CYBERSECURITY NEWS V. 4.09 – SuperVPN vulnerabilities, MS-SQL servers under attack
Vollgar campaign against MS-SQL servers
A Vollgar campaign aims to infect Windows machines running MS-SQL servers. It uses password brute-force to breach victim machines, deploys multiple backdoors, and executes malicious modules, like multifunctional remote access tools and cryptominers. The attacks has affected different industries, including healthcare, aviation, IT & telecommunications, and higher education. Due to the relatively small amount of MS-SQL servers, it is believed that the campaign aims to steal valuable information along with using their CPU power. It is recommended to enable logging in order to monitor and alert on suspicious, unexpected, or recurring login attempts and set strong passwords for MS-SQL user accounts.
Microsoft against ransomware
Microsoft Threat Protection Intelligence Team and Threat Intelligence Center issued some recommendations for healthcare organizations to protect them from widespread ransomware attacks. These necessary steps will help detect and prevent ransomware attacks and enhance overall security levels. They include applying every security update possible and constant monitoring of the remote access infrastructure.
Google confirms SuperVPN vulnerabilities
Google has confirmed that the SuperVPN application has some critical vulnerabilities. They allowed man-in-the-middle attacks, which could lead to the interception of traffic and its redirection servers instead of a secured VPN one. At the same time, SuperVPN has a high ranking and almost 100 million downloads in Google Play. As of the date of publication, the app remained vulnerable but was still present in Google Play.
Update on Mandrake spyware
A highly sophisticated spying platform Mandrake has been active for almost four years. Current research reveals that Mandrake operators perform individual attacks and the process is not automated. With the fast spread of banking trojans in Australia, it is believed that a Mandrake spying operation has recently targeted Australian Android users. It affected apps like Google Chrome, Gmail, ANZ Australia, Commonwealth Bank of Australia, Bank of Melbourne Mobile Banking, Bank of SA, Australian Super, and PayPal. The attackers could get access to preferences, screen recording, device usage and block calls or messages.
Zoom under attack
The conferencing app Zoom has become very popular among individual users and companies due to the pandemic, which raises some concerns among security researchers. By design, the application favors ease of use over security and privacy, so a number of flaws were found over the last weeks. Some zero-day vulnerabilities were discovered and publicly disclosed. At the same time, the company is facing a class-action lawsuit over the data its iOS app sent to Facebook. In the official statement, Zoom CEO wrote that the company is forced to stop feature development and focus on security improvements. Over the next weeks, Zoom will conduct third-party security audits and pentests.
SIM-swapping is still a threat
Earlier this year, a group of researchers showed how easy it is to perform a SIM swap attack at some of the prepaid mobile carriers. SIM swapping attacks could trick telecom companies into moving the victim’s phone number to a new SIM card, thus making multi-factor login and password recovery procedures vulnerable to adversary actions. Seventeen tested websites that use SMS-based multi-factor authentication (MFA) and SMS-based password recovery left accounts open to takeover from a SIM swap. After the report was issued, some of the services enhanced their security while others ignored the threat. The researchers claim that 9 of 17 websites are still vulnerable.