Roundup: It is time for another Reg security summary.
Scammers impersonate WHO boss
As happens every time there is a major news event, scumbags exploit the public’s interest to spread malware. This time, criminals have picked on the World Health Organization’s handling of the global COVID-19 coronavirus pandemic. Researchers at IBM X-Force report the HawkEye malware is being spread under the guise of an email alert from WHO director general Tedros Adhanom Ghebreyesus.
Victims are asked to open an attachment, launching the password-and-Bitcoin-harvesting Windows malware.
“One thing worth mentioning is that the attackers put some effort in hiding the real intention of it,” X-Force said. “The environmental awareness of our sample was quite good and average users would most likely not notice an info-stealer being installed.”
While most Reg readers know better than to fall for these scams, the warning is worth passing on to keep less tech-savvy friends and family safe in these times of panic.
With everything going on, it’s easy to overlook this year’s Pwn2Own hacking competition, in which elite exploit developers are challenged to find vulnerabilities and compromise big-name products for big prizes. Among the winners this year were the team from Georgia Tech Systems Software and Security Lab, the hacking team Fluoroacetate, and the STAR LABS hacking team.
Software exploited by contestants included Ubuntu Linux, Oracle VirtualBox, Microsoft Windows, and Apple macOS: more details of the bugs that were found, exploited during the contest, and privately reported to vendors, will be shared when patches are available to install.
Drupal emits fixes
Admins running the Drupal CMS will want to make sure they are running the latest updates, following the release of a security update to address a cross-site-scripting hole.
“Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users,” Drupal says of the fix. “An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.”
Mozilla walks back TLS 1.0, 1.1 cuts
Mozilla is dialing back plans to drop support for the outdated and weak TLS 1.0 and 1.1 web encryption protocols in the Firefox browser. The move was meant to be a security measure, but has been called off for the time being to maintain support during the coronavirus pandemic.
“We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information,” Mozilla says.
Russian contractors hacked
A biz said to be working with Russia's FSB was reportedly hacked and outed as building an IoT botnet for the intelligence agency. The intruders said ODT (Oday) LLC was developing a Mirai-based botnet for the Russian government.
Personal info for 538 million Weibo users, including 172 million phone numbers, was discovered up for sale on the dark web.
FCC sounds alarm over Coronavirus scams
America’s comms watchdog, the FCC, has weighed in [PDF] on the trend of phishing and robocall scams around the coronavirus outbreak. The scams range from fake cures and test kits to HVAC cleaning services.
“We’re tracking scams and sharing information to arm consumers about how imposters use spoofing and other tactics to steal their money and their identity,” said FCC consumer and governmental affairs bureau chief Patrick Webre. “The FCC fights these types of scams through enforcement of its rules, but our primary goal is to be proactive so Americans don’t fall victim to these bad actors.”
New Mirai variant detected
Palo Alto Networks’ Unit 42 has a rundown of Mukashi, an IoT botnet based on Mirai. The malware has been targeting Zyxel NAS boxes.
“Mukashi brute forces the logins using different combinations of default credentials, while informing its command and control (C2) server of the successful login attempts,” Unit 42 said.
“Multiple, if not all, Zyxel NAS products running firmware versions up to 5.21 are vulnerable to this pre-authentication command injection vulnerability.”
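The brute-force-then-report behaviour Unit 42 describes leaves a recognisable trace in a device's login log: a burst of failed logins from one source, often across several default account names, followed by a success. The script below is an added example (not Unit 42's, Zyxel's or the malware's code) that flags that pattern. The log line format, the IP addresses and the default-account list are constructed here for illustration and are not taken from any real NAS firmware.

```python
"""Flag Mirai-style credential brute-forcing in a NAS login log.

Added example, not code from Unit 42 or Zyxel. It assumes a hypothetical
syslog-like format for the NAS web login (constructed for this example):

    <timestamp> login <failed|success> user=<name> src=<ip>

A source IP that fails at least `threshold` logins and then succeeds is
reported, together with the account names it tried and the account it got
into, which is the sequence a default-credential sprayer produces.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|success) "
    r"user=(?P<user>\S+) src=(?P<ip>[\d.]+)$"
)

# Hypothetical default account names worth watching for; not a vendor list.
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "user"}

# Constructed sample log; 203.0.113.7 sprays default accounts and gets in,
# 192.0.2.10 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2020-03-20T10:00:01Z login failed user=admin src=203.0.113.7
2020-03-20T10:00:02Z login failed user=admin src=203.0.113.7
2020-03-20T10:00:03Z login failed user=root src=203.0.113.7
2020-03-20T10:00:04Z login failed user=guest src=203.0.113.7
2020-03-20T10:00:05Z login success user=admin src=203.0.113.7
2020-03-20T10:05:00Z login failed user=alice src=192.0.2.10
2020-03-20T10:05:05Z login success user=alice src=192.0.2.10
this line is not a login event and is ignored
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one login event, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bruteforce(log_text: str, threshold: int = 3) -> Dict[str, Tuple[int, List[str], str]]:
    """Return {src_ip: (failures_before_success, users_tried, user_logged_in)}
    for every source that failed >= threshold logins and then succeeded."""
    state = defaultdict(lambda: {"failures": 0, "users": set()})
    hits: Dict[str, Tuple[int, List[str], str]] = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        s = state[ev["ip"]]
        if ev["result"] == "failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
            continue
        # A success: report it if it followed a run of failures, then reset
        # so an operator's later legitimate logins are not double-counted.
        if s["failures"] >= threshold:
            hits[ev["ip"]] = (s["failures"], sorted(s["users"]), ev["user"])
        s["failures"] = 0
        s["users"] = set()
    return hits


def used_default_account(hit: Tuple[int, List[str], str]) -> bool:
    """True when the successful login used one of the watched default names."""
    return hit[2] in DEFAULT_ACCOUNTS


if __name__ == "__main__":
    for ip, hit in find_bruteforce(SAMPLE_LOG).items():
        failures, tried, got_in = hit
        tag = " (default account)" if used_default_account(hit) else ""
        print(f"{ip}: {failures} failures across {tried}, then logged in as {got_in}{tag}")
```

The threshold is deliberately low because Mirai-family spraying against a NAS rarely needs many attempts when the device still has its factory credentials; tune it per device, and treat any success on an account that should have been renamed or disabled as a finding on its own.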
Rogers warns of data leak
Canadian telecoms giant Rogers admitted some customer information was left sitting out in an exposed database.
The Canuck ISP said the database was used by one of its marketing partners and didn’t contain any passwords nor payment card numbers.
“Customer information that was used by the service provider to fulfill promotional offers on behalf of Rogers was included in the vendor database,” Rogers said of the exposed info. “This was limited to customer name, address, account number, email address and telephone number.” ®