AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 3/27/2020

Ginp Mobile Banker Targets Spain with “Coronavirus Finder” Lure

In today’s deluge of malicious campaigns exploiting the COVID-19 topic, the handlers of the Android banking trojan Ginp stand out with their “Coronavirus Finder” operation. They prey on the anxiety generated by the massive spread of the virus and, on infected devices, launch a page claiming to show the location of infected people nearby for a small fee. The purpose is to make victims hand over payment card data in the hope of learning how close they are to infected individuals. It’s a particularly heinous campaign because it targets users in Spain, a country that’s been hit hard by the new coronavirus: close to 3,000 people have died from the virus and almost 40,000 are infected.


TrickBot Bypasses Online Banking 2FA Protection via Mobile App

The TrickBot gang is using a malicious Android application they developed to bypass the two-factor authentication (2FA) protection used by various banks after stealing transaction authentication numbers. The Android app, dubbed TrickMo by IBM X-Force researchers, is actively being updated and is currently being pushed via the infected desktops of German victims with the help of web injects in online banking sessions. TrickBot’s operators have designed TrickMo to intercept a wide range of transaction authentication numbers (TANs), including one-time password (OTP), mobile TAN (mTAN), and pushTAN authentication codes, after victims install it on their Android devices.


This team wants to teach your kids cybersecurity while they’re home from school

Coronavirus-related school closures are skyrocketing, leaving parents scrambling to educate their children while still juggling their jobs. It’s a challenging and confusing time — and Jonathan Slater and Lorna Armitage think they have something that might hold kids’ interest: a free online learning platform that teaches them about cybersecurity. The virtual “Cyber School,” slated to launch next Monday, plans to host daily 45-minute livestreams focused on topics including an introduction to coding and algorithms, online safety, ethical hacking and social engineering.


HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours

Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation unless a critical patch is applied. The company made a similar announcement in November 2019, when a firmware defect caused drives to fail after 32,768 hours of running. The current issue affects drives in HPE server and storage products such as HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, and StoreEasy 1000 Storage.


Three More Ransomware Families Create Sites to Leak Stolen Data

Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, which further illustrates why all ransomware attacks must be considered data breaches. Ever since Maze created its “news” site to publish the stolen data of victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow. Over the past two days, BleepingComputer has learned of another three ransomware families who have now launched their data leak sites, which are listed below.


Fired Americans Send Unemployment Websites Crashing Down

When Aaron Garza was dismissed this week from his job as a parts specialist at a Toyota dealership in Grand Rapids, Michigan, he joined a tidal wave of unemployed people swamping systems to help them and straining state finances to the breaking point. On Monday, Garza went to Michigan’s unemployment website and tried logging on to apply for benefits electronically. After 30 minutes, he was able to sign on, but by the time a verification code was sent to his phone 25 minutes later, he had already given up. As of Tuesday afternoon, he still hadn’t been able to get through.


Coronavirus: S’pore Government to make its contact-tracing app freely available to developers worldwide

In a move to help the international community combat the coronavirus pandemic, the Government will be making the software for its contact-tracing application TraceTogether, which has already been installed by more than 620,000 people, freely available to developers around the world. In a Facebook post on Monday (March 23), Minister-in-charge of the Smart Nation Initiative Vivian Balakrishnan said that the app, developed by the Government Technology Agency (GovTech) and the Ministry of Health, will be open-sourced. This means that the software’s source code will be made freely available and may be redistributed and modified.


Cyber insurer Chubb says data stolen in Maze ransomware attack

Chubb, a major cybersecurity insurance provider for businesses hit by data breaches, has itself become a target of a data breach. The insurance giant told TechCrunch it was investigating a “security incident” involving the unauthorized access to data belonging to an unnamed third-party. Chubb spokesperson Jeffrey Zack said the company had “no evidence” the incident affected Chubb’s own network and that its network “remains fully operational.” But the spokesperson declined to comment further or answer any of our questions, including if its customers were affected.


Mexico’s economy ministry hit by cyber attack

Mexico’s economy ministry detected a cyber attack on some of its servers on Sunday but did not consider sensitive information to have been compromised, and it has strengthened its security measures, the ministry said in a statement. It was the second high-profile cyber attack on the Mexican government after hackers demanded $5 million in bitcoin from national oil company Pemex last November, forcing it to shut down computers nationwide. Providers have been asked to temporarily isolate networks and servers, the ministry said on Monday, adding that the processing of some forms would be temporarily suspended to protect their legal status.


Hackers are messing with routers’ DNS settings as telework surges around the world

Personal Wi-Fi routers have long been a cybersecurity weak point, which is a growing concern as the COVID-19 pandemic forces people to work from home. According to new BitDefender research, criminals have moved quickly to manipulate these routers across a wide swath of countries in Europe, as well as in the United States. Attackers have begun changing the Domain Name System (DNS) settings in Linksys routers, directing users to what they believe is a legitimate website that also displays a pop-up message with information about the pandemic. However, once a user clicks through, a fake coronavirus-related app may be downloaded containing malware that can perform a host of nefarious activities, according to Liviu Arsene, a global cybersecurity researcher at BitDefender.


Namecheap blocks registration of domains with ‘coronavirus’ and ‘vaccine’ in the name

Domain registrar Namecheap on Wednesday said it would no longer be accepting any new domain applications including the words “coronavirus,” “covid,” and “vaccine,” among other versions of words and phrases alluding to the ongoing COVID-19 pandemic. The Los Angeles-based company says the measure is to prevent abuse and fraud from sites trying to hawk fake products and misinformation and otherwise capitalize on the ongoing global health crisis. “There are always those who try to take advantage of crisis situations by carrying out acts of fraud. In response, we are actively working with authorities to both proactively prevent, and take down, any fraudulent or abusive domains or websites related to COVID-19,” the company writes in its statement, which it emailed to customers earlier today.
