unfolds”. The protocol follows the eSafety Commissioner in September issuing a direction to the nation’s ISPs to continue blocking websites that host the video of the Christchurch terrorist attack, after the initial blocking period of six months had expired.


European mobile operators share data for coronavirus fight

Mobile carriers are sharing data with the health authorities in Italy, Germany and Austria, helping to fight coronavirus by monitoring whether people are complying with curbs on movement while at the same time respecting Europe’s privacy laws. The data, which are anonymous and aggregated, make it possible to map concentrations and movements of customers in ‘hot zones’ where COVID-19 has taken hold. That is less invasive than the approach taken by countries like China, Taiwan and South Korea, which use smartphone location readings to trace the contacts of individuals who have tested positive or to enforce quarantine orders. In Germany, where schools and restaurants are closing and people have been told to work at home if they can, the data donated by Deutsche Telekom offer insights into whether people are complying, health czar Lothar Wieler said.
