CYBERSECURITY NEWS V. 29.10 – Attackers donate stolen money, GeForce Experience vulnerabilities, GravityRAT

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts

News for discussion

Ransomware gang donates stolen money to charities

The Darkside hacker group has donated $ 20,000 of extorted money to charities. They released receipts for two donations of 0.88 BTC (about $ 10,000) to The Water Project and Children International. However, when a donation comes from criminal proceeds, the law requires to reject it. Both charities have said that they will not accept BTC donations, although they have no way to return them. Darkside used a cryptocurrency mixing service, which makes the donations untraceable. Darkside appeared in August 2019; the group uses typical ransomware schemes. They claim only to attack large profitable companies and not hospitals, schools, or governments.

hexway commentary:

Are they the new Robin Hoods? No.

Are they criminals who create and distribute ransomware? Yes.

Will The Water Project and Children International cancel the payment? Obviously, yes.

The only way for hacker gangs to be useful is to surrender, serve time, get out of jail, get the GED, and start making money with a printer cartridge company.

News FYI

Nvidia fixes severe GeForce Experience vulnerabilities

Nvidia has patched three vulnerabilities in GeForce Experience, which could result in arbitrary code execution, privilege escalation, information disclosure, or provoke a denial of service (DoS). The most severe of the three is CVE-2020‑5977, which scored 8.2 on the CVSS scale. The bug is found in NVIDIA Web Helper NodeJS Web Server, where an uncontrolled search path is used. It could lead to privilege escalation and arbitrary code execution. The second bug, CVE-2020-5990 (rated 7.3), was found in the ShadowPlay component and could also be used for privilege escalation, denial of service, and information disclosure. The third one, CVE-2020-5978 (rated 3.2), was found in the nvcontainer.exe service and could result in privilege escalation and denial of service. Users are advised to update GeForce Experience to version 3.20.5.70 as soon as possible.

Google Chrome patches actively exploited 0-day

Google has released an update for Google Chrome (86.0.4240.111) that fixes an actively exploited zero-day vulnerability in the browser (CVE-2020-15999). It is a heap buffer overflow found in the FreeType font rendering library, which comes with standard Chrome distributions. Project Zero Team Leader Ben Hawkes has urged other vendors using the library to update their software. With this update, Google has also patched four other bugs (CVE-2020-16000; CVE-2020-1600; CVE-2020-16002; CVE-2020-16003).

GravityRAT Windows malware now attacks Android and macOS

GravityRAT, a Trojan known for attacking Windows systems, can now infect Android and macOS devices. Supposedly developed by a Pakistani cybercriminal group, it has existed since at least 2015 and is used in targeted attacks against India's military organizations. Researchers found an updated RAT sample in Android spyware. In total, more than 10 versions of the malware were detected; they are disguised as legitimate file sharing apps or media players. They can exfiltrate data and communicate with the nortonupdates [.] C&C server, which is also used by other malware (Enigma and Titanium). Malicious apps download the GravityRAT payload from the C&C server and add a scheduled task to the infected device to preserve persistence.

Barnes & Noble attacked by Egregor ransomware

Barnes & Noble, the largest book retailer in the United States with over 600 stores, was attacked by the Egregor ransomware on October 10. The company has officially confirmed the incident, in which the attackers gained access to its corporate systems. Egregor operators took responsibility for the attack and admitted to stealing financial and audit data. First, they hijacked the domain administrator account; then, they accessed the company's network and encrypted the network devices. On its darknet website, the group has posted files allegedly stolen from Barnes & Noble.