Cybersecurity News V. 2.06 – SpiceJet data breach, Huge leak of payment cards, Avast failure
The new ransomware threat which is called Snake (EKANS)
A new ransomware dubbed Snake was recently discovered. It not only encrypts data on infected machines but also removes all file copies to prevent recovery. Snake is written on Golang and is heavily obfuscated. It removes Shadow Volume Copies and kills processes related to SCADA, ICS, virtual machines and other systems. Then, it proceeds with encryption and adds 5 random characters to file extensions. It also appends its hex marker “EKANS” to each encrypted file. Deep analysis of the ransomware revealed that it makes use of ICS-specific malware variants (like Havex and CRASHOVERRIDE). No free decryption for this ransomware has been found yet.
Wawa customers card data for sale
Discovered in December 2019, a security flow in Wawa Inc. lead to a leak of almost 30 million of payment cards. In 2020, that data surfaced on the dark web. Joker’s Stash store claims to have the data of stolen payment cards, which is sold in batch called BIGBADABOOM-III (with one European and three US parts). BIGBADABOOM-III contains 30 million TR1+TR2 dumps from more than 40 US states. Wawa representatives said that they already alerted their payment card processor, payment card brands, and card issuers to enforce anti-fraud activities to prevent further damage to the customers. They also added that they are absolutely confident that information like PIN or CVV2 was not affected by the breach.
Zoom Meeting IDs problem patched
There was a security flaw in Zoom that would allow anyone to join an active meeting by brute-forcing the Meeting ID. It was possible if the organizer had not enabled a meeting password or a waiting room. Zoom implemented additional security measures like passwords by default and some additional protection against brute-force, so the attack is no longer possible.
ShadowPad targets Hong Kong universities
Two Hong Kong universities suffered from the attacks by a new variant of ShadowPad backdoor. Previously, Winnti malware had been also found there. University names were found in C&C URLs, which means that the campaign was highly targeted. A new 32-bit ShadowPad launcher was used. The new version of the malware is not WMprotect obfuscated and seems to be a more simple version of the previous one.
Avast suffers from reputational damage
Avast anti-virus is forced to shut down its subsidiary Jumpshot after it was revealed that the company sold anonymized user data to tech giants. Avast stated that the initial goal of Jumpshot was to provide marketers with analytics and statistics on customer purchasing habits and that users can control their privacy in the settings.
SpiceJet breach
More and more companies suffer from data breaches. The system passwords of SpiceJet, an Indian airline, were brute-forced by white hats. As a result, they obtained an encrypted database backup file with data of 1.3 million passengers of the airline. Records included names, phone numbers, email addresses, and birth dates. SpiceJet couldn’t provide a reasonable response. However, CERT-In, an Indian government computer emergency response team, confirmed the breach later.
Major Facebook data partner LiveRamp compromised
LiveRamp, a marketing giant with privileged access to Facebook advertising accounts, was compromised. Hackers had obtained a personal account of one of the company’s employees and accessed the Business Manager account. They ran a series of ads on LiveRamp's customer accounts on Facebook. One of the ads got more than 60,000 views and directed users to a page designed to steal credit card numbers. Facebook has a set of security recommendations for business accounts but doesn’t enforce them.
TA505 brand new phishing campaign
A new phishing campaign was reported by Microsoft. The campaign uses HTML redirectors attached to emails leading to the download of an infected Excel file. The file isn’t available in preview mode, so victims are forced to download and open it. The machines which downloaded the malicious file are tracked with an IP traceback service. The malware also tries to drop a remote access trojan (RAT) known as GraceWire.
