Uncertain Times — Infosec's here to help. Learn about remote testing and other COVID-19 resources.

Cybersecurity Weekly: COVID malware, Exchange Server flaw, Botnet dismantled

Category: Industry news
March 16, 2020

Coronavirus-themed malware is infecting PCs to steal passwords. A Microsoft Exchange Server flaw is being exploited in APT attacks. A large-scale botnet operation was dismantled by a coalition of security organizations. All this, and more, in this week’s edition of Cybersecurity Weekly.

 

1. Coronavirus map malware infecting PCs to steal passwords

A new attack is taking advantage of internet users’ increased craving for information about the novel coronavirus. The malware specifically targets victims who are looking for maps of the spread of COVID-19 on the internet, and tricks them into downloading and running a malicious application that compromises the computer.
Read more »

2. Microsoft Exchange Server flaw exploited in APT attacks

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges. The vulnerability in question was fixed as part of Microsoft’s February Patch Tuesday updates, but cybersecurity researchers are still seeing unpatched systems in the wild.
Read more »

3. Researchers warn of Novel PXJ ransomware strain

While PXJ performs functions similar to other ransomware variants, it does not appear to share the same underlying code with most known ransomware families. Researchers first identified PXJ on February 29, after discovering two samples that were uploaded to VirusTotal by a member of the community.
Read more »

4. Necurs botnet operation dismantled, millions of malicious domains disabled

A coalition of security organizations struck a major blow against the Necurs botnet, dismantling its infrastructure in a global takedown. The organization blocked an additional 6 million domains that were predicted to be used by the cybercriminals over the next 25 months.
Read more »

5. Open Exchange Rates data breach affects users of well-known organizations

Open Exchange Rates has announced a data breach that exposed the personal information and salted and hashed passwords for customers of its API service. The service’s API is used by companies such as Etsy, Shopify, Coinbase and Kickstarter — all of which have been affected by this data breach.
Read more »

6. New COVID ransomware acts as cover for Kpot infostealer

A new ransomware called CoronaVirus has been distributed through a website pretending to promote the system optimization software and utilities from WiseCleaner. The download links on the site distribute a file called WSHSetup.exe that acts as a downloader for both the CoronaVirus ransomware and a password-stealing trojan called Kpot.
Read more »

7. Crafty web skimming domain spoofs HTTPS

Security researchers recently discovered a new card skimming website that hides in plain sight from its victims. The site’s URL is http.ps, which can easily be mistaken for the standard https:// that precedes secure sites’ URLs. This domain has been stealing payment card details on several other sites over the past few weeks.
Read more »

8. Massive uptick in credential stuffing attacks against bank APIs

According to security researchers, 75 percent of all credential abuse attacks against the financial services industry in 2019 targeted APIs directly, rather than user-facing login pages. Several large-scale credential stuffing attacks saw over 55 million malicious login attempts in a span of only a few hours.
Read more »

9. New Android cookie-stealing malware hijacking Facebook accounts

A new strain of Android malware has been found in the wild that steals users’ authentication cookies from web browsers and other apps. Dubbed Cookiethief, the trojan works by acquiring superuser root rights on the target device and transferring stolen cookies to a remote command-and-control server.
Read more »

10. Critical patch released for wormable SMBv3 vulnerability

Last week, Microsoft released an emergency software update to patch a very dangerous vulnerability in the SMBv3 protocol that lets attackers launch wormable malware, which can propagate itself from one vulnerable computer to another automatically. The latest patch is available on Microsoft’s website.
Read more »