CYBERSECURITY NEWS V. 05.14 – Critical flaws in top VPN, 73.2 million records hit dark web
Snake ransomware returns
After a few months of silence, the Snake ransomware operators have launched a worldwide campaign infecting numerous businesses. Fresenius Group, Europe's largest hospital provider, has become one of its victims. Snake claims to steal unencrypted files before encrypting computers on a network, which is a common tactic for many ransomware attacks today. Thus, all affected companies should treat ransomware attacks as data breaches. To mitigate the risks, it is strongly recommended to perform IT security checks and regular security audits.
Samsung fixes six-year-old bug
Samsung has released a security update for its Android devices fixing a vulnerability that affects all Samsung smartphones produced since 2014. Found in the image codec library, the bug allows overwriting device memory and remote code execution. A successful attack would require sending approximately 50-300 MMS messages to bypass the built-in Android security measures. Like any other complex code, the code that handles QMG files requires a thorough cybersecurity audit to avoid critical flaws.
Cryptocurrency miner hits Windows machines
A new threat to Windows machines was found. Red Canary reports on a cluster of activity involving Monero crypto-mining payloads dubbed Blue Mockingbird. The payload is distributed in DLL form on Windows computers. In at least two cases, it exploited public-facing web applications that implemented versions of Telerik UI for ASP.NET AJAX vulnerable to CVE-2019-18935 (deserialization). To mitigate such issues, it is advised to check the security of web servers and applications, which can be a part of a cybersecurity audit (and its various forms, like red teaming).
Critical flaws in top VPN services
Critical vulnerabilities in the popular VPN apps PrivateVPN and Betternet allowed hackers to download and install fake updates. Thus, hackers could infect user devices with any kind of malware to steal sensitive information, install crypto-miners, or make devices part of botnets. The vendors have fixed these issues, and the applications no longer accept unverified update files. Nevertheless, this case shows the importance of Wi-Fi security checks and penetration testing to ensure that all connections are secure.
Massive botnet goes down
A botnet named Cereals has been around for almost eight years. It exploited only one vulnerability in D-Link network video recorders and network-attached storage devices. The botnet reached its peak with 10,000 bots in 2015. Today, as the vulnerable and obsolete D-Link devices are being replaced, Cereals is slowly disappearing. Despite its relatively sophisticated setup, its sole purpose was to download anime videos, so it appears to be merely a hobby project.
Over 73 million user records hit dark web
A dark web hacking marketplace has recently been swamped with stolen databases. In just a week, a group called Shiny Hunters has shared user records from giants like Tokopedia (Indonesian online store) and Unacademy (Indian e-learning platform). The group even claimed to have gained access to the Microsoft GitHub account. The total number of stolen records reaches 73.2 million, which is a result of eleven separate data breaches. Web application security issues can result in leaks like these, so it is strongly recommended to perform web application security assessments and update online service passwords in a timely manner.
Thunderbolt flaws expose PCs
Recently found hardware vulnerabilities affect all PCs with Thunderbolt manufactured before 2019. With just physical access and some hands-on hardware, an attacker can access all data on a locked, password-protected device in under 5 minutes. The authors of the Intel cybersecurity blog state that major operating systems have implemented necessary Kernel Direct Memory Access (DMA) protection. Unfortunately, this flaw cannot be patched with software, and the only way to avoid attacks on older systems is to disable Thunderbolt ports via BIOS.
Sodinokibi encrypts more files than ever
Sodinokibi (REvil) is now able to terminate processes and services that lock open files during encryption. To do that, Sodinokibi uses the Windows Restart Manager API, which is also used in the decryptor. On the one hand, this means that the process of decrypting files will be easier after paying a ransom. On the other hand, this development allows the ransomware to encrypt even more files. Security analysis shows that malware like SamSam and LockerGoga also utilize the Windows Restart Manager API.
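A defender-side check for the Restart Manager behaviour described above, as an added example that is not from the original article: it scans Sysmon ImageLoad (Event ID 7) records for processes that load `rstrtmgr.dll`, the Restart Manager library, from outside an expected set. The sample events, the allowlist and the user-writable path heuristic are constructed assumptions to be tuned per environment.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style ImageLoad (Event ID 7) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\msiexec.exe", "ImageLoaded": "C:\\Windows\\System32\\RstrtMgr.dll"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\Acme\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\msiexec.exe", "ImageLoaded": "C:\\Windows\\System32\\rstrtmgr.dll"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

RESTART_MANAGER_DLL = "rstrtmgr.dll"

# Assumption: full paths of processes expected to use Restart Manager here.
# Matching on full path, not file name, so a renamed copy elsewhere is not trusted.
EXPECTED_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\explorer.exe",
}

# Assumption: path fragments treated as user-writable locations.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def find_restart_manager_loads(log_text):
    """Return (severity, image) for each unexpected process loading rstrtmgr.dll."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 7:  # only ImageLoad events are relevant
            continue
        if PureWindowsPath(event["ImageLoaded"]).name.lower() != RESTART_MANAGER_DLL:
            continue
        image = event["Image"]
        if image.lower() in EXPECTED_IMAGES:
            continue
        writable = any(part in image.lower() for part in USER_WRITABLE)
        findings.append(("high" if writable else "review", image))
    return findings


if __name__ == "__main__":
    for severity, image in find_restart_manager_loads(SAMPLE_EVENTS):
        print(f"[{severity}] {image} loaded {RESTART_MANAGER_DLL}")
```

A hit is a lead to triage, not proof of ransomware, since installers and updaters legitimately use Restart Manager.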