Cyber Security Headlines – September 20, 2021

Email scammers posed as DOT officials in phishing messages focused on $1 trillion bill

Shortly after Congress took action on a $1 trillion infrastructure bill, hackers posing as U.S. Transportation Department officials offered fake project bid opportunities to seduce companies into handing over Microsoft credentials, researchers say. The ploy included layers of attempts to disguise the malicious appeals as authentic government solicitations, and even eventually led the would-be victims back to the actual Department of Transportation website. “In what may be an ironic twist, the phishers also copied and pasted in a real warning about how to verify actual U.S. government sites,” security researcher Roger Kay of the firm INKY stated. “The victim might have noticed that something was up if they had realized that the phishing site domain ended in .com rather than .gov or .mil.”

(Cyberscoop)

A new banking Trojan abuses YouTube for remote configuration

The Numando trojan implements backdoor capabilities to simulate mouse and keyboard actions, restart and shut down machines, and display overlay windows every time a victim visits a financial organization's website in order to capture the credentials provided. Numando, which currently focuses on Latin America, leverages public services such as Pastebin and YouTube for its remote configuration. Researchers at ESET reported the existence of the trojan to Google, who quickly removed them.

(Security Affairs)

Admin of DDoS service behind 200,000 attacks faces serious prison time

At the end of a nine-day trial, a jury in California this week found 32-year-old Matthew Gatrel of St. Charles, Illinois, guilty of being the administrator of two distributed denial-of-service (DDoS) operations, also called “booters” or “stressers.” His websites, DownThem and Ampnode, allowed paying users to launch more than 200,000 DDoS attacks on targets in both the private and public sector, including schools, universities, municipal and local government websites, and financial institutions. Gatrel is facing a maximum statutory sentence of 35 years in a federal prison for the three felonies he has been found guilty of. His sentencing has been scheduled for January 27, 2022.

(Bleeping Computer)

US government sites showing porn and Viagra ads due to shared software vendor

Security researcher Zach Edwards has traced the issue to certain .gov and .mil domains that use a common software product provided by Laserfiche, a government contractor. Laserfiche provides services to the FBI, CIA, U.S. Treasury, the military, and many more government bodies. Its software product, Laserfiche Forms, contains a vulnerability that has allowed threat actors to push malicious and spam content on reputable government sites. Laserfiche has now released a security advisory for the vulnerability, along with instructions on how to clean up the websites. The advisory gives the root cause of the issue as an unauthenticated file upload vulnerability.

(Bleeping Computer)

Threat actor has been targeting the aviation industry since at least 2018

Security researchers from the Cisco Talos team have uncovered a spear-phishing campaign that has been targeting the aviation industry for two years undetected. The threat actor behind this campaign is believed to be based out of Nigeria and is not technically sophisticated, using off-the-shelf malware throughout the campaigns. The spear-phishing messages use bait documents specifically crafted to target the aviation or cargo industry that purport to be PDF files but link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of remote access trojans (RATs) like AsyncRAT and njRAT. Evidence collected by experts suggests that the threat actor has been active at least since 2013 and their small operation is credited for their success.

(ZDNet)

Yes, of course there’s now malware for Windows Subsystem for Linux

Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft’s Windows Subsystem for Linux (WSL) to install unwelcome payloads. On Thursday, Black Lotus Labs, the threat research group at Lumen Technologies, said it had spotted several malicious Python files compiled in the Linux binary format ELF (Executable and Linkable Format) for Debian Linux. “These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls,” Black Lotus Labs said in a blog post.

(The Register)

AT&T phone-unlocking malware ring costs carrier $200M

Muhammad Fahd of Pakistan and Grenada is facing 12 years behind bars after effectively compromising AT&T’s internal networks to install credential-thieving malware. He was convicted of grooming AT&T employees at a Bothell, Wash., call center to use their AT&T credentials to sever phones from the AT&T network for customers who were still under contract — meaning those customers could take their newly independent phones to another service. Next, Fahd got them to install custom malware and “hacking tools that allowed him to unlock phones remotely from Pakistan,” according to court documents. In all, the 35-year-old Fahd effectively defrauded AT&T out of more than $200 million in lost subscription fees after divorcing nearly 2 million mobile phones from the carrier.

(Threatpost)

Customer care giant TTEC hit by ransomware

The company used by some of the world’s largest brands to help manage customer support and sales online and over the phone is dealing with disruptions from a network security incident resulting from a ransomware attack, KrebsOnSecurity has learned. Englewood, Colo.-based TTEC now has nearly 60,000 employees, most of whom work from home and answer customer support calls on behalf of a large number of name-brand companies, like Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon. A widespread system outage that began on Sunday, Sept. 12 was later confirmed as a ransomware attack, possibly by Ragnar Locker or a group pretending to be them.

(KrebsOnSecurity)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.