Weekly Cybersecurity Roundup #14
“I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually ‘Nothing; you’re screwed.’” – Bruce Schneier
Iranian cyberspies leave training videos exposed online
One of Iran’s top hacking groups (APT35) has left a server exposed online where security researchers say they found a trove of screen recordings showing the hackers in action.
The server was discovered by IBM’s X-Force security division, whose researchers believe the videos are tutorials the Iranian group was using to train new recruits.
According to X-Force analysts, the videos were recorded with a screen-recording app named Bandicam, suggesting they were made on purpose rather than captured accidentally by operators who got infected by their own malware.
Source: ZDNet
Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover
Fewer than 500 machines have been patched since U.S. Cyber Command issued an alert to patch a critical bug that is under active exploitation.
About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.
The BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.
At the end of June, F5 issued urgent patches for a critical RCE flaw (CVE-2020-5902), which is present in the Traffic Management User Interface (TMUI) of the company’s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan showed that there were almost 8,500 vulnerable devices exposed on the internet.
Source: ThreatPost
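The item above says thousands of BIG-IP devices are still unpatched two weeks after the fix shipped, and the first thing a practitioner wants is a quick way to sort an inventory of version strings into patched and unpatched boxes. The Python script below is an added example written for this roundup, not code from ThreatPost or F5. It assumes the fixed-release table in FIXED_BY_BRANCH, which is the editor's recollection of F5's advisory for CVE-2020-5902 and must be checked against the vendor's current advisory before use; the hostnames and version strings in the sample inventory are constructed.

```python
"""Triage BIG-IP version strings against the fixed releases for CVE-2020-5902."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Earliest fixed release per BIG-IP branch for CVE-2020-5902.
# ASSUMPTION: these values are the editor's recollection of F5's advisory
# and must be verified against the vendor's current page before relying on them.
FIXED_BY_BRANCH = {
    (11, 6): (11, 6, 5, 2),
    (12, 1): (12, 1, 5, 2),
    (13, 1): (13, 1, 3, 4),
    (14, 1): (14, 1, 2, 6),
    (15, 0): (15, 1, 0, 4),  # 15.0.x received no fix; the remedy is upgrading to 15.1.0.4
    (15, 1): (15, 1, 0, 4),
}

# Matches "14.1.2.3" or a three-part "15.1.0" anywhere in free text.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Version]:
    """Pull a dotted BIG-IP version out of text such as the 'Version 14.1.2.3'
    line of `tmsh show sys version`. A missing fourth component is treated as 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, point = m.groups()
    return (int(major), int(minor), int(maint), int(point or 0))


def classify(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.

    Anything below the fixed release on a listed branch is reported as
    vulnerable; branches not in the table (e.g. 16.x or end-of-life releases)
    are not guessed at and are handed to a human with the vendor advisory."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hostnames by patch status, preserving inventory order."""
    buckets = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        buckets[classify(version_text)].append(host)
    return buckets


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ltm-dc1-a": "BIG-IP 14.1.2.3 Build 0.0.5",
    "ltm-dc1-b": "BIG-IP 14.1.2.6 Build 0.0.9",
    "ltm-edge-1": "15.0.1.3",
    "ltm-edge-2": "15.1.0.4",
    "ltm-lab": "16.0.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it the output of `tmsh show sys version` from each device (or the version column of your CMDB export); hosts that land in "unknown" need a manual look, and hosts in "vulnerable" are the ones that should also be checked for TMUI exposure to the internet.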
Emotet botnet returns after a five-month absence
Emotet, 2019’s most active cybercrime operation and malware botnet, has returned to life today with new attacks, ZDNet has learned.
Prior to today’s attacks, Emotet stopped all activity on February 7, Sherrod DeGrippo, Senior Director Threat Research at Proofpoint, told ZDNet in an email today.
The botnet, which runs from three separate server clusters — known as Epoch 1, Epoch 2, and Epoch 3 — is spewing out spam emails and trying to infect new users with its malware payload.
“Today’s campaign so far has recipients primarily in the US and UK with the lure being sent in English,” DeGrippo said.
Source: ZDNet
Twitter Hack Update: What We Know (and What We Don’t)
With limited confirmed information, a raft of theories and circumstantial evidence has come to light as to who was behind the attack and how they carried it out.
Earlier this week, Twitter locked down thousands of verified accounts, including the accounts of Joe Biden, Bill Gates, Elon Musk, Apple, Uber and others, after it became clear that hackers had been able to compromise them. The tip-off? Suddenly these high-profile accounts were all tweeting out identical links to a cryptocurrency scam.
But what exactly happened? As Threatpost reported on Wednesday, Twitter’s internal investigation is ongoing, but the social-media giant did say that hackers had somehow compromised the company’s internal systems and secured employee privileges. Beyond that, a raft of sources are offering bits and pieces of the puzzle – some verified, some not.
Source: ThreatPost
Russian Hackers Are Trying To Steal COVID-19 Vaccine Research: US, UK, Canada
Russian hackers have been accused of stealing COVID-19 vaccine research data from medical organizations involved in its development. The allegations were made by US, UK, and Canadian security officials, who identified the Russian hacking group APT29 (also known as “The Dukes” or “Cozy Bear”) as responsible.
An advisory published by the UK’s National Cyber Security Centre (NCSC) says, “APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property.”
Source: FossBytes
Orange Business Services hit by Nefilim ransomware operators
Researchers from Cyble came across a post by Nefilim ransomware operators claiming to have stolen sensitive data from Orange S.A., one of the largest mobile network operators based in France.
The discovery was made by the experts during their regular Deepweb and Darkweb monitoring activity.
Orange S.A. is a French multinational telecommunications corporation founded in 1988. The telco operator has 266 million customers worldwide and employs 89,000 people in France, and 59,000 abroad. The company is currently the tenth-largest mobile network operator in the world and the fourth largest in Europe.
According to Cyble, the hackers claim to have compromised Orange Business Solutions, a subsidiary of Orange S.A., and have published a portion of the sensitive data as proof of the attack.
Orange confirmed to BleepingComputer that the Orange Business Services division was the victim of a ransomware attack on the night of Saturday, July 4th, 2020, into July 5th. The gang gained access to the data of twenty Orange Pro/SME customers.
Source: Security Affairs
Cloudflare outage takes down Discord, BleepingComputer, and other sites
Cloudflare is having an outage that is affecting many sites, including Discord, BleepingComputer, and others. It is not known what is causing the outage, but users are unable to connect to the affected sites depending on the region they are located in.
At this time, there has been no public statement from Cloudflare regarding the outage and the only way I knew about it was that I couldn’t access BleepingComputer.com.
Other affected sites include Riot, Gitlab, Patreon, Auth, and ironically Downdetector.
Source: Bleeping Computer
New Android Malware Now Steals Passwords For Non-Banking Apps Too
Cybersecurity researchers today uncovered a new strain of banking malware that targets not only banking apps but also steals data and credentials from social networking, dating, and cryptocurrency apps—a total of 337 non-financial Android applications on its target list.
Dubbed “BlackRock” by the ThreatFabric researchers who discovered it in May, the trojan’s source code is derived from a leaked version of the Xerxes banking malware, which is itself a strain of the LokiBot Android banking trojan first observed during 2016-2017.
Chief among its features are stealing user credentials, intercepting SMS messages, hijacking notifications, and even recording keystrokes from the targeted apps, in addition to being capable of hiding from antivirus software.
Source: The Hacker News