Cybersecurity News V. 1.16 – Vulnerable Windows, leaky Tinder, attacked UN

NSA shares information about Windows vulnerability

Microsoft security patch day revealed the information about the CVE-2020-0601 vulnerability. It exists in the way Microsoft's CryptoAPI (Crypt32.dll) validates the Elliptic Curve Cryptography certificates and affects Windows 10, Windows Server 2016, and Windows Server 2019. The vulnerability could be exploited by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The information about the vulnerability was provided by the US National Security Agency representatives who told it was found during a routine checkup. As a result, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring Federal agencies to patch their Windows systems within ten business days or remove them from their networks. There is no sign of exploitation of this vulnerability in the wild. As soon as the vulnerability was revealed, two exploits for it were released.

UN attacked with Emotet phishing malware

An attack with Emotet was performed against the email addresses associated with the users at the United Nations. Not so long ago Emotet attacks were used in spam campaigns all over the world. Once again, the threat arises. Previously, it was about faking accounting reports, delivery notices, and invoices. This time, the malware operators targeted the United Nations. The phishing campaign targeted 600 unique email addresses at the United Nations. An infected Microsoft Word document that pretended to be signed and sent by the Permanent Mission of Norway was attached to those emails. It is necessary to remember that when Emotet is installed on a machine, one of the malware payloads that is invariably installed is the TrickBot trojan. TrickBot will attempt to harvest data from the computer and to spread to other computers on the network. After TrickBot’s job is done, it opens a reverse shell back to the Ryuk Ransomware operators, who will proceed to infiltrate the network.

SIM swappers turn to RDP

Remote Desktop Protocol (RDP) software at telecom companies could be used by hackers to carry out SIM swapping attacks directly. Previously, such attacks involved social engendering and bribing telecom employees to perform SIM swaps. The new tactics use social engineering only to trick employees into giving access to RDP software. Once the attackers are in, they are able to make necessary changes themselves. The new technique is believed to be used against T-Mobile, AT&T, and Sprint. These telecom companies are fully aware of the threat and are trying to take necessary measures.

Dating and other apps accused of leaking sensitive data

Dating apps like Tinder, Grindr, and OkCupid along with some others have been accused of sending sensitive personal information to advertisers in a potential breach of the European data laws. An investigation conducted by the Norwegian Consumer Council (NCC) showed that these apps sent sensitive information to multiple advertising companies including Google, Facebook, and Twitter, as well as some lesser-known companies. The researchers examined 10 Android apps, which were found to be transmitting data to at least 135 third parties. Apps could share different types of information, including IP addresses and GPS data. This is a serious violation of data privacy laws in different countries.

Moreover, there was a leak of more than 70,000 photos of Tinder users shared on an online cyber-crime forum.

Ransomware and data breaches with new approach

Extortionists continue to steal data and dox those who refuse to pay a ransom. For instance, Southwire, a company based in Georgia, US, declined to pay the ransom and filed a lawsuit against Maze Ransomware for publishing their data. The main website of the hacker group was shut down, but they shifted their operations and posted 14.1 gigabytes of data including the data stolen from Southwire. Other ransomware operators might follow this practice as it gives them more leverage over their victims. Unfortunately, the victims have no way of knowing if the attackers will keep their word even after they've paid the ransom. Hackers could use the example set by Maze and Sodinokibi and publish stolen files on their websites.

Crime-fighting app caused phone hacks

The Exodus spyware was created by eServ to help law enforcement to get access to a device’s microphone, camera, stored files, and encrypted messages. With the help of Italian telecom companies, suspects would be tricked into downloading a seemingly harmless app that helps to fix network errors. Among others, it was used by the Italian foreign intelligence agency.
It was soon discovered that the employees of eServ used the company’s spyware to illegally hack hundreds of phones. Different versions of Exodus were created, for example, apps that were not spyware themselves (and this is why Google Play antivirus algorithms granted them access to the store) but were the gateways through which eSurv could place spyware onto a person’s phone. The investigation is still in progress.